New RPC flaw affects almost all versions of Windows

Microsoft has revealed that the RPC system in most versions of Windows contains a flaw that could allow remote attackers to take over a vulnerable system. Here's a look at the problem and how to fix it, along with this week's other major threats.

Microsoft Security Bulletin MS03-026 describes a patch for a Critical vulnerability in nearly all Windows versions. A buffer overrun flaw in the Remote Procedure Call (RPC) interface could allow an attacker to run arbitrary code on vulnerable systems.

The Last Stage of Delirium Research Group (LSD) held off announcing its discovery of the vulnerability in BugTraq until the patch was released. The group declined to publish any further details of the exploit, saying, "It should be emphasized that this vulnerability poses an enormous threat and appropriate patches provided by Microsoft should be immediately applied."

This buffer overrun flaw lies in the portion of the RPC protocol that handles TCP/IP message exchanges and can be exploited by sending a malformed message to port 135, which is monitored by the Distributed Component Object Model (DCOM) RPC interface.

Windows' version of RPC comes from the standard Open Software Foundation (OSF) version of the protocol, but Microsoft also adds some of its own extensions.

Using this exploit, an attacker could install software, alter data, or open new accounts on the vulnerable system. The vulnerability has been given the MITRE CVE designation CAN-2003-0352.

According to LSD, "The vulnerability affects default installations of Windows NT 4.0, Windows 2000, Windows XP as well as Windows Server 2003."

Microsoft indicated that this flaw affects Microsoft Windows NT 4.0 Terminal Services Edition but does not affect Windows Millennium Edition (and, by extension, the Windows 9x product line).

Risk level—Critical
Exploiting this vulnerability would give the attacker complete remote control over the computer.

Mitigating factors
Port 135 should be blocked at the firewall whenever possible on Internet-connected machines. Microsoft said in the security bulletin that RPC over HTTP is provided as a more suitable protocol for hostile environments such as the Internet.

The company recommends reading the MSDN paper "Writing a Secure RPC Client or Server" for the secure use of RPC and for more information on locking down this service appropriately. Another document, this one in TechNet, describes the ports used by RPC in Windows 2000 and other Windows servers.

To fix this problem, you can either apply the patch from MS03-026 or block port 135 at the firewall. Microsoft says the patch alters the DCOM interface so it properly checks input.

The workaround is to set up network firewalls to block all access to port 135. Then, the malformed message can't be received and the vulnerability is negated.

As Microsoft pointed out, "If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet."

In the security bulletin, Microsoft also described a way to disable DCOM, but if it's disabled on a remote computer, you won't be able to access the computer remotely. Microsoft also offers a technical document about DCOM. The company reported that this issue will also be addressed in Windows 2000 Service Pack 5, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1.

Final word
This is clearly a dangerous vulnerability, and all administrators with Windows systems on their networks should take note.

Also watch out for…
A moderately serious DoS vulnerability has been found in Cisco IOS 11.x, 12.x, R11.x, and R12.x. This is described in the Cisco Security Advisory "Cisco IOS Interface Blocked by IPv4 Packets," which contains a workaround and links to the patch. Also see a report on the threat from and check there for the latest news.

MS03-028, "Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack," is rated Important by Microsoft. This affects only Microsoft's Internet Security and Acceleration (ISA) Server 2000.

Microsoft also rates MS03-027, "Unchecked Buffer in Windows Shell Could Enable System Compromise," as Important, but it can allow an attacker to run arbitrary code. This vulnerability affects only Windows XP and is due to an unchecked buffer in a Windows shell function found in that software.

The Apache Software Foundation is recommending an immediate upgrade to version 2.0.47 of the Apache HTTP Server to fix four new DoS vulnerabilities. The CAN-2003-0192, CAN-2003-0253, and CAN-2003-0254 vulnerabilities are addressed in this version, which also adds some new features and fixes some bugs. See the Official Apache Announcement for further details.


Editor's Picks