[GTER] CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows

Klaus Steding-Jessen jessen at nic.br
Wed Sep 10 20:00:00 -03 2003


CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows

   Original release date: September 10, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Microsoft Windows NT Workstation 4.0
     * Microsoft Windows NT Server 4.0
     * Microsoft Windows NT Server 4.0, Terminal Server Edition
     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows Server 2003


   Microsoft  has  published  a bulletin describing three vulnerabilities
   that  affect  numerous  versions  of  Microsoft  Windows. Two of these
   vulnerabilities  are  remotely  exploitable  buffer overflows that may
   allow  an  attacker  to execute arbitrary code with system privileges.
   The  third vulnerability may allow a remote attacker to cause a denial
   of service.

I. Description

   The  Microsoft  RPCSS  Service  is  responsible  for  managing  Remote
   Procedure   Call   (RPC)  messages.  There  are  two  buffer  overflow
   vulnerabilities  in  the RPCSS service, which is enabled by default on
   many  versions  of  Microsoft Windows. These buffer overflows occur in
   sections  of  code  that  handle  DCOM activation messages sent to the
   RPCSS service.

   The  CERT/CC  is  tracking  these  vulnerabilities  as  VU#483492  and
   VU#254236,  which  correspond  to  CVE  candidates  CAN-2003-0715  and
   CAN-2003-0528,  respectively.  The  buffer overflows discussed in this
   advisory are different than those discussed in previous advisories.

   Microsoft has also published information regarding a denial-of-service
   vulnerability  in  the  RPCSS service. This vulnerability only affects
   Microsoft Windows 2000 systems.

   The  CERT/CC  is  tracking  this  vulnerability  as  VU#326746,  which
   corresponds  to  CVE  candidate  CAN-2003-0605. This vulnerability was
   previously discussed in CA-2003-19.

II. Impact

   By  exploiting  either  of the buffer overflow vulnerabilities, remote
   attackers  may  be  able  to  execute arbitrary code with Local System

   By  exploiting  the  denial-of-service vulnerability, remote attackers
   may  be  able to disrupt the RPCSS service. This may result in general
   system instability and require a reboot.

III. Solution

Apply a patch from Microsoft

   Microsoft  has  published  Microsoft  Security  Bulletin  MS03-039  to
   address this vulnerability. For more information, please see


   This bulletin supersedes MS03-026.

Block traffic to and from common Microsoft RPC ports

   As  an  interim  measure,  users  can  reduce the chance of successful
   exploitation  by blocking traffic to and from well-known Microsoft RPC
   ports, including
     * Port 135 (tcp/udp)
     * Port 137 (udp)
     * Port 138 (udp)
     * Port 139 (tcp)
     * Port 445 (tcp/udp)
     * Port 593 (tcp)

   To  prevent  compromised hosts from contacting other vulnerable hosts,
   the  CERT/CC  recommends  that  system administrators filter the ports
   listed above for both incoming and outgoing traffic.

Disable COM Internet Services and RPC over HTTP

   COM  Internet  Services (CIS) is an optional component that allows RPC
   messages  to  be  tunneled  over  HTTP ports 80 and 443. As an interim
   measure,  sites  that use CIS may wish to disable it as an alternative
   to blocking traffic to and from ports 80 and 443.

Disable DCOM

   Disable  DCOM  as  described  in MS03-039 and Microsoft Knowledge Base
   Article 825750.

   This  document  was  written by Jeffrey P. Lanza and is based upon the
   information in MS03-039.

   This document is available from:

CERT/CC Contact Information

   Email: cert at cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo at cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
Sep 10, 2003:  Initial release

Version: PGP 6.5.8


More information about the gter mailing list