From nowaywins@fastmail.fm Thu Jul 17 20:06:18 2003 From: computer security X-Sender: your_computersecurity@hotmail.com X-Originating-IP: [216.221.81.99] Date: Wed, 16 Jul 2003 18:16:14 -0400 Reply-To: computersecurity@yahoogroups.com Subject: [Computer Security Group] Fw: Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution(Q823980) Title: Buffer Overrun In RPC Interface Could Allow Code Execution (823980) Date: 16 July 2003 Software: Microsoft(r) Windows (r) NT 4.0 Microsoft Windows NT 4.0 Terminal Services Edition Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Impact: Run code of attacker's choice Max Risk: Critical Bulletin: MS03-026 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp http://www.microsoft.com/security/security_bulletins/MS03-026.asp - - --------------------------------------------------------------- Issue: ====== Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions. There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests sent by client machines (such as Universal Naming Convention (UNC) paths) to the server. To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135. Mitigating factors: ==================== - To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135 on the remote machine. For intranet environments, this port would normally be accessible, but for Internet connected machines, the port 135 would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges. - Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the internet. More robust protocols such as RPC over HTTP are provided for hostile environments. Risk Rating: ============ Critical Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/ms03-026.asp http://www.microsoft.com/security/security_bulletins/ms03-026.asp for information on obtaining this patch. [Non-text portions of this message have been removed] ------------------------ Yahoo! Groups Sponsor ---------------------~--> Free shipping on all inkjet cartridge & refill kit orders to US & Canada. Low prices up to 80% off. We have your brand: HP, Epson, Lexmark & more. http://www.c1tracking.com/l.asp?cid=5510 http://us.click.yahoo.com/GHXcIA/n.WGAA/ySSFAA/kgFolB/TM ---------------------------------------------------------------------~-> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/