[Am-info] With all these new found "holes," where's M$' "safe computing?"

Fred A. Miller fmiller@lightlink.com
Fri, 12 Sep 2003 00:49:34 -0400


Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities

CRITICAL:
Highly critical

IMPACT:
DoS, System access

WHERE:
From local network

OPERATING SYSTEM:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

DESCRIPTION:
Three vulnerabilities have been identified in Microsoft Windows,
which can be exploited by malicious people to compromise a vulnerable
system or cause a DoS (Denial of Service).

The vulnerabilities affect the DCOM (Distributed Component Object
Model) interface within the RPCSS Service and are caused due to
boundary errors and an unspecified error when handling certain RPC
messages.

Two of the vulnerabilities can be exploited to cause buffer overflows
allowing execution of arbitrary code on a vulnerable system with
"Local System" privileges. The third can be exploited to crash the
RPCSS service.

NOTE: Secunia would normally rate these kinds of vulnerabilities as
"Moderately critical", since systems only should expose RPC services
to other systems on a LAN.

However, since the vulnerabilities are similar to the issue exploited
by the Blaster worm, which infected numerous systems, the
vulnerabilities have been rated as "Highly critical" instead.

SOLUTION:
RPC traffic should be blocked at the network perimeter. Systems
should only accept it from trusted systems on a LAN.

Microsoft lists the following ports, which the RPCSS Service used for
DCOM activation listens on:
135/udp, 137/udp, 138/udp, 445/udp, 135/tcp, 139/tcp, 445/tcp, and
593/tcp.

If CIS (COM Internet Services) or "RPC over HTTP" has been enabled,
the service may also listen on ports 80/tcp and 443/tcp.

Microsoft has issued patches, which can be installed manually or via
WindowsUpdate.

Windows NT Workstation (requires SP6a installed):
http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=en

Windows NT Server 4.0 (requires SP6a installed):
http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=en

Windows NT Server 4.0, Terminal Server Edition (requires SP6
installed):
http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F&displaylang=en

Windows 2000 (requires SP2, SP3, or SP4 installed):
http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en

Windows XP:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en

Windows XP 64 bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65&displaylang=en

Windows XP 64 bit Edition Version 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en

Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=en

Windows Server 2003 64 bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en

REPORTED BY / CREDITS:
eEye Digital Security
NSFOCUS Security Team
Xue Yong Zhi and Renaud Deraison, Tenable Network Security

ORIGINAL ADVISORY:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

-- 
"...Linux, MS-DOS, and Windows XP (also known as the Good, the Bad, and
the Ugly)."
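
A local check for the ports named in the SOLUTION section above, as an added example that is not part of the original message or the advisory: it parses `netstat -an` text and reports non-loopback listeners on those ports. The sample output and the name `exposed_rpc_listeners` are constructed for illustration.

```python
# Ports the advisory lists for DCOM activation, as (protocol, port).
RPC_PORTS = {
    ("udp", 135), ("udp", 137), ("udp", 138), ("udp", 445),
    ("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 593),
}
# Only relevant when CIS / "RPC over HTTP" is enabled, per the advisory.
CIS_PORTS = {("tcp", 80), ("tcp", 443)}

# Constructed sample in Windows `netstat -an` layout (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:1900      *:*
"""


def exposed_rpc_listeners(netstat_text, cis_enabled=False):
    """Return sorted (proto, address, port) for non-loopback listeners on advisory ports."""
    watched = RPC_PORTS | (CIS_PORTS if cis_enabled else set())
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header or blank line
        proto = fields[0].lower()
        # TCP rows carry a state column; only LISTENING sockets accept new connections.
        if proto == "tcp" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue
        address, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit():
            continue
        if address.startswith("127.") or address in ("[::1]", "::1"):
            continue  # loopback-only bindings are not reachable from the network
        if (proto, int(port_text)) in watched:
            hits.add((proto, address, int(port_text)))
    return sorted(hits)


if __name__ == "__main__":
    for proto, address, port in exposed_rpc_listeners(SAMPLE_NETSTAT, cis_enabled=True):
        print(f"{port}/{proto} reachable on {address}")
```

A listener reported here is only bound on a network interface; whether untrusted hosts can reach it still depends on the perimeter filtering the advisory recommends.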