
J-Security Center


Title: Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability

Severity: CRITICAL

Description:

Microsoft Windows provides a DCOM (Distributed Component Object Model) interface to the RPC (Remote Procedure Call) protocol. A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via the DCOM RPC interface that listens on TCP/UDP port 135.

The issue is due to insufficient bounds checking of client DCOM object activation requests. A particular malformed RPC message may trigger this condition on a vulnerable system, causing memory to be corrupted with specific attacker-supplied values. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system.

This issue may also be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP and UDP ports 139, 135, 445 and 593, because the vulnerable interface is reachable through the following RPC protocol sequences (potential attack vectors):
  • ncacn_np:\pipe\epmapper
  • ncadg_ip_udp:135
  • ncacn_ip_tcp:135
  • ncacn_http:593

The API in question is 'CoGetInstanceFromFile'. Passing an unusually long string as the 'szName' parameter of this API will trigger the overflow.
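As an added illustration (not code from this advisory, from Symantec or from Windows), the following C model shows the class of defect described above: the host component of the szName UNC path is copied into a fixed-size buffer with no length check, beside a hardened version that measures first and fails closed. The UNC-path layout, the 32-WCHAR buffer size and all function names are assumptions made for illustration.

```c
#include <string.h>
#include <wchar.h>

/* Illustrative model (added example, not Windows source): the szName UNC path,
 * e.g. L"\\\\server\\share\\file.doc", has its host component copied into a
 * fixed-size buffer. The 32-WCHAR size and function names are assumptions. */
#define SERVER_NAME_WCHARS 32

/* Vulnerable pattern: copy up to the next backslash with no check against the
 * destination capacity; a host component longer than the buffer overruns it. */
size_t get_server_vulnerable(const wchar_t *szName, wchar_t *server)
{
    const wchar_t *p = szName + 2;          /* skip the leading "\\\\" */
    size_t i = 0;
    while (*p != L'\\' && *p != L'\0')
        server[i++] = *p++;                 /* i is never bounded */
    server[i] = L'\0';
    return i;
}

/* Hardened pattern: validate the prefix, measure before copying, and fail
 * closed if the component cannot fit with its terminator. 0 = ok, -1 = reject. */
int get_server_hardened(const wchar_t *szName, wchar_t *server, size_t cap)
{
    if (szName == NULL || server == NULL || cap == 0)
        return -1;
    if (szName[0] != L'\\' || szName[1] != L'\\')
        return -1;                          /* not a UNC path */
    const wchar_t *p = szName + 2;
    size_t len = 0;
    while (p[len] != L'\\' && p[len] != L'\0')
        len++;
    if (len == 0 || len >= cap)             /* empty, or no room for the NUL */
        return -1;
    memcpy(server, p, len * sizeof(wchar_t));
    server[len] = L'\0';
    return 0;
}

/* Builds L"\\\\" + n x 'a' + L"\\share" and runs the hardened extractor into a
 * SERVER_NAME_WCHARS buffer. Returns the extracted host length, -1 if rejected. */
int hardened_host_len(size_t n)
{
    wchar_t path[2 + 64 + 8], server[SERVER_NAME_WCHARS];
    if (n > 64) return -1;
    path[0] = L'\\'; path[1] = L'\\';
    for (size_t i = 0; i < n; i++) path[2 + i] = L'a';
    wcscpy(path + 2 + n, L"\\share");
    if (get_server_hardened(path, server, SERVER_NAME_WCHARS) != 0) return -1;
    return (int)wcslen(server);
}
```

A host component of 31 WCHARs is the longest the hardened version accepts into a 32-WCHAR buffer; the vulnerable version has no such limit, which is the condition the advisory describes.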

Under some configurations the Endpoint Mapper may receive traffic via port 80, such as when ncacn_http is active and COM Internet Services have been installed and enabled. Although this is not a default or reportedly not a common configuration, this could present an additional attack vector.

** UPDATED: There are credible rumors that an exploit has been developed and is currently circulating in the wild. Symantec has been observing a rise in activity directed towards port 135. This port is associated with this vulnerability and this spike of activity may indicate active exploitation or the early signs of a worm.

** It has been reported that the Microsoft-supplied patch for this issue may still leave systems exposed to a denial of service attack. The report specifically indicates that Windows 2000 with SP4 and the patch for MS03-026 are still vulnerable to a denial of service.

** July 31, 2003 - CERT has released an advisory announcing an increase in scanning and exploitation of this vulnerability.

** August 01, 2003 - There have been unconfirmed reports that Windows 9x systems with certain software installed may also be vulnerable to this issue. Reportedly, Windows 98 systems with .NET software installed may be vulnerable according to scans using various DCOM RPC vulnerability scanning tools. Symantec has not confirmed this behaviour and it may in fact be due to false positives generated by the scanners.

** August 02, 2003 - Symantec has received samples of what appears to be an automated hacking tool that exploits this vulnerability and opens backdoors on compromised hosts. This does not appear to be a worm as it does not seem to propagate by itself. Analysis is currently underway and updates will be published as more information becomes available.

** August 06, 2003 - Symantec is aware of publicly available source code for a mass auto-rooter that exploits this vulnerability. It may also be related to IRC botnets.

** August 08, 2003 - CERT/CC reported an unrelated vulnerability (VU#377804) in OSF DCE implementations released by various vendors that may reportedly be triggered by scanning and exploitation attempts for this issue. See BID 8371 for further details.

** August 11, 2003 - A worm exploiting this vulnerability is currently in the wild. Initial analysis suggests that the worm's executable file is named 'msblast.exe'. Further alerts will be released when details become available.

** October 27, 2003 - Symantec has captured a bot that is currently exploiting this condition in the wild over TCP port 445. Previous exploits released for this issue have always targeted TCP port 135.

** December 9, 2003 - Cisco has released version 1.7 of their W32.BLASTER Worm Mitigation Recommendations Security Notice. This update simply removed the Wireless LAN Solution Engine from the affected products section. Please see the referenced security notice for further details.

Affected Products:

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Cisco Broadband Troubleshooter
  • Cisco Building BroadBand Services Manager Hotspot 1.0.0
  • Cisco Building Broadband Service Manager 5.1.0
  • Cisco Building Broadband Service Manager 5.2.0
  • Cisco Call Manager
  • Cisco Call Manager 1.0.0
  • Cisco Call Manager 2.0.0
  • Cisco Call Manager 3.0.0
  • Cisco Call Manager 3.1.0
  • Cisco Call Manager 3.1.0 (2)
  • Cisco Call Manager 3.1.0 (3a)
  • Cisco Call Manager 3.2.0
  • Cisco Call Manager 3.3.0
  • Cisco Call Manager 3.3.0 (3)
  • Cisco CiscoWorks VPN/Security Management Solution
  • Cisco Collaboration Server 0.0.0
  • Cisco Conference Connection
  • Cisco Customer Response Application Server
  • Cisco DOCSIS CPE Configurator
  • Cisco Dynamic Content Adapter 0.0.0
  • Cisco E-Mail Manager
  • Cisco Emergency Responder 0.0.0
  • Cisco IP Contact Center Express
  • Cisco IP Telephony Environment Monitor 0.0.0
  • Cisco IP/VC 3540 Application Server
  • Cisco IP/VC 3540 Video Rate Matching Module
  • Cisco Intelligent Contact Manager
  • Cisco Internet Service Node
  • Cisco Lan Management Solution 0.0.0
  • Cisco Media Blender
  • Cisco Network Registar 0.0.0
  • Cisco Networking Services for Active Directory
  • Cisco Personal Assistant 0.0.0
  • Cisco QoS Policy Manager 0.0.0
  • Cisco Routed Wan Management 0.0.0
  • Cisco SN 5420 Storage Router 1.1.0 (2)
  • Cisco SN 5420 Storage Router 1.1.0 (3)
  • Cisco SN 5420 Storage Router 1.1.0 (4)
  • Cisco SN 5420 Storage Router 1.1.0 (5)
  • Cisco SN 5420 Storage Router 1.1.0 (7)
  • Cisco SN 5420 Storage Router 1.1.3
  • Cisco Secure ACS for Windows NT 2.1.0
  • Cisco Secure ACS for Windows NT 2.3.0
  • Cisco Secure ACS for Windows NT 2.4.0
  • Cisco Secure ACS for Windows NT 2.5.0
  • Cisco Secure ACS for Windows NT 2.6.0
  • Cisco Secure ACS for Windows NT 2.6.2
  • Cisco Secure ACS for Windows NT 2.6.3
  • Cisco Secure ACS for Windows NT 2.6.4
  • Cisco Secure ACS for Windows NT 3.0.0
  • Cisco Secure ACS for Windows NT 3.0.0 .1
  • Cisco Secure ACS for Windows NT 3.0.3
  • Cisco Secure ACS for Windows NT 3.1.1
  • Cisco Secure ACS for Windows Server 3.2.0
  • Cisco Secure Access Control Server 3.2.1
  • Cisco Secure Policy Manager 3.0.1
  • Cisco Secure Scanner 0.0.0
  • Cisco Service Management 0.0.0
  • Cisco Small Network Management Solution 0.0.0
  • Cisco Trailhead
  • Cisco Transport Manager
  • Cisco Unity Server
  • Cisco Unity Server 2.0.0
  • Cisco Unity Server 2.1.0
  • Cisco Unity Server 2.2.0
  • Cisco Unity Server 2.3.0
  • Cisco Unity Server 2.4.0
  • Cisco Unity Server 2.46.0
  • Cisco Unity Server 3.0.0
  • Cisco Unity Server 3.1.0
  • Cisco Unity Server 3.2.0
  • Cisco Unity Server 3.3.0
  • Cisco Unity Server 4.0.0
  • Cisco User Registration Tool 0.0.0
  • Cisco VPN/Security Management Solution 0.0.0
  • Cisco VoIP Phone 7902G
  • Cisco VoIP Phone 7905G
  • Cisco VoIP Phone 7912G
  • Cisco Voice Manager
  • Cisco uOne Enterprise Edition 0.0.0
  • Compaq OpenVMS 6.2.0 Alpha
  • Compaq OpenVMS 6.2.0 VAX
  • Compaq OpenVMS 6.2.0-1H1 Alpha
  • Compaq OpenVMS 6.2.0-1H2 Alpha
  • Compaq OpenVMS 6.2.0-1H3 Alpha
  • Compaq OpenVMS 7.1.0 Alpha
  • Compaq OpenVMS 7.1.0 VAX
  • Compaq OpenVMS 7.1.0-2 Alpha
  • Compaq OpenVMS 7.2.0 Alpha
  • Compaq OpenVMS 7.2.0 VAX
  • Compaq OpenVMS 7.2.0-1H1 Alpha
  • Compaq OpenVMS 7.2.0-1H2 Alpha
  • Compaq OpenVMS 7.2.0-2 Alpha
  • Compaq OpenVMS 7.2.1 Alpha
  • Compaq OpenVMS 7.3.0 Alpha
  • Compaq OpenVMS 7.3.0 VAX
  • Compaq OpenVMS 7.3.0-1 Alpha
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows NT Enterprise Server 4.0.0
  • Microsoft Windows NT Enterprise Server 4.0.0 SP1
  • Microsoft Windows NT Enterprise Server 4.0.0 SP2
  • Microsoft Windows NT Enterprise Server 4.0.0 SP3
  • Microsoft Windows NT Enterprise Server 4.0.0 SP4
  • Microsoft Windows NT Enterprise Server 4.0.0 SP5
  • Microsoft Windows NT Enterprise Server 4.0.0 SP6
  • Microsoft Windows NT Enterprise Server 4.0.0 SP6a
  • Microsoft Windows NT Server 4.0.0
  • Microsoft Windows NT Server 4.0.0 SP1
  • Microsoft Windows NT Server 4.0.0 SP2
  • Microsoft Windows NT Server 4.0.0 SP3
  • Microsoft Windows NT Server 4.0.0 SP4
  • Microsoft Windows NT Server 4.0.0 SP5
  • Microsoft Windows NT Server 4.0.0 SP6
  • Microsoft Windows NT Server 4.0.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0.0
  • Microsoft Windows NT Terminal Server 4.0.0 SP1
  • Microsoft Windows NT Terminal Server 4.0.0 SP2
  • Microsoft Windows NT Terminal Server 4.0.0 SP3
  • Microsoft Windows NT Terminal Server 4.0.0 SP4
  • Microsoft Windows NT Terminal Server 4.0.0 SP5
  • Microsoft Windows NT Terminal Server 4.0.0 SP6
  • Microsoft Windows NT Workstation 4.0.0
  • Microsoft Windows NT Workstation 4.0.0 SP1
  • Microsoft Windows NT Workstation 4.0.0 SP2
  • Microsoft Windows NT Workstation 4.0.0 SP3
  • Microsoft Windows NT Workstation 4.0.0 SP4
  • Microsoft Windows NT Workstation 4.0.0 SP5
  • Microsoft Windows NT Workstation 4.0.0 SP6
  • Microsoft Windows NT Workstation 4.0.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1

References: