Here we go again. All Windows versions (NT4,W2k,W2k3) in standard install are affected. No IIS or other packages needed. Bug is in basic Windows functionality and fully remotely exploitable.
I recommend everybody to inform their [housing] customers immediately to install the hotfix right now. This bug has the potential to make code red, nimda and sql-slammer look like dwarfs in comparison if a worm is being launched using this exploit.

-- Andre
--- Begin Message ---

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

Originally posted: July 16, 2003

Summary

Who should read this bulletin: Users running Microsoft® Windows®

Impact of vulnerability: Run code of attacker's choice

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch immediately

End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-026.asp.

Affected Software:
- Microsoft Windows NT® 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server(tm) 2003

Not Affected Software:
- Microsoft Windows Millennium Edition

Technical description:

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.

An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.

Mitigating factors:
- To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135 on the remote machine. For intranet environments, this port would normally be accessible, but for Internet connected machines, the port 135 would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

To learn more about securing RPC for client and server please refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp.

To learn more about the ports used by RPC, please refer to: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

Vulnerability identifier: CAN-2003-0352

This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
--- End Message ---
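
Added example, not part of the bulletin or of either message above: one way for an administrator to confirm the mitigating factor the bulletin describes, by checking from outside the firewall which of their own hosts still accept connections on TCP port 135. The function names and the host inventory are constructed for illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

RPC_PORT = 135  # TCP port of the DCOM/RPC interface named in the bulletin


def probe(host, port=RPC_PORT, timeout=2.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'unresolved'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: port reachable from here
    except ConnectionRefusedError:
        return "closed"          # host answered with a reset: nothing listening
    except socket.gaierror:
        return "unresolved"      # host name did not resolve: fix the inventory
    except OSError:
        return "filtered"        # timeout or unreachable: consistent with a block


def audit(hosts, port=RPC_PORT, timeout=2.0, workers=16):
    """Probe every host concurrently and return {host: state}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda h: probe(h, port, timeout), hosts)
        return dict(zip(hosts, states))


def exposed(results):
    """Hosts that still accept connections and need filtering plus the hotfix."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed inventory (TEST-NET-1 addresses); replace with your own hosts.
    inventory = ["192.0.2.10", "192.0.2.11"]
    results = audit(inventory)
    for host, state in sorted(results.items()):
        print(f"{host}:{RPC_PORT} {state}")
    print("still exposed:", exposed(results) or "none")
```

Run it from a network position that matches the threat you care about: from the Internet side to validate the perimeter filter, and from inside to list intranet hosts that depend on the hotfix alone.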
