what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Technical Cyber Security Alert 2007-103A

Technical Cyber Security Alert 2007-103A
Posted Apr 17, 2007
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert TA07-103A - A buffer overflow in the the Remote Procedure Call (RPC) management interface used by the Microsoft Windows Domain Name Service (DNS) service is actively being exploited. This vulnerability may allow a remote attacker to execute arbitrary code with SYSTEM privileges.

tags | advisory, remote, overflow, arbitrary
systems | windows
SHA-256 | d2859d68d4c262fbd5b36580b848066e0110d1dde3ed78789494106b76010fda

Technical Cyber Security Alert 2007-103A

Change Mirror Download

Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-103A

Microsoft Windows DNS RPC Buffer Overflow

Original release date: April 13, 2007
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows 2003 Server
* Microsoft Windows 2000 Server


A buffer overflow in the the Remote Procedure Call (RPC) management
interface used by the Microsoft Windows Domain Name Service (DNS)
service is actively being exploited. This vulnerability may allow a
remote attacker to execute arbitrary code with SYSTEM privileges.

I. Description

The Microsoft Windows DNS service RPC management interface contains
a stack-based buffer overflow. This vulnerability can be triggered
by sending a specially crafted RPC packet to the RPC management
interface. The management interface typically operates on a
dynamically-assigned port between 1024/tcp and 5000/tcp.

Note that this vulnerability cannot be exploited via the DNS name
resolution service (53/udp).

More information on this vulnerability is available in
Vulnerability Note VU#555920 and Microsoft Security Advisory

This vulnerability is actively being exploited.

II. Impact

A remote attacker may be able to execute arbitrary code with SYSTEM
privileges or cause a denial-of-service condition.

III. Solution

We are unaware of a complete solution to this vulnerability. Until a
fix is available, there are workarounds that may reduce the chances of
exploitation. It is important to understand your network's
configuration and service requirements before deciding what changes
are appropriate. For instance, disabling the RPC interface of the DNS
service may prevent administrators from being able to remotely manage
a Microsoft Windows DNS server. Consider this when implementing the
following workarounds:

*Disable the RPC interface used by the Microsoft Windows DNS service*

This workaround will configure the DNS management service to to
function only via Local Procedure Call (LPC). This prevents
exploitation of the vulnerability, however it also disables remote
management via RPC, which is used by the Microsoft Management Console
(MMC) DNS snap-in.

According to Microsoft Security Advisory (935964), the RPC remote
management can be disabled by taking the following steps:

1. On the start menu click 'Run' and then type 'Regedit' and then
press enter.

2. Navigate to the following registry location:

3. On the 'Edit' menu select 'New' and then click 'DWORD Value'.

4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the
name of the value and then press enter.

5. Double click on the newly created value and change the value's
data to 4.

Alternatively, the following text can be saved as a .REG file and

Windows Registry Editor Version 5.00



Restart the DNS service for the change to take effect.

More information on regedit.exe is available in Microsoft Knowledge
Base Article 82821.

*Block or Restrict access to RPC services*

This workaround will restrict TCP/IP access to all RPC interfaces,
including the vulnerable DNS management RPC interface. This workaround
will not prevent exploitation of the vulnerability, but will limit the
possible sources of attacks. This workaround will allow remote
management using the RPC interface (MMC DNS Snap-in) from selected

Block access to the RPC Endpoint Mapper service (135/tcp) at your
network perimeters. Note that blocking RPC at the network perimeter
would still allow attackers within the perimeter to exploit this

By default, the RPC Endpoint Mapper service assigns RPC ports between
1024/tcp and 5000/tcp. All unsolicited traffic on these ports should
also be blocked.

IV. References

* Vulnerability Note VU#555920 -

* Microsoft Security Advisory (935964) -

* Registration Info Editor (REGEDIT) Command-Line Switches -


The most recent version of this document can be found at:


Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-103A Feedback VU#555920" in the

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

Produced 2007 by US-CERT, a government organization.

Terms of use:


Revision History

April 13, 2007: Initial release

Version: GnuPG v1.2.1 (GNU/Linux)

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By