
Technical Cyber Security Alert 2007-103A

Posted Apr 17, 2007
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert TA07-103A - A buffer overflow in the Remote Procedure Call (RPC) management interface used by the Microsoft Windows Domain Name Service (DNS) service is actively being exploited. This vulnerability may allow a remote attacker to execute arbitrary code with SYSTEM privileges.

tags | advisory, remote, overflow, arbitrary
systems | windows
SHA-256 | d2859d68d4c262fbd5b36580b848066e0110d1dde3ed78789494106b76010fda


National Cyber Alert System

Technical Cyber Security Alert TA07-103A


Microsoft Windows DNS RPC Buffer Overflow

Original release date: April 13, 2007
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows 2003 Server
* Microsoft Windows 2000 Server


Overview

A buffer overflow in the Remote Procedure Call (RPC) management
interface used by the Microsoft Windows Domain Name Service (DNS)
service is actively being exploited. This vulnerability may allow a
remote attacker to execute arbitrary code with SYSTEM privileges.


I. Description

The Microsoft Windows DNS service RPC management interface contains
a stack-based buffer overflow. This vulnerability can be triggered
by sending a specially crafted RPC packet to the RPC management
interface. The management interface typically operates on a
dynamically-assigned port between 1024/tcp and 5000/tcp.

Note that this vulnerability cannot be exploited via the DNS name
resolution service (53/udp).

More information on this vulnerability is available in
Vulnerability Note VU#555920 and Microsoft Security Advisory
(935964).

This vulnerability is actively being exploited.


II. Impact

A remote attacker may be able to execute arbitrary code with SYSTEM
privileges or cause a denial-of-service condition.


III. Solution

We are unaware of a complete solution to this vulnerability. Until a
fix is available, there are workarounds that may reduce the chances of
exploitation. It is important to understand your network's
configuration and service requirements before deciding what changes
are appropriate. For instance, disabling the RPC interface of the DNS
service may prevent administrators from being able to remotely manage
a Microsoft Windows DNS server. Consider this when implementing the
following workarounds:


*Disable the RPC interface used by the Microsoft Windows DNS service*

This workaround will configure the DNS management service to
function only via Local Procedure Call (LPC). This prevents
exploitation of the vulnerability; however, it also disables remote
management via RPC, which is used by the Microsoft Management Console
(MMC) DNS snap-in.

According to Microsoft Security Advisory (935964), the RPC remote
management can be disabled by taking the following steps:

1. On the start menu click 'Run' and then type 'Regedit' and then
press enter.

2. Navigate to the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.

3. On the 'Edit' menu select 'New' and then click 'DWORD Value'.

4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the
name of the value and then press enter.

5. Double click on the newly created value and change the value's
data to 4.

Alternatively, the following text can be saved as a .REG file and
imported:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]

"RpcProtocol"=dword:00000004

Restart the DNS service for the change to take effect.

More information on regedit.exe is available in Microsoft Knowledge
Base Article 82821.
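
The same workaround scripted in PowerShell, as an added example that is
not part of the US-CERT alert or the Microsoft advisory: it reports the
current RpcProtocol value and, when run with -Apply, sets it to 4 and
restarts the DNS service. The script layout and the -Apply switch are
assumptions of this example; the key, value name and data are the ones
given in the steps above, and the service name DNS is taken from the
registry path.

```powershell
# Added example: audit, and optionally apply, the RpcProtocol workaround.
# Run from an elevated prompt on the DNS server.
param([switch]$Apply)    # hypothetical switch: without it the script only reports

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name    = 'RpcProtocol'
$lpcOnly = 4             # data value given in the advisory (LPC only)

function Get-RpcProtocol {
    # Returns the current DWORD, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

if (-not (Test-Path $key)) {
    Write-Output "DNS Parameters key not found; is the DNS service installed?"
    return
}

$current = Get-RpcProtocol
if ($current -eq $lpcOnly) {
    Write-Output "OK: $name is $lpcOnly; DNS management is limited to LPC."
    return
}

$shown = if ($null -eq $current) { '(not set)' } else { $current }
Write-Output "FINDING: $name is $shown; the workaround expects $lpcOnly."
if (-not $Apply) {
    Write-Output "Re-run with -Apply to set the value and restart the DNS service."
    return
}

# Create or overwrite the DWORD, then restart so the change takes effect.
New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                 -Value $lpcOnly -Force | Out-Null
Restart-Service -Name DNS

# Read the value back rather than trusting the write.
if ((Get-RpcProtocol) -ne $lpcOnly) { throw "$name was not set to $lpcOnly." }
Write-Output "APPLIED: $name set to $lpcOnly and DNS service restarted."
```

Remote management through the MMC DNS snap-in stops working once the
value is applied, as the workaround description notes.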


*Block or Restrict access to RPC services*

This workaround will restrict TCP/IP access to all RPC interfaces,
including the vulnerable DNS management RPC interface. This workaround
will not prevent exploitation of the vulnerability, but will limit the
possible sources of attacks. This workaround will allow remote
management using the RPC interface (MMC DNS Snap-in) from selected
networks.

Block access to the RPC Endpoint Mapper service (135/tcp) at your
network perimeters. Note that blocking RPC at the network perimeter
would still allow attackers within the perimeter to exploit this
vulnerability.

By default, the RPC Endpoint Mapper service assigns RPC ports between
1024/tcp and 5000/tcp. All unsolicited traffic on these ports should
also be blocked.
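
A way to check that the restriction holds, as an added example that is
not part of the US-CERT alert: the PowerShell below flags TCP connections
to 135 or 1024-5000 on a DNS server that originate outside the networks
allowed to manage it. The log format, the sample records and the
management subnet are constructed for illustration.

```powershell
# Added example: find RPC-port access from outside the management networks.
$ManagementNets = @('10.20.0.0/24')   # assumption: subnet(s) allowed to manage DNS

function ConvertTo-IPv4Number ([string]$Ip) {
    # Dotted quad -> 32-bit number, most significant octet first.
    $n = [long]0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $n = $n * 256 + $b
    }
    return $n
}

function Test-InCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $block = [math]::Pow(2, 32 - [int]$bits)   # addresses per network block
    $a = [math]::Floor((ConvertTo-IPv4Number $Ip)  / $block)
    $b = [math]::Floor((ConvertTo-IPv4Number $net) / $block)
    return $a -eq $b
}

function Test-RpcPort ([int]$Port) {
    # Endpoint mapper plus the default dynamic range named in the alert.
    return ($Port -eq 135) -or ($Port -ge 1024 -and $Port -le 5000)
}

function Find-UnexpectedRpcAccess ($Records, [string[]]$AllowedNets) {
    foreach ($r in $Records) {
        if ($r.Protocol -ne 'TCP') { continue }
        if (-not (Test-RpcPort ([int]$r.DestPort))) { continue }
        $allowed = $false
        foreach ($net in $AllowedNets) {
            if (Test-InCidr $r.Source $net) { $allowed = $true; break }
        }
        if (-not $allowed) { $r }    # emit the offending record
    }
}

# Constructed sample: inbound connections logged at the DNS server.
$log = @'
Time,Source,DestPort,Protocol
2007-04-13T09:14:02,10.20.0.15,135,TCP
2007-04-13T09:14:03,10.20.0.15,1031,TCP
2007-04-13T09:20:41,192.0.2.77,135,TCP
2007-04-13T09:20:42,192.0.2.77,1031,TCP
2007-04-13T09:21:10,198.51.100.9,53,UDP
'@ | ConvertFrom-Csv

Find-UnexpectedRpcAccess $log $ManagementNets | Format-Table -AutoSize
```

With the sample records, only the two connections from 192.0.2.77 are
reported; the management host and the 53/udp query are not.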


IV. References

* Vulnerability Note VU#555920 -
<http://www.kb.cert.org/vuls/id/555920>

* Microsoft Security Advisory (935964) -
<http://www.microsoft.com/technet/security/advisory/935964.mspx>

* Registration Info Editor (REGEDIT) Command-Line Switches -
<http://support.microsoft.com/kb/82821>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-103A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-103A Feedback VU#555920" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
___________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

April 13, 2007: Initial release
