-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NSFOCUS Security Advisory(SA2003-06)

Topic: Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability

Release Date: 2003-09-11

CVE CAN ID: CAN-2003-0528

http://www.nsfocus.com/english/homepage/research/0306.htm

Affected system:
===================
- - Microsoft Windows NT
- - Microsoft Windows XP
- - Microsoft Windows 2000
- - Microsoft Windows 2003

Unaffected system:
======================
- - Microsoft Windows 98

Summary:
=========

NSFOCUS Security Team has found a remote exploitable buffer overflow 
vulnerability in the RPC DCOM interface of Microsoft Windows system. 
By exploiting the vulnerability remote attackers could gain local 
system privilege.

Description:
============

Remote Procedure Call (RPC) is a protocol used by the Windows operating 
system. RPC provides an inter-process communication mechanism that allows a
program running on one computer to seamlessly execute code on a remote system.
The protocol itself is derived from the Open Software Foundation (OSF) RPC
protocol, but with the addition of some Microsoft specific extensions.

There is a buffer overflow vulnerability in Windows RPC Distributed Component
Object Model (DCOM) interface handling. Windows DCOM implementation doesn't
carry out any length check when handling a filename parameter. By passing an 
over-large parameter (several hundred bytes) attackers can cause a heap 
overflow and crash the RpcSS service. The carefully crafted data then can run 
arbitrary code on the system with Local System privilege. Attackers could take 
any action on the system, including installing programs, obtaining or deleting
data, or creating new accounts with total privilege.

This vulnerability can be exploited on 135(TCP/UDP), 139, 445, 593 and
other ports.

Note: This vulnerability is not the same one as described in MS03-026. The
patch provided by MS03-026 (Q823980) can not fix the vulnerability.

Workaround:
=============

* Block at least the following ports at firewall:

    135/UDP
    137/UDP
    138/UDP
    445/UDP

    135/TCP
    139/TCP
    445/TCP
    593/TCP

 Disable COM Internet Services (CIS) and RPC over HTTP.

* If you can not block the above ports for some reasons, you can temporarily
  disable DCOM:

      Open "Control Panel"-->"Management Tools"-->"Component Services"
      Click on the "Component Services"-->"Computers"-->"My Computer" on the
      "Console Root", right click "My Computer" to choose the "Properties"

      Choose the "Default Properties " tab, clear "Enable Distributed COM on 
      this Computer" check box. 

      Click OK and exit "Component Services".

      Note: Disabling DCOM might cause some applications to fail and system
      abnormality. Some important system services might fail to start. 
      Therefore NSFOCUS doesn't recommend such a method. You can block ports 
      at firewall as mentioned above to ensure the system security.

Vendor Status:
==============

2003.07.29   Informed the vendor
2003.07.30   Vendor confirmed the vulnerability
2003.09.10   Microsoft has issued a Security Bulletin(MS03-039) and the 
             related patch.

Detailed Microsoft Security Bulletin is available at:

http://www.microsoft.com/technet/security/bulletin/ms03-039.asp


Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0528 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.

Acknowledgment
===============

Yuan Renguang of NSFOCUS Security Team found the vulnerability.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/X9UE1794d8am9toRAg85AKCHlLlJeNblV1Ql5PZHDE9wMjJfWwCcC8vC
jlMuxCKpk8woaPiioqMVhLI=
=WNJM
-----END PGP SIGNATURE-----