Arbitrary Code Execution and Denial of Service in Microsoft RPCSS
Three new vulnerabilities exist in the part of the Remote Procedure Call Subsystem (RPCSS) service that deals with remote procedure call (RPC) messages for Distributed COM (DCOM) activation.
September 10, 2003
Reported September 10, 2003, by Microsoft.
VERSIONS AFFECTED
· Windows Server 2003, Windows XP, Windows 2000, Windows NT Server 4.0 Terminal Server Edition, Windows NT 4.0
DESCRIPTION
Three new vulnerabilities exist in the part of the Remote Procedure Call Subsystem (RPCSS) service that deals with remote procedure call (RPC) messages for Distributed COM (DCOM) activation. Two of these vulnerabilities could allow arbitrary code execution on the vulnerable system. The third vulnerability could result in a Denial of Service (DoS) condition. The flaws result from incorrect handling of malformed messages and affect the DCOM interface within the RPCSS service. By exploiting these flaws, an attacker could take any action on a vulnerable system, including installing programs; viewing, changing, or deleting data; and creating new accounts with full privileges.
VENDOR RESPONSE
Microsoft has released security bulletin MS03-039, "Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)," which addresses these vulnerabilities, and recommends that affected users immediately apply the appropriate patch listed in the bulletin. This patch supersedes the patch listed in Microsoft Security Bulletin MS03-026.
CREDIT
Discovered by eEye Digital Security, NSFOCUS Security Team, and Xue Yong Zhi and Renaud Deraison from Tenable Network Security.