RPC Security Round 2: Cleaning Up After the Latest RPC Vulnerability

The MSBlaster (LoveSan) saga prompted a thorough analysis of Microsoft's implementation of remote procedure call (RPC) processing. During the analysis, several security firms uncovered three additional, and potentially nasty, vulnerabilities in how the RPC service processes malformed RPC requests. If you didn't read Microsoft Security Bulletin MS03-039 (Buffer Overrun In RPCSS Service Could Allow Code Execution) last week, the bad news is that you're in for another frantic round of workstation and server patching that's as big in scope as the MSBlaster fix you distributed a few weeks ago. The newly acknowledged security holes affect the RPC implementation on all currently supported Windows platforms, including Windows Server 2003, Windows XP, Windows 2000, and Windows NT. In the best case, a successful exploit of one vulnerability can cause a Denial of Service (DoS) attack on Win2K systems; in the worst case, the loopholes let a malicious user assume complete control over a system. According to the bulletin, a successful attacker could "run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges."

To eliminate the original MSBlaster worm hole and the three newly discovered vulnerabilities, Microsoft released a security update documented in Microsoft article "MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs" (http://support.microsoft.com/?kbid=824146) on September 10. This new hotfix replaces and supersedes the original RPC worm fix 823980 documented in Security Bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution). To ensure your systems aren't a target for an even nastier variant of the original worm, you must install the new security update on all Windows 2003, XP, Win2K, and NT systems. Here's a summary of the hotfix files you need for each platform:
·Windows 2003—The file WindowsServer2003-KB824146-x86-ENU.exe (http://www.microsoft.com/downloads/details.aspx?familyid=51184d09-4f7e-4f7b-87a4-c208e9ba4787&displaylang=en) updates all 32-bit versions of Windows 2003. Use WindowsServer2003-KB824146-ia64-ENU.exe (http://www.microsoft.com/downloads/details.aspx?familyid=80ab25b3-e387-441f-9b6d-84106f66059b&displaylang=en) to update 64-bit Windows 2003, Enterprise Edition and Windows 2003, Datacenter Edition systems. (Note: This file is the same file you use to update XP 64-bit 2003 systems.)
·XP—The file WindowsXP-KB824146-x86-ENU.exe (http://www.microsoft.com/downloads/details.aspx?amp;languageid=f49e8428-7071-4979-8a67-3cffcb0c2524&familyid=5fa055ae-a1ba-4d4a-b424-95d32cfc8cba&displaylang=en) updates XP Professional Edition, XP Home Edition, XP Tablet PC Edition, and XP Media Center Edition (MCE). To update XP 64-bit 2002, download WindowsXP-KB824146-ia64-ENU.exe (http://www.microsoft.com/downloads/details.aspx?familyid=50e4fb51-4e15-4a34-9dc3-7053ec206d65&displaylang=en). Use WindowsServer2003-KB824146-ia64-ENU.exe (http://www.microsoft.com/downloads/details.aspx?familyid=80ab25b3-e387-441f-9b6d-84106f66059b&displaylang=en) to update XP 64-bit 2003.
·Win2K—The file Windows2000-KB824146-x86-ENU.exe (http://www.microsoft.com/downloads/details.aspx?familyid=f4f66d56-e7ce-44c3-8b94-817ea8485dd1&languageid=f49e8428-7071-4979-8a67-3cffcb0c2524&displaylang=en) updates Win2K Professional, Win2K Server, Win2K Advanced Server, and Win2K Datacenter Server running any version of Win2K up to and including Service Pack 4 (SP4).
·NT—The RPC hotfix is specific to the type of OS, so you might need to download as many as three different versions—one for NT workstation (http://www.microsoft.com/downloads/details.aspx?familyid=7eabad74-9ca9-48f4-8db5-cf8c188879da&displaylang=en), one for NT Server (http://www.microsoft.com/downloads/details.aspx?familyid=71b6135c-f957-4702-b376-2dacce773dc0&displaylang=en), and one for NT Server 4.0, Terminal Server Edition (WTS—http://www.microsoft.com/downloads/details.aspx?familyid=677229f8-fbbf-4ff4-a2e9-506d17bb883f&displaylang=en).

If you don't have third-party patch analysis and management software, you can use two different utilities to identify systems that you need to update. The Microsoft Baseline Security Analyzer (MBSA) can scan one, several, or all systems in a subnet or domain for missing security hotfixes. The upside is that MBSA produces one report for all systems and all missing hotfixes; the downside is that you'll need to dig through the report manually to create a list of systems that need the RPC-specific update. The KB 824146 Scanner tool, which you can download from http://www.microsoft.com/downloads/details.aspx?familyid=13ae421b-7bab-41a2-843b-fad838fe472e&displaylang=en (download file name DCOM-KB827363-X86-ENU.exe), is an updated version of the scanner Microsoft released to locate systems that needed the original MSBlaster security fix. The updated version scans systems and lists the status of the original KB823980 fix plus the just-released KB824146 hotfix. The scanning tool is command-line driven so that you can define the system or systems to scan by using the NetBIOS name, TCP/IP Fully Qualified Domain Name (FQDN), or TCP/IP address; direct the output to a disk file; and request a verbose log of the scanning results. Microsoft's documentation incorrectly states that the scanning tool also installs the KB 824146 security hotfix. When I tested the scanner, it did correctly identify the status of both RPC hotfixes on my systems but didn't install any missing updates. The Microsoft article "How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed" (http://support.microsoft.com/?kbid=827363) documents the utility and provides tips about how to interpret the results.

Microsoft has a template VBScript, patchinstall.vbs, that you can use to distribute the hotfix to systems that are members of a Windows 2003, Win2K, or NT domain. The script updates Windows 2003, XP, and Win2K systems, but not NT systems. (If you need to distribute the hotfix to NT systems, you'll need to add code that recognizes the NT OS and type—i.e., NT Workstation 4.0, NT Server 4.0, and WTS—and downloads the hotfix specific to each.) The script accepts two arguments: an input file that contains the TCP/IP address of each system that needs updating and a path to the local directory that contains hotfix files for Windows 2000, XP, and Win2K. According to the documentation, the script requires that you rename each hotfix so that it identifies the platform it updates; rename the Windows 2003 version to Patch_W2k3.exe, the XP version to Patch_XP.exe, and the Win2K version to Patch_W2k.exe. The script uses the KB824146scan.exe output file as input, so in theory, you run the scanning tool, save the output file, and use it as input to patchinstall.vbs. When you run the script, it connects to each system in the input file, determines the OS type, copies the hotfix to a file at the root of the local system disk (e.g., C:patchinstall.exe), installs the hotfix in quiet mode, reboots the machine, and attempts to delete the hotfix after the system restarts. I didn't have time to test the script across multiple platforms, so I encourage you to verify that the script installs the correct hotfix for the 64-bit versions of Windows 2003 and XP. The Microsoft article "How to Use a Visual Basic Script to Install the 824146 (MS03-039) or 823980 (MS03-026) Security Patch on Remote Host Computers" (http://support.microsoft.com/?kbid=827227) contains the template script file and documentation about how the script operates.