July 22nd, 2003, 07:51 PM
#1
Registered User
Time to patch your Windows boxes
http://www.microsoft.com/technet/tre...n/MS03-026.asp
..supposed to be a pretty big vulnerability...
Microsoft Security Bulletin MS03-026
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003
Revised: July 21, 2003
Summary
Who should read this bulletin: Users running Microsoft ® Windows ®
Impact of vulnerability: Run code of attacker’s choice
Maximum Severity Rating: Critical
Recommendation: Systems administrators should apply the patch immediately
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/se.../ms03-026.asp.
Affected Software:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Not Affected Software:
Microsoft Windows Millennium Edition
Technical details
Technical description:
Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability. However, the “mitigating factors” and “workarounds” discussions in the original security bulletin did not clearly identify all of the ports by which the vulnerability could potentially be exploited. We have updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked, and to ensure that customers who have chosen to implement a workaround before installing the patch have the information that they need to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability, and need take no further action.
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.
To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.
Mitigating factors:
To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, or 445 or any other specifically configured RPC port on the remote machine. For intranet environments, these ports would normally be accessible, but for Internet connected machines, these would normally be blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
Best practices recommend blocking all TCP/IP ports that are not actually being used, and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.
To learn more about securing RPC for client and server please refer to http://msdn.microsoft.com/library/de...or_server.asp.
To learn more about the ports used by RPC, please refer to: http://www.microsoft.com/technet/pro...t4/tcpappc.asp
Severity Rating:
Windows NT 4.0 - Critical
Windows NT 4.0 Terminal Server Edition - Critical
Windows 2000 - Critical
Windows XP - Critical
Windows Server 2003 - Critical
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0352
Tested Versions:
Microsoft tested Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003, to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.
Deliver me from Swedish furniture!
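The bulletin's mitigating factors come down to one check an administrator can make before the patch lands: are TCP 135/139/445 (and the UDP side of RPC/NetBIOS) bound to a network-facing address on the host? The script below is an added example, not part of the thread or of Microsoft's bulletin. It parses the text layout of Windows `netstat -an` (the column layout is assumed from that era's output; the sample is constructed, not captured from a real machine) and lists the bulletin's ports that are reachable from other hosts, so they can be confirmed blocked at the firewall until the patch is applied.

```python
"""Audit which RPC/SMB ports named in MS03-026 are reachable on a Windows host.

Added example, not part of the forum thread or of the Microsoft bulletin.
It parses the text output of `netstat -an` (the Windows column layout is
assumed; the sample below is constructed) and reports which of the ports the
bulletin says an attacker would need to reach (TCP 135, 139, 445 and the UDP
RPC/NetBIOS ports 135, 137, 138, 445) are bound to a non-loopback address.
"""
import re

# Ports from the bulletin's mitigating factors: 135, 139, 445 over TCP, plus
# the UDP side of RPC/NetBIOS. "Any other specifically configured RPC port"
# cannot be known statically, so callers may extend these sets.
WATCHED_TCP = {135, 139, 445}
WATCHED_UDP = {135, 137, 138, 445}

# Constructed sample of `netstat -an` output on a Windows XP-era host
# (assumed layout, not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:4211      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    127.0.0.1:123          *:*
"""

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state) for each socket line.

    UDP lines carry no state column and are reported with state None.
    Header and blank lines do not match the socket layout and are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        yield proto, ip, int(port), state


def exposed_ports(text, extra_tcp=(), extra_udp=()):
    """Return the watched ports that other hosts could reach, sorted.

    A TCP port counts only while LISTENING; a bound UDP socket always receives.
    A 127.x binding is loopback-only and is not reported; 0.0.0.0 or a specific
    non-loopback address is reachable unless a host or perimeter firewall
    blocks it, which is exactly what the bulletin's workaround asks for.
    """
    tcp = WATCHED_TCP | set(extra_tcp)
    udp = WATCHED_UDP | set(extra_udp)
    found = set()
    for proto, ip, port, state in parse_netstat(text):
        if ip.startswith("127."):
            continue
        if proto == "TCP" and port in tcp and state == "LISTENING":
            found.add(("TCP", port))
        elif proto == "UDP" and port in udp:
            found.add(("UDP", port))
    return sorted(found)


def report(text):
    """Human-readable summary of what is exposed, with the bulletin's advice."""
    exposed = exposed_ports(text)
    if not exposed:
        return "No MS03-026 RPC/SMB ports are reachable from the network."
    lines = ["Reachable RPC/SMB ports (block at the firewall until patched):"]
    lines.extend(f"  {proto}/{port}" for proto, port in exposed)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

On a real host, feed the script the saved output of `netstat -an` instead of the constructed sample; a port that shows up in the list but is blocked by ICF or a perimeter firewall is not reachable, so the list is a prompt to verify the firewall rule, not proof of exposure.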
August 16th, 2003, 08:55 PM
#2
Chat Operator
Silencio... I just wanted to thank you for yer advanced warning on this patch...
One month later, it's being taken advantage of in a major way.
Thank god for windrivers!
Looking back, I saw that I'd applied this patch around the same time as this original post.
<Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
-----------------------
Windows 7 Pro x64
Asus P5QL Deluxe
Intel Q6600
nVidia 8800 GTS 320
6 gigs of Ram
2x60 gig OCZ Vertex SSD (raid 0)
WD Black 750 gig
Antec Tri power 750 Watt PSU
Lots of fans
August 18th, 2003, 11:58 AM
#3
Registered User
Maybe the person who wrote the worm got the idea from the Microsoft security bulletin!
After all, not many people are as cautious as Silencio and Matridon, as we've just found out!
There's no panic like the panic you momentarily feel when you've got
your hand or head stuck in something
August 20th, 2003, 11:14 AM
#4
Registered User
That's the security hole that the Blaster virus uses... kinda old news now, but yeah, everyone should patch it as soon as possible. As far as I know it's only XP, so those with OSes older than XP shouldn't have to worry, but you might want to check it out anyway...
August 20th, 2003, 11:38 AM
#5
Chat Operator
I was trying to point out that this posting was one month old, and everyone is complaining that they were caught unprepared.
August 20th, 2003, 11:44 AM
#6
Driver Terrier
Originally posted by MegaHurtz
As far as I know it's only XP so those with OS's older than XP shouldn't have to worry,
Seems you need to update your knowledge somewhat.... or at least read the article...
Affected Software:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Never, ever approach a computer saying or even thinking "I will just do this quickly."
August 20th, 2003, 02:01 PM
#7
Registered User
You are all very welcome.