Vulnerability:Win/RPCSS.DCOM.DoS!CAN-2003-0605

Severity rating
Important

Class/Type
Vulnerability

Discovered date
2003-09-10T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
No

Signature detection
Medium







Description

An attacker who successfully exploited the denial of service vulnerability could cause the RPC Service to hang and become unresponsive. To carry out such an attack, an attacker would need to be able to send a malformed message to the RPCSS service and thereby cause the target system to fail in such a way that arbitrary code could be executed.



Impact

An attacker who successfully exploited the buffer overrun vulnerabilities could run code with Local System privileges on an affected system. The attacker could take any action on the system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. An attacker who successfully exploited the denial of service vulnerability could cause the RPCSS Service to hang and become unresponsive.



Technical details (analysis)

The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.



Affected software

Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server® 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003



Non-affected software

Microsoft Windows Millennium Edition



References




Solutions




NIS signature

Name: Vulnerability:Win/RPCSS.DCOM.DoS!CAN-2003-0605
Release Date: 2003-09-10T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at your firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems.
Use a personal firewall such as Internet Connection Firewall (only available on XP and Windows Server 2003) and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines, especially any machines that connect to a corporate network remotely using a VPN or similar.
Disable DCOM on all affected machines.