Public exploits available
On this page
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter.
An attacker could seek to exploit these vulnerabilities by creating a program that could communicate with a vulnerable server over an affected TCP/UDP port to send a specific kind of malformed RPC message. Receipt of such a message could cause the RPCSS service on the vulnerable system to fail in such a way that it could execute arbitrary code.
It could also be possible to access the affected component through another vector, such as one that would involve logging onto the system interactively or by using another application that passed parameters to the vulnerable component-- locally or remotely.
Technical details (analysis)
An attacker who successfully exploited the buffer overrun vulnerabilities could be able to run code with Local System privileges on an affected system. The attacker could be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges. An attacker who successfully exploited the denial of service vulnerability could cause the RPCSS Service to hang and become unresponsive.
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Millennium Edition
Release Date: 2003-09-10T00:00:00
Known false positives
No known false positives at this time.
Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at your firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems.
Use a personal firewall such as Internet Connection Firewall (only available on XP and Windows Server 2003) and disable COM Internet Services (CIS)and RPC over HTTP, which listen on ports 80 and 443, on the affected machines, especially any machines that connect to a corporate network remotely using a VPN or similar.
Block the affected ports using an IPSEC filter and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines.
Disable DCOM on all affected machines