Buffer Overflow in the RPC Interface May Allow Code Execution (823980)
Initial release date: July 21, 2003
Summary
Target readers of this announcement: Users running Microsoft Windows.
Impact of the vulnerability: Execution of code of the attacker's choice.
Highest severity level: Serious.
Recommendation: System administrators should apply this hotfix immediately.
Affected software:
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Detailed technical information
Technical Description:
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, with some Microsoft-specific extensions added.
There is a vulnerability in the part of RPC that handles messages exchanged over TCP/IP. The problem is caused by incorrect handling of malformed messages. This particular vulnerability affects an interface between the Distributed Component Object Model (DCOM) and RPC, which listens on TCP/IP port 135. This interface handles activation requests (for example, Universal Naming Convention (UNC) paths) sent by client computers to the server.
To exploit this vulnerability, an attacker would need to send a specially formed request to port 135 on a remote computer.
Mitigating factors:
To exploit this vulnerability, an attacker would need the ability to send a specially crafted request to port 135 on the remote computer. In intranet environments this port is usually accessible; for computers connected to the Internet, however, a firewall usually blocks port 135. If the port is not blocked, or in an intranet environment, the attacker does not need any other privileges. Best practice is to block all TCP/IP ports that are not actually in use, so most computers connected to the Internet should have port 135 blocked. RPC over TCP is not intended for use in hostile environments such as the Internet. A more robust protocol such as RPC over HTTP is provided for potentially hostile environments. To learn more about securing RPC for clients and servers, visit http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp. To learn more about the ports used by RPC, visit http://www.microsoft.com/technet/prodtechnol/windows2000serve/reskit/tcpip/part4/tcpappc.asp
Severity level:
Severe level:
Windows NT 4.0: Server Edition: Server Windows 2000: Serious Windows XP: Serious Windows Server 2003: Serious
The above assessment is based on the types of systems affected, their typical deployment patterns, and the impact the vulnerability would have on them.
Vulnerability Identifier: CAN-2003-0352
Tested versions: Microsoft tested Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and they may not be affected by these vulnerabilities.
Frequently Asked Questions
Q: What is the scope of this vulnerability?
A: This is a buffer overflow vulnerability. An attacker who successfully exploited this vulnerability could gain full control of the remote computer. This would allow the attacker to take any action at will, including changing web pages, reformatting hard drives, or adding new users to the local administrators group.
To launch such an attack, an attacker needs to send a message to the RPC service that brings the target computer under the attacker's control, so that the attacker can execute arbitrary code on it.
The best way to prevent remote RPC attacks from the Internet is to configure the firewall to block port 135. RPC over TCP is not intended for use in hostile environments such as the Internet.
Q: What causes this vulnerability?
A: The vulnerability exists because the Windows RPC service does not perform its checks correctly in some cases. If an attacker sends a certain type of malformed RPC message after an RPC connection has been established, it causes a problem in the underlying Distributed Component Object Model (DCOM) interface on the remote computer, allowing arbitrary code to be executed.
Q: What is DCOM?
A: The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. DCOM was previously called "Network OLE" and can operate across multiple network transports, including Internet protocols such as HTTP. More information about DCOM is available at http://www.microsoft.com/tech/dcom.asp
Q: What is RPC (Remote Procedure Call)?
A: Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program on another computer in the network. Because programs that use RPC do not have to understand the network protocols that support the communication, RPC improves the interoperability of programs. In RPC, the program issuing the request is the client, and the program providing the service is the server.
Q: What is wrong with Microsoft's implementation of Remote Procedure Call (RPC)?
A: There is a flaw in the part of RPC that handles message exchange over TCP/IP. Incorrect handling of malformed messages results in an error. This particular error affects the underlying DCOM interface, which listens on TCP/IP port 135. By sending a malformed RPC message, an attacker can cause the RPC service on a computer to fail in a way that allows arbitrary code to be executed.
Q: Is this a flaw in the RPC endpoint mapper?
A: No. Although the RPC endpoint mapper listens on TCP port 135, the flaw is actually in the low-level DCOM interface within the RPC process. The RPC endpoint mapper allows an RPC client to determine the port number currently assigned to a particular RPC service. An endpoint is a protocol port or named pipe on which the server application listens for remote procedure calls. Client/server applications can use well-known ports or dynamic ports.
Q: What could an attacker do with this vulnerability?
A: An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on the affected system. The attacker would be able to take any action on the system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full privileges.
Q: How could an attacker exploit this vulnerability?
A: An attacker could seek to exploit this vulnerability by programming a computer that can communicate with the affected server over TCP port 135 to send it a specific type of malformed RPC message. Receiving such a message can cause the RPC service on the affected computer to fail in a way that allows arbitrary code to be executed.
Q: Who could exploit this vulnerability?
A: Any user who can send a TCP request to port 135 on the affected computer could exploit this vulnerability. Because RPC requests are enabled by default in all versions of Windows, this in effect means that any user who can establish a connection with the affected computer could exploit this vulnerability.
The affected component can also be reached by other means, for example by logging on to the affected system interactively, or by using another similar application that passes parameters to the affected component locally or remotely.
Q: What does the patch do?
A: The patch fixes the vulnerability by modifying the DCOM interface so that it properly checks the information passed to it.
Workarounds
Q: Are there any workarounds I can use to block this vulnerability while I test or evaluate this hotfix?
A: Yes. Although Microsoft urges all customers to apply this hotfix as soon as possible, there are a number of workarounds that help block this vulnerability before the hotfix is applied.
It must be pointed out that these workarounds are only stopgap measures: they block the attack path but do not fundamentally eliminate the vulnerability.
The following sections provide information to help protect your computer from attack. Each section describes workarounds that you can use flexibly depending on your computer's configuration.
Each section describes the available workarounds based on the features you need.
Block port 135 at the firewall.
Port 135 is used to initiate an RPC connection with a remote computer. Blocking port 135 at the firewall helps protect systems behind the firewall from attacks that attempt to exploit this vulnerability.
Internet Connection Firewall.
If you use the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, inbound RPC traffic from the Internet is blocked by default.
Disable DCOM on all affected computers.
When a computer is part of a network, COM objects on that computer can communicate with COM objects on other computers through the DCOM network protocol. You can disable DCOM on a specific computer to help protect against this vulnerability, but doing so disables all communication between objects on that computer and objects on other computers. If you disable DCOM on a remote computer, you will not be able to re-enable DCOM by accessing that computer remotely. To re-enable DCOM, you need to work at the computer locally.
To manually enable (or disable) DCOM:
Run Dcomcnfg.exe.
If you are running Windows XP or Windows Server 2003, also perform these steps:
Click Component Services under the Console Root node.
Open the Computers subfolder.
For the local computer, right-click My Computer and select Properties.
For a remote computer, right-click the Computers folder, select New, and then select Computer. Enter the computer name. Right-click the computer name and select Properties.
Select the Default Properties tab.
Select (or clear) the "Enable Distributed COM on this computer" checkbox.
If you want to set more properties for the computer, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
Get Patch
Windows Server 2003
Windows Server 2003 Chinese Edition (32-bit)
Windows Server 2003 English Edition (32-bit)
Windows Server 2003 English Edition (64-bit)
Microsoft Windows XP
Microsoft Windows XP Simplified Chinese version (32-bit)
Microsoft Windows XP English version (32-bit)
Microsoft Windows XP English version (64-bit)
Microsoft Windows 2000
Microsoft Windows 2000 Simplified Chinese version (supported operating systems: Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional)
Microsoft Windows 2000 English version (supported operating systems: Windows 2000 Server, Windows 2000 Advanced Server, Windows 2000 Professional)
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Chinese version (supported operating systems: Windows NT, Windows NT 4.0 Server, Enterprise Edition)
Microsoft Windows NT 4.0 English version (supported operating systems: Windows NT, Windows NT 4.0 Server, Enterprise Edition)
Windows NT 4.0 Terminal Server Edition English
Additional information about this hotfix
Installation platform:
The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 Terminal Server Edition Service Pack 6.
The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3 or Service Pack 4.
The Windows XP patch can be installed on systems running Windows XP Gold or Service Pack 1.
The Windows Server 2003 patch can be installed on systems running Windows Server 2003 Gold.
Inclusion in future service packs: The fix for this issue will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1.
Restart required: Yes
Patch can be uninstalled: Yes
Replaces another patch: No
Verify the patch installation:
Windows NT 4.0: To verify that the patch is installed on your computer, confirm that all files listed in the file list in Knowledge Base Article 823980 exist on the system.
Windows NT 4.0 Terminal Server Edition: To verify that the patch is installed on your computer, confirm that all files listed in the file list in Knowledge Base Article 823980 exist on the system.
Windows 2000: To verify that the patch is installed on your computer, confirm that the following registry key has been created: HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Windows 2000\SP5\KB823980. To verify individual files, use the date/time and version information provided in the file list in Knowledge Base Article 823980 to confirm that the files are on the system.
Windows XP: To verify that the patch is installed on your computer, confirm that the following registry key has been created: HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Windows XP\SP2\KB823980. To verify individual files, use the date/time and version information provided in the file list in Knowledge Base Article 823980 to confirm that the files are on the system.
Windows Server 2003: To verify that the patch is installed on your computer, confirm that the following registry key has been created: HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Window Server 2003\SP1\KB823980. To verify individual files, use the date/time and version information provided in the file list in Knowledge Base Article 823980 to confirm that the files are on the system.
Note: None
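Added example (not part of the bulletin and not Microsoft code): a Python sketch that audits registry exports collected from hosts against the marker keys listed above and against the "Disable DCOM" workaround described earlier. The host names and export contents are constructed, and the EnableDCOM value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole is an assumption from general Windows knowledge that the bulletin does not state.

```python
import re

# Marker keys copied from the bulletin text above, spelled as printed there
# (including "Window Server 2003"); confirm against a known-patched host.
_UPD = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\"
PATCH_KEYS = {
    "Windows 2000": _UPD + "Windows 2000\\SP5\\KB823980",
    "Windows XP": _UPD + "Windows XP\\SP2\\KB823980",
    "Windows Server 2003": _UPD + "Window Server 2003\\SP1\\KB823980",
}
# The bulletin gives no marker key for NT 4.0; those hosts need the file-list check.
FILE_LIST_ONLY = {"Windows NT 4.0", "Windows NT 4.0 Terminal Server Edition"}
# Assumption, not from the bulletin: the Dcomcnfg checkbox is stored as
# EnableDCOM = "Y"/"N" under this key.
OLE_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole"

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse .reg export text into {lowercased key: {lowercased name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            if m.group(1).startswith("-"):   # "[-KEY]" is a deletion directive
                current = None
            else:
                current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return keys


def audit_host(os_name, reg_text):
    """Classify one host from its OS name and its registry export."""
    keys = parse_reg_export(reg_text)
    if os_name in FILE_LIST_ONLY:
        patched = None                        # cannot be decided from the registry
    elif os_name in PATCH_KEYS:
        patched = PATCH_KEYS[os_name].lower() in keys
    else:
        raise ValueError("OS not covered by the bulletin: %r" % os_name)
    flag = keys.get(OLE_KEY.lower(), {}).get("enabledcom")
    dcom_enabled = None if flag is None else flag.strip().upper() == "Y"
    if patched:
        status = "patched"
    elif patched is None:
        status = "verify-files"               # compare files with KB823980 list
    elif dcom_enabled is False:
        status = "unpatched-workaround"       # attack path blocked, flaw remains
    else:
        status = "unpatched"
    return {"patched": patched, "dcom_enabled": dcom_enabled, "status": status}


# Constructed sample exports (host names and contents are illustrative only).
SAMPLE_EXPORTS = {
    "ws-xp-01": ("Windows XP", r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980]
"Description"="constructed sample value"
"""),
    "srv-2k-02": ("Windows 2000", r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Ole]
"EnableDCOM"="N"
"""),
    "srv-2k3-03": ("Windows Server 2003", r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"""),
    "nt4-04": ("Windows NT 4.0", r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"""),
}


def fleet_report(exports=SAMPLE_EXPORTS):
    """Return {host: status} for every collected export."""
    return {h: audit_host(os_name, text)["status"]
            for h, (os_name, text) in exports.items()}


if __name__ == "__main__":
    for host, status in sorted(fleet_report().items()):
        print(host, status)
```

A host reported as "unpatched-workaround" still carries the flaw; as the bulletin says, the workaround only blocks the attack path.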
Localization: Localized versions of the patch can be obtained from the locations described in "Get Patch".
Get other security patches: Patches for other security issues can be obtained from the following locations:
Security patches can be found in the Microsoft Download Center, most easily by searching for the keyword "security_patch".
Patches for consumer platforms can be obtained from the WindowsUpdate Web site.
Other information
Acknowledgments: Microsoft thanks the Last Stage of Delirium research team for reporting this issue to us and for working with us to protect our customers.
Support:
Microsoft Knowledge Base Article 823980 discusses this issue; the article will be available approximately 24 hours after this announcement. Knowledge Base articles can be found on the Microsoft Online Support website. Technical support can be obtained from Microsoft Product Support Services. Support for security patches is free.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about Microsoft product security.
Disclaimer: The information in the Microsoft Knowledge Base is provided "as is", without warranty of any kind. Microsoft makes no warranties, express or implied, including warranties of merchantability and fitness for a particular purpose. Microsoft Corporation or its suppliers shall not be liable for any damages (including direct, indirect, incidental or consequential damages, loss of business profits, or special damages), even if Microsoft Corporation or its suppliers have been advised in advance of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply.
Revision: v1.0 (July 16, 2003): Announcement created.