Why have you revised this bulletin?
Subsequent to the release of this bulletin Microsoft has been made aware that additional ports involving RPC can be used to exploit this vulnerability. Information regarding these additional ports has been added to the mitigating factors and the Workaround section of the bulletin. In addition, Microsoft has released security bulletin MS03-039 and a new scanning tool which supersedes this bulletin and the original scanning tool provided with it. As such, the bulletin has also been updated to reflect the release of the new patch and new scanning tool.
Is the patch supported on Windows 2000 Service Pack 2?
This security patch will install on Windows 2000 Service Pack 2. However, Microsoft no longer supports this version, according to the Microsoft Support Lifecycle policy found at http://support.microsoft.com/lifecycle. In addition, this security patch has only received minimal testing on Windows 2000 Service Pack 2. Customers are strongly advised to upgrade to a supported service pack as soon as possible. Microsoft Product Support Services will support customers who have installed this patch on Windows 2000 Service Pack 2 if a problem results from installation of the patch.
Is the patch supported on Windows NT 4.0 Workstation?
This security patch will install on Windows NT 4.0 Workstation Service Pack 6a. However, Microsoft no longer supports this version, according to the Microsoft Support Lifecycle policy found at http://support.microsoft.com/lifecycle. In addition, this security patch has only received minimal testing on Windows NT 4.0 Workstation Service Pack 6a. Customers are strongly advised to upgrade to a supported version as soon as possible. Microsoft Product Support Services will support customers who have installed this patch on Windows NT 4.0 Workstation Service Pack 6a if a problem results from installation of the patch.
Are there any tools I can use to detect systems on my network that do not have the MS03-026 patch installed?
Yes - Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-026 or the newly released MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363.
I previously downloaded the scanning tool for MS03-026, should I download the updated tool?
Yes - although the original scanning tool still scans properly for systems that do not have MS03-026 installed, Microsoft has released MS03-039, which supersedes this bulletin. Once MS03-039 is installed, the original scanning tool will no longer give reliable results. However, the newly released scanning tool will properly scan for vulnerable computers and provide the proper results if MS03-039 has been installed.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over a remote computer. This would give the attacker the ability to take any action on the server that they want. For example, and attacker could change Web pages, reformat the hard disk, or add new users to the local administrators group.
To carry out such an attack, an attacker would require the ability to send a malformed message to the RPC service and thereby cause the target machine to fail in such a way that arbitrary code could be executed.
What causes the vulnerability?
The vulnerability results because the Windows RPCSS service does not properly check message inputs under certain circumstances. After establishing a connection, an attacker could send a specially crafted malformed RPC message to cause the underlying Distributed Component Object Model (DCOM) process on the remote system to fail in such a way that arbitrary code could be executed.
What is DCOM?
The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. Previously called "Network OLE," DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP.
What is Remote Procedure Call (RPC)?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.
What is COM Internet Services (CIS) and RPC over HTTP?
RPC over HTTP - v1 (Windows NT 4.0, Windows 2000) and v2 (Windows XP, Windows Server 2003) introduce support for a new RPC transport protocol that allows RPC to operate over TCP ports 80 and 443 (v2 only). This allows a client and a server to communicate in the presence of most proxy servers and firewalls. COM Internet Services (CIS) allows DCOM to use RPC over HTTP to communicate between DCOM clients and DCOM servers.
More information on "RPC over HTTP " for Windows Server 2003 can be found at the following URL:
http://msdn2.microsoft.com/en-us/library/Aa375384
More information on COM Internet Services (sometimes referred to as CIS) can be found at the following URL:
http://msdn2.microsoft.com/en-us/library/ms809302
How do I know if I have COM Internet Services (CIS) or RPC over HTTP installed?
To determine whether a server has COM Internet Services or RPC over HTTP installed follow the steps below:
- On Windows NT 4.0 systems with the Windows NT Option Pack installed: Search on all partitions for "rpcproxy.dll". If "rpcproxy.dll" is found on the server, COM Internet Services is installed.
- On Windows 2000 and Windows Server 2003 servers:
In Control Panel, double-click Add/Remove Programs, and then double-click Add/Remove Windows Components.
The Windows Components Wizard starts.
Click Networking Services, and then click Details.
If the COM Internet Services Proxy (for Windows 2000 Server) or the RPC over HTTP Proxy (for Windows Server 2003) check box is selected, CIS or RPC over HTTP support is enabled on the server.
Note: You can also search for "rpcproxy.dll" on Windows 2000 and Windows Server 2003 installations if you want to remotely or programmatically determine if CIS or RPC over HTTP is installed.
To search for a specific file on your computer: click Start, click Search, click For Files or Folders, and then type the name of the file that you want to search for.
The search may take several minutes, depending on the size of your hard disk.
What's wrong with the RPCSS Service?
There is a flaw in the RPCSS Service that deals with DCOM activation. A failure results because of incorrect handling of malformed messages. This particular failure affects the underlying RPCSS Service used for DCOM activation, which listens on UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593. Additionally, it can listen on ports 80 and 443 if CIS or RPC over HTTP is enabled.
By sending a malformed RPC message, an attacker could cause the RPCSS Service on a system to fail in such a way that arbitrary code could be executed.
Is this a flaw in the RPC Endpoint Mapper?
No - Although the RPC endpoint mapper shares the RPCSS service with the DCOM infrastructure, the flaw actually occurs in the DCOM Activation infrastructure. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. An endpoint is a protocol-specific identifier of a service on a host machine. For protocols like TCP or UDP, this is a port. For named pipes, it is a named pipe name. Other protocols use other protocol specific endpoints.
What could this vulnerability enable an attacker to do?
An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system. The attacker could be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a program that could communicate with a vulnerable server over an affected TCP/UDP port to send a specific kind of malformed RPC message. Receipt of such a message could cause the RPCSS service on the vulnerable system to fail in such a way that it could execute arbitrary code.
It could also be possible to access the affected component through another vector, such as one that would involve logging onto the system interactively or by using another application that passed parameters to the vulnerable component-- locally or remotely.
Who could exploit this vulnerability?
Any user who could deliver a malformed RPC message to the RPCSS Service on an affected system could attempt to exploit this vulnerability. Because the RPCSS Service is on by default in all versions of Windows, this in essence means that any user who could establish a connection with an affected system could attempt to exploit this vulnerability.
What does the patch do?
The patch corrects the vulnerability by altering the DCOM implementation to properly check the information passed to it.
Workarounds:
Are there any workarounds that can be used to help block exploitation of this vulnerability while I am testing or evaluating the patch?
Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to help prevent the vector used to exploit this vulnerability in the interim. There is no guarantee that the workarounds will block all possible attack vectors.
It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability.
- Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at your firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems.
These ports are used to initiate an RPC connection with a remote computer. Blocking them at the firewall ,will help prevent systems behind that firewall from being attacked by attempts to exploit these vulnerabilities. You should also be sure and block any other specifically configured RPC port on the remote machine.
If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP ports 80 (and 443 on XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected systems.
More information on how to disable CIS can be found in Microsoft Knowledge Base Article 825819.
For information regarding RPC over HTTP, see http://msdn2.microsoft.com/en-us/library/Aa378642.
- Use a personal firewall such as Internet Connection Firewall (only available on XP and Windows Server 2003) and disable COM Internet Services (CIS)and RPC over HTTP, which listen on ports 80 and 443, on the affected machines, especially any machines that connect to a corporate network remotely using a VPN or similar.
If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet. Make sure that CIS and RPC over HTTP are disabled on all affected machines.
More information on how to disable CIS can be found in Microsoft Knowledge Base Article 825819.
For information regarding RPC over HTTP, see http://msdn2.microsoft.com/en-us/library/Aa378642.
- Block the affected ports using an IPSEC filter and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected machines.
You can secure network communications on Windows 2000-based computers if you use Internet Protocol Security (IPSec). Detailed information on IPSec and how to apply filters can be found in Microsoft Knowledge Base Article 313190 and 813878. Make sure that CIS and RPC over HTTP are disabled on all affected machines.
More information on how to disable CIS can be found in Microsoft Knowledge Base Article 825819.
For information regarding RPC over HTTP, see http://msdn2.microsoft.com/en-us/library/Aa378642.
- Disable DCOM on all affected machines
When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.
If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.
Information on how to disable DCOM is available in Microsoft Knowledge Base Article 825750.
Note: For Windows 2000, the methods described above will only work on systems running Service Pack 3 or later. Customers using Service Pack 2 or below should upgrade to a later Service Pack or use one of the other workarounds.
