
Multiple Microsoft RPC DCOM Subsystem Vulnerabilities


Date Discovered

Microsoft has released a Security Bulletin and a software patch, which addresses three issues identified in the RPC DCOM subsystem of the Microsoft Windows family of operating systems. Two of these issues can be exploited to execute arbitrary code in the security context of the RPC DCOM account, typically LocalSystem, while the third vulnerability can be exploited to launch a Denial of Service (DoS) attack against a vulnerable host.

It is believed that existing code, including the exploit implemented by W32.Blaster.Worm, which targets the vulnerability in the RPC DCOM subsystem described in MS03-026, can easily be modified to successfully exploit one of the vulnerabilities listed in MS03-039. For this reason, Symantec Security Response believes that active exploitation and the creation of Internet worms targeting this vulnerability are imminent. The vulnerability in question is purported to be a heap-based overflow that can be exploited via an overly long NETBIOS name submitted in a specially formatted RPC packet.

Norton Internet Security / Norton Internet Security Professional
An update for these products to detect attempts to exploit this vulnerability is available. Users of these products should run LiveUpdate to ensure protection against this threat.

Symantec Client Security
An update for Symantec Client Security to detect attempts to exploit this vulnerability is available. Symantec Client Security users should run LiveUpdate to ensure protection against this threat.

Symantec Gateway Security
An update for Symantec Gateway Security to detect attempts to exploit this vulnerability is available. Symantec Gateway Security users should run LiveUpdate to ensure protection against this threat.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager™ posted an update to the OS Patches Policy that detects and reports systems that are not patched against these vulnerabilities. Click here for the advisory released September 10, 2003.

Symantec NetRecon
Symantec NetRecon detects and reports these vulnerabilities. Refer to Symantec NetRecon SU8 for more details.

Symantec ManHunt 3.0
Users of Symantec Manhunt 3.0 can update to the latest Security Update to detect attempts to exploit this vulnerability. Click here for more information.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports these vulnerabilities. Click here for more information.

Components Affected

  • Microsoft Windows NT 4.0
  • Microsoft Windows XP
  • Microsoft Windows 2000
  • Microsoft Windows 2003

Deployment of the patches supplied by Microsoft is highly recommended. If this course of action is not feasible at this time, the following strategies should be followed in order to mitigate the risk of exploitation:

  • Filtering traffic destined for UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at network perimeters, and restricting access to RPC DCOM servers to trusted clients only. Furthermore, RPC over HTTP should be disabled or at least restricted to trusted clients. In addition, ports bound by individual RPC services should also be blocked. Unfortunately, as there is no standard assignment of ports to individual RPC services, filtering has to be done on a per-application basis.

  • Filtering out unwanted traffic using the Internet Connection Firewall (Windows XP and Windows Server 2003 only) or disabling RPC services altogether.

  • Microsoft has released a tool that verifies whether the patch provided in MS03-039 has been applied to a system. It can be found at the following location: http://support.microsoft.com/?kbid=827363
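As an added example that is not part of the Symantec advisory, the following Python script audits perimeter firewall flow records against the port filtering recommended above: inbound traffic to UDP 135, 137, 138, 445 or TCP 135, 139, 445, 593 from any source outside an allow-list of trusted client networks should be dropped, and any such flow the firewall allowed is reported. The record format, the trusted networks and the sample log lines are constructed for illustration and are not a real firewall's format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports the advisory recommends filtering at the network perimeter.
FILTERED_PORTS = {
    "UDP": {135, 137, 138, 445},
    "TCP": {135, 139, 445, 593},
}

# Assumed trusted client networks that may still reach RPC DCOM servers
# (constructed for this example; substitute your own).
TRUSTED_CLIENTS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    action: str  # "ALLOW" or "DROP" as recorded by the firewall


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record in the assumed format
    '<PROTO> <src_ip> -> <dst_ip>:<dport> <ACTION>'. Returns None for
    blank or malformed lines so a noisy log does not abort the audit."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, _, port = parts[3].rpartition(":")
    try:
        return Flow(parts[0].upper(), parts[1], dst, int(port), parts[4].upper())
    except ValueError:
        return None


def is_filtered_port(proto: str, dport: int) -> bool:
    """True if the advisory lists this protocol/port pair for filtering."""
    return dport in FILTERED_PORTS.get(proto, set())


def is_trusted_client(src: str) -> bool:
    """True if the source address falls inside an allow-listed client network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_CLIENTS)


def classify(flow: Flow) -> str:
    """'violation' = RPC/DCOM port reached from an untrusted client and the
    firewall let it through; 'blocked' = such traffic correctly dropped;
    'ok' = trusted client, or a port outside the advisory's list."""
    if not is_filtered_port(flow.proto, flow.dport):
        return "ok"
    if is_trusted_client(flow.src):
        return "ok"
    return "violation" if flow.action == "ALLOW" else "blocked"


def audit(log_text: str) -> List[Flow]:
    """Return every flow that violates the perimeter filtering policy."""
    violations = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None and classify(flow) == "violation":
            violations.append(flow)
    return violations


# Constructed sample records (not real traffic): a mix of trusted and
# untrusted sources, RPC ports from the advisory, and unrelated ports.
SAMPLE_LOG = """\
TCP 203.0.113.5 -> 192.0.2.10:135 ALLOW
UDP 203.0.113.5 -> 192.0.2.10:137 DROP
TCP 10.1.2.3 -> 192.0.2.10:445 ALLOW
TCP 203.0.113.9 -> 192.0.2.10:80 ALLOW
TCP 203.0.113.9 -> 192.0.2.10:593 ALLOW
UDP 198.51.100.7 -> 192.0.2.11:135 ALLOW
garbage line that should be skipped
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"untrusted {v.src} allowed to {v.proto}/{v.dport} on {v.dst}")
```

Run against the constructed sample, the audit reports three allowed flows from untrusted sources (TCP 135, TCP 593 for RPC over HTTP, and UDP 135); the dropped UDP 137 probe and the trusted 10.1.2.3 client are not reported. Ports that individual RPC services bind dynamically are not covered here, which is the per-application filtering problem the advisory notes.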

Microsoft Security Bulletin MS03-039 (Microsoft)

Microsoft RPCSS DCERPC DCOM Object Activation Packet Length Heap Corruption

Microsoft RPCSS DCOM Interface Variant Buffer Overrun Vulnerability

Microsoft Windows RPCSS Denial of Service Vulnerability

Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.