
Microsoft Windows RPCSS Multi-thread Race Condition Vulnerability

Risk
High

Date Discovered
10-10-2003

Description
A multi-threaded race condition has been reported in the RPCSS service of Microsoft Windows. Because of this, it may be possible for an attacker to mount denial of service attacks. This condition is reported to exist when the service is handling multiple RPC requests. In particular, if two threads are processing the same request, one thread may free a packet while the other thread is still processing it. This could result in memory corruption. Factors such as network latency, CPU load, and the state of memory on the vulnerable system may make it difficult to reliably reproduce the condition, though it may be possible under some circumstances to corrupt memory in a manner sufficient to execute arbitrary code. Code execution has been deemed unlikely.

However, it has been reported by a reliable source that this problem can cause a denial of service on fully patched Windows XP Service Pack 1 systems (including the patches supplied in MS03-039). Additionally, it has been indicated that the vendor has been notified of this issue.

New information has been obtained from a reliable source, confirming that the exploitation of this issue will trigger a denial of service on fully patched Windows 2000 systems.

It is unknown what impact this variant attack has on Windows 2003.
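The bug class described above (one worker thread freeing a request packet that a second worker is still processing) and the reference-counting discipline that prevents it, as an added illustration that is not Symantec's, ISS X-Force's or Microsoft's code and does not reflect RPCSS internals. All structure and function names are invented for the example, and the "request" used is a constructed byte string. A real free() is modelled by marking the storage dead so the double use can be counted rather than performed; the thread interleaving that is timing-dependent in the real service is fixed in the example:

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example-only model of a request packet shared between worker threads.
 * Names are invented; this is not the layout of any RPCSS structure. */
enum { PKT_LIVE = 0x51, PKT_FREED = 0xDE };

typedef struct rpc_packet {
    int state;              /* PKT_LIVE or PKT_FREED; stands in for a real free() */
    atomic_int refs;        /* handlers still holding the packet (hardened path) */
    size_t len;
    unsigned char body[64];
} rpc_packet;

/* Counters the example reports back; a service would log these instead. */
static int g_release_count;   /* how many times the packet storage was released */
static int g_use_after_free;  /* how many times a handler touched a released packet */

static rpc_packet *packet_new(const unsigned char *data, size_t len) {
    rpc_packet *p = calloc(1, sizeof *p);
    if (!p || len > sizeof p->body) { free(p); return NULL; }
    p->state = PKT_LIVE;
    atomic_init(&p->refs, 1);   /* the dispatcher's own reference */
    p->len = len;
    memcpy(p->body, data, len);
    return p;
}

/* Models free(): marks the storage dead instead of returning it, so a
 * later use can be observed without undefined behaviour. */
static void packet_destroy(rpc_packet *p) {
    p->state = PKT_FREED;
    g_release_count++;
}

/* A handler "uses" the packet by checksumming the body. A touch after
 * release is counted, not performed. */
static unsigned handler_process(rpc_packet *p) {
    if (p->state != PKT_LIVE) { g_use_after_free++; return 0; }
    unsigned sum = 0;
    for (size_t i = 0; i < p->len; i++) sum = sum * 31 + p->body[i];
    return sum;
}

/* Vulnerable dispatch: two workers receive the same request and each frees
 * it when done, so the second worker runs on released storage and the
 * storage is released twice. Returns the number of use-after-release events. */
int vulnerable_dispatch(const unsigned char *req, size_t len) {
    g_release_count = g_use_after_free = 0;
    rpc_packet *p = packet_new(req, len);
    if (!p) return -1;
    handler_process(p);     /* worker A finishes first ... */
    packet_destroy(p);      /* ... and frees the packet */
    handler_process(p);     /* worker B still holds the raw pointer */
    packet_destroy(p);      /* and frees it a second time */
    int uaf = g_use_after_free;
    free(p);                /* real storage reclaimed once, by the example */
    return uaf;
}

/* Hardened dispatch: each worker owns a reference; storage is released
 * exactly once, by whichever worker drops the last one. */
static void packet_acquire(rpc_packet *p) { atomic_fetch_add(&p->refs, 1); }
static void packet_release(rpc_packet *p) {
    if (atomic_fetch_sub(&p->refs, 1) == 1) packet_destroy(p);
}

int hardened_dispatch(const unsigned char *req, size_t len) {
    g_release_count = g_use_after_free = 0;
    rpc_packet *p = packet_new(req, len);
    if (!p) return -1;
    packet_acquire(p);                          /* worker A's reference */
    packet_acquire(p);                          /* worker B's reference */
    packet_release(p);                          /* dispatcher done; 2 refs remain */
    handler_process(p); packet_release(p);      /* worker A */
    handler_process(p); packet_release(p);      /* worker B drops the last ref */
    int uaf = g_use_after_free;
    free(p);
    return uaf;
}

int release_count(void) { return g_release_count; }

int main(void) {
    /* Constructed sample request; any bytes would do for the model. */
    const unsigned char req[] = "constructed request";
    int v = vulnerable_dispatch(req, sizeof req - 1);
    printf("vulnerable: %d use-after-release, %d releases\n", v, release_count());
    int h = hardened_dispatch(req, sizeof req - 1);
    printf("hardened:   %d use-after-release, %d releases\n", h, release_count());
    return 0;
}
```

The hardened path is the standard fix for this class of bug: ownership of a shared buffer is expressed as a count of live references, and the release happens in whichever thread observes the count reach zero. Whether a given service actually uses such a discipline can only be confirmed against its source; the example shows the pattern, not RPCSS.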

Components Affected
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional

Recommendations
Block external access at the network boundary, unless the service is required by external parties.

  • Hosts that can send malicious traffic to various ports that listen for RPC traffic can exploit this issue. External access to affected ports should be filtered at network perimeters. Permit access for trusted or internal hosts and networks only.
Implement multiple redundant layers of security.
  • Multiple layers of network access control and intrusion detection should be deployed to limit exposure to potentially vulnerable systems and monitor network traffic for malicious or anomalous activity.
Workaround: Restrict access to the following ports:
  • 135/TCP
  • 139/TCP
  • 445/TCP
  • 593/TCP
  • 135/UDP
  • 137/UDP
  • 138/UDP
  • 445/UDP
The Internet Connection Firewall in Windows XP or Windows Server 2003 will, by default, block inbound RPC traffic.

COM Internet Services may also provide an attack vector via ports 80 and 443. Disable CIS and RPC over HTTP if it is not required.

Disabling DCOM will limit exposure to this issue. However, this will limit remote access to the system. Physical access to the system is required if users wish to re-enable DCOM.

Because a working exploit may be distributed in the wild, users are advised to apply all available workarounds until the vendor acknowledges and patches the issue.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


References
Source: Bad news on RPC DCOM vulnerability
URL: msg://bugtraq/1155962754.20031010184852@SECURITY.NNOV.RU

Source: RE: Bad news on RPC DCOM vulnerability
URL: msg://bugtraq/6E4E9A51D91C044F9879FD72389600F731B562@new_iron.vigilantminds.com

Source: Microsoft RPC Race Condition Denial of Service (ISS X-Force)
URL: http://xforce.iss.net/xforce/alerts/id/155

Source: Microsoft Security Bulletin MS03-039
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp

Credits
Discovery credited to ZARAZA. Additional technical details were provided by ISS X-Force.


Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.