Security Home > Windows NT, 2000 & XP

Buffer Overrun In RPC Interface New

A major security vulnerability exists in the RPC Interface of Windows NT, 2000, XP and Windows Server 2003 which could allow a remote attacker to run the code of their choice on the system. This vulnerability has been exploited by the Blaster worm.

Issue

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.

Affected Products

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Terminal Services Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

Download

Software patches are available from the following locations:

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: July 27, 2003

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<