ALERT TSA03-009 -- Microsoft Windows RPC Buffer Overflow
Publish Date: July 25, 2003
Publish Time: 1607 EDT
Initial Assessment Date: July 16, 2003
Initial Assessment Time: 1647 EDT
RISK INDICES:
Initial Assessment: Hot
Current Assessment: Hot
Threat: Medium ( Sample exploit code has been released and the TruSecure predictive models indicate that this exploit could lead to malicious code within the near future. )
Vulnerability Prevalence: High ( Most corporate deployed versions of the Microsoft Windows operating system are vulnerable; however, TruSecure's default-deny essential practice and other recommendations will limit the exposure of corporate networks from the Internet. The potential for internal propagation should be mitigated by following the recommendations below. )
Cost: High ( The exploits could allow the execution of arbitrary code with Local System privileges. Exploitation of the vulnerability is likely to be limited to users capable of sending malformed messages through the intranet because most environments use a firewall to prevent Internet access to the specified ports. Generally, only systems on trusted networks are allowed to access this port. Technical details and demonstrations are now publicly available. The probability of an attack has increased due to the publication of such details. The vulnerability could allow widespread attacks and may be suitable for malicious code. )
Vulnerable Systems:
[Microsoft, Inc.] Windows 2000: Advanced Server (Base, SP1, SP2, SP3, SP4), Professional (Base, SP1, SP2, SP3, SP4), Server (Base, SP1, SP2, SP3, SP4)
[Microsoft, Inc.] Windows NT: 4.0 (Base, SP1, SP2, SP3, SP4, SP5, SP6a)
[Microsoft, Inc.] Windows NT Terminal Server: 4.0 (Base, SP1, SP2, SP3, SP4, SP5, SP6)
[Microsoft, Inc.] Windows Server 2003: Datacenter Edition, Datacenter Edition 64-bit, Enterprise Edition, Enterprise Edition 64-bit, Standard Edition, Web Edition
[Microsoft, Inc.] Windows XP: Home Edition (Base, SP1), Professional Edition (Base, SP1), Professional Edition 64-bit (Base, SP1)
[TruSecure] Action Alert: Original Release
Summary:
Potential exploit code for the Windows RPC buffer overflow vulnerability has been publicly released. Due to the release of the potential code, and the possibility that it may become a vector for malicious code, the TruSecure Research Group has upgraded this alert to a TruSecure Action Alert rated HOT.
Impact:
An attacker who can access TCP or UDP ports 135, 139 or 445 could execute arbitrary code with Local System privileges. This allows the attacker to gain complete control over the exploited system.
Detailed Description:
Microsoft Windows NT, 2000, XP and Windows Server 2003 use Remote Procedure Call (RPC) to provide a way for programs running on one system to communicate with and execute code on a remote system. A vulnerability in the Distributed Component Object Model (DCOM) interface to RPC may allow an attacker to construct a specially formed request to TCP and UDP ports 135, 139, 445, or another specifically configured RPC port, to cause a buffer overflow. In this instance, the buffer overflow vulnerability could enable the attacker to execute arbitrary code.
The RPC service listening on TCP and UDP ports 135, 139 and 445 is a known hazard.
Many sites block these ports at the firewall, including the Internet Connection Firewall included in Windows XP and Windows Server 2003. The ability of an attacker to exploit this vulnerability is based on the attacker's ability to send a malformed RPC request to the listening DCOM interface. The arbitrary code is executed with Local System privileges, allowing the attacker to take any desired action on the system.
Patches are available.
Warning Indicators
------------------------------------------------------------------
Systems running Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP or Windows Server 2003 may be vulnerable.
Systems on which the attacker can access TCP or UDP ports 135, 139 or 445 are vulnerable.
Systems that have enabled DCOM may be vulnerable.
Technical Information
------------------------------------------------------------------
The buffer overflow occurs because the Windows RPC service does not properly check message inputs under certain conditions. The buffer overflow affects the Distributed Component Object Model (DCOM) interface, which listens on port 135 but can also be reached on ports 139 and 445. DCOM is a protocol that enables software components to communicate with one another over a network. An attacker can create a malformed RPC message that, when sent to the server, overflows the buffer.
On systems protected by a firewall, it is a standard practice to block these ports due to the known risks associated with RPC. However, port 135 is normally used internally on the intranet or LAN to allow clients to communicate with a server. This limits the vulnerability in most environments to a local attack.
Administrators must consider disabling DCOM on all systems if not explicitly required, as this prevents the exploit. Disabling DCOM can be achieved remotely; however, restarting DCOM requires physical access to the system.
TruSecure Comments
------------------------------------------------------------------
TruSecure has become aware of the public availability of a sample exploit against this vulnerability. While the sample is not malicious, modification of it to make it malicious is not difficult, and is expected in the near future. Previously, the specifics of how to exploit the vulnerability had not been published. Such samples generally form the basis for future attacks.
TruSecure's Ballistic Threat Model predicts that attacks against this vulnerability may be forthcoming in the near future. TruSecure strongly recommends you read and follow the Safeguards mentioned below.
The vulnerability can be exploited by any attacker capable of sending a malformed request to TCP or UDP ports 135, 139 or 445. Windows has RPC enabled by default, so any system running with default settings can be exploited. An attacker could also reach the affected component in other ways, including logging into the system interactively, or by using another application that passes parameters to the vulnerable component. These exploits can be achieved locally or remotely.
TruSecure Essential Practices recommend that all TCP/IP ports not necessary for business operations be blocked at the perimeter. This includes implementing a default-deny policy and only allowing those ports deemed business necessary at the Internet perimeter, and on business partner and VPN connections. In addition, to mitigate the internal spread of malicious code, having the ability to dynamically deny TCP ports such as 135, 139, and 445 on internal network segments is an additional synergistic control.
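As an added defender-side example (not part of the TruSecure alert), the following Python script audits firewall log lines for accepted connections to TCP/UDP 135, 139 and 445 from addresses outside the internal address space, which is exactly the condition the default-deny rule above is meant to exclude; it also lists internal-to-internal hits so the same check can confirm a segment deny rule during an outbreak. The log line format is constructed for this example and the RFC 1918 ranges are assumed to be the internal address space.

```python
"""Audit firewall log lines for accepted connections to the RPC/DCOM ports
named in this alert (TCP/UDP 135, 139, 445). Constructed example, not
TruSecure or Microsoft tooling."""
import ipaddress
import re

RPC_PORTS = {135, 139, 445}
# Assumed internal ranges: RFC 1918 space. Adjust to your own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (constructed) log format: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit(lines):
    """Return (ts, origin, proto, src, dst, dport) for every ACCEPTed connection
    to an RPC/SMB port; origin is 'external' when the source is outside the
    internal ranges (a perimeter default-deny gap) and 'internal' otherwise."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] not in RPC_PORTS:
            continue
        origin = "internal" if is_internal(rec["src"]) else "external"
        findings.append((rec["ts"], origin, rec["proto"], rec["src"], rec["dst"], rec["dport"]))
    return findings

# Constructed sample log: two perimeter gaps (lines 1 and 5), one internal hit (line 3).
SAMPLE_LOG = """\
2003-07-25T16:07:01 ACCEPT TCP 203.0.113.7:3412 -> 192.168.1.10:135
2003-07-25T16:07:02 DROP TCP 203.0.113.7:3413 -> 192.168.1.10:445
2003-07-25T16:07:03 ACCEPT TCP 192.168.1.20:1043 -> 192.168.1.10:135
2003-07-25T16:07:04 ACCEPT TCP 203.0.113.9:2001 -> 192.168.1.10:80
2003-07-25T16:07:05 ACCEPT UDP 198.51.100.4:1026 -> 192.168.1.10:139
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("perimeter gap" if f[1] == "external" else "internal RPC", f)
```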
Vendor Announcements
------------------------------------------------------------------
Microsoft has re-released a security bulletin at the following link: MS03-026 (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp)
CERT has released an advisory and a vulnerability note at the following links, respectively:
CA-2003-16 (http://www.cert.org/advisories/CA-2003-16.html) and VU#568148 (http://www.kb.cert.org/vuls/id/568148)
Patches/Software
------------------------------------------------------------------
Microsoft has released patches for the following Windows versions:
Windows NT 4.0 Server
Windows NT 4.0, Terminal Server Edition
Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition
Windows Server 2003 32-bit Edition
Windows Server 2003 64-bit Edition
Mitigations:
Block TCP and UDP ports 135, 139 and 445 at the perimeter firewall or router. These ports are used to initiate an RPC connection with another system. By blocking these ports, systems behind the firewall are protected from exploitation from the Internet.
The Internet Connection Firewall in Windows XP and Windows Server 2003 blocks inbound RPC traffic by default. Users can enable this service to protect their systems.
Add a Router or Firewall Access Control List rule on all internal routers or firewalls specifically permitting TCP and UDP 135 inbound and outbound if it is currently required (this will be true for most Windows environments). Having such a rule already in place permits changes to a specific deny rule in memory, without having to reload the router, in the event of an internal outbreak. Should an attack occur, the network can be quickly segmented by modifying the rule. This allows an opportunity to mitigate the potential effects of a compromise. In the event of a compromise, ensure that TCP 135 outbound stays closed until all systems are cleaned.
Disabling DCOM is an effective method of preventing this particular exploit. This current vulnerability represents only one possible attack vector. Since the initial discovery, another vulnerability in DCOM was discovered and a denial of service attack crafted. It is possible that further research will result in other attack vectors. TruSecure recommends disabling DCOM as part of the Essential Configuration of Windows systems. Disabling DCOM prevents COM objects on one system from communicating with COM objects on another system, which may prevent proper functioning in some environments. Administrators can disable DCOM by setting the EnableDCOM REG_SZ value to "N" under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM
Administrators can also disable DCOM by performing the following:
* Run dcomcnfg.exe. Windows 2000, Windows XP and Windows Server 2003 users must perform the following additional steps:
  - Click on the Component Services node under Console Root.
  - Open the Computers subfolder.
  - For the local computer, right-click on My Computer and choose Properties.
  - For a remote computer, right-click on the Computers folder and choose New, then Computer. Enter the computer name. Right-click on the new computer name and choose Properties.
* Choose the Default Properties tab.
* Check or clear the "Enable Distributed COM on this Computer" check box to enable or disable DCOM.
* Click OK to apply the changes and exit dcomcnfg.exe.
If it is not possible to disable DCOM, then TruSecure recommends installation of the appropriate patch from Microsoft within the next 7 days. This should be seriously considered, particularly for systems which are outside of the corporate firewall environment.
Communication:
Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.
TruSecure Corporation provides information security assurance services, including TruSecure®, which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan, worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. Visit Security Solutions for further information on these services.
Disclaimer:
Copyright © 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to, warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.
Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.
IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.