Exploit Code Targets Recent RPC Flaws

10-14-03, 06:28 PM
Long-anticipated exploit code targeting the most recent Microsoft RPC vulnerabilities is circulating and may compromise even patched XP systems. Other versions of Windows might be vulnerable but haven’t been tested.

“This code is a universal exploit, which means that it can be used against any version of Windows that is not patched,” says Aaron Schaub, a security analyst at intelligence firm TruSecure. “However, there have been unconfirmed reports that it will still work against Windows XP SP1 even with all additional security updates installed.”

The code exploits a slight variant in the RPCSS (the Remote Procedure Call portmapper, which directs traffic for different services using RPC) vulnerability documented in Microsoft Security Bulletin MS03-039.

Experts report seeing increased activity on TCP port 135, which is associated with the vulnerable service.

If the exploit works against fully patched Windows XP systems, the best defense against the attack is to turn off the service, if possible. Windows XP uses this service extensively and turning it off isn’t a viable option in many situations. If the service can’t be turned off, the use of firewalls or access control lists to restrict access to vulnerable systems can reduce the chances of attack, says Schaub.

A patch was released to correct the "Buffer Overrun In RPCSS Service Could Allow Code Execution" (MS03-039) vulnerabilities, which deal with RPC messages for DCOM activation. According to Microsoft, two of the flaws could allow arbitrary code execution, and the third could result in a denial of service. The flaws affect Windows NT 4/2000/XP/Server 2003 and result from incorrect handling of malformed messages.

Many security experts have speculated that the release of a worm using this code could come at any time. In August, the prolific Blaster worm ripped through networks worldwide by exploiting a similar RPC/DCOM vulnerability for which a patch had been released more than three weeks before.

10-16-03, 05:34 PM
Patched Microsoft Windows XP/2000 systems are vulnerable to a denial of service caused by RPC exploit code that began circulating last week. Unpatched NT 4/2000/XP/Server 2003 systems are vulnerable to the execution of arbitrary code.

"The published exploit can carry out a denial of service across a range of versions, levels and language versions of Microsoft Windows 2000/XP, and achieve remote code execution on unpatched systems," says an advisory from the U.K. National Infrastructure Security Co-ordination Centre (NISCC). "The 'universal' nature of the exploit may assist the development of a worm incorporating some of the attack techniques."

The code exploits a slight vulnerability variant in the RPC portmapper, which directs traffic for different services. The flaws result from incorrect handling of malformed messages.

NISCC strongly recommends that all RPC calls be blocked at the organizational perimeter. Destination TCP/UDP ports 135-139, 445 and 593 also should be blocked.
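As an added example, not part of the thread or of the NISCC advisory, the check below reads perimeter firewall log lines and reports which of the RPC/DCOM ports the advisory names (TCP/UDP 135-139, 445, 593) were still allowed through, plus per-source hit counts on TCP/135, the port where the article reports increased activity. The log format, the IP addresses and the function names are assumptions constructed for the example.

```python
# Added example, not from the article: audit constructed perimeter log lines
# for the RPC/DCOM ports NISCC recommends blocking (TCP/UDP 135-139, 445, 593).
import re
from collections import Counter

RPC_PORTS = set(range(135, 140)) | {445, 593}  # ports named in the advisory
# Constructed, simplified log format (not any vendor's):
# "<ts> <ALLOW|DENY> <TCP|UDP> <src_ip>:<sport> -> <dst_ip>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def audit_rpc_traffic(lines):
    """Tally RPC-port hits the perimeter ALLOWed vs DENYed, keyed by
    (proto, dport), plus per-source hit counts on TCP/135."""
    allowed, denied, port135_by_src = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in RPC_PORTS:
            continue  # unparsable, or not an RPC/DCOM port
        key = (rec["proto"], rec["dport"])
        (allowed if rec["action"] == "ALLOW" else denied)[key] += 1
        if key == ("TCP", 135):
            port135_by_src[rec["src"]] += 1
    return allowed, denied, port135_by_src

# Constructed sample lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "2003-10-15T10:00:01 ALLOW TCP 198.51.100.7:4021 -> 192.0.2.10:135",
    "2003-10-15T10:00:02 ALLOW TCP 198.51.100.7:4022 -> 192.0.2.11:135",
    "2003-10-15T10:00:03 DENY TCP 198.51.100.7:4023 -> 192.0.2.12:135",
    "2003-10-15T10:00:04 ALLOW UDP 198.51.100.9:1200 -> 192.0.2.10:137",
    "2003-10-15T10:00:05 ALLOW TCP 203.0.113.4:5100 -> 192.0.2.10:593",
    "2003-10-15T10:00:06 ALLOW TCP 203.0.113.4:5101 -> 192.0.2.10:80",
    "2003-10-15T10:00:07 DENY TCP 198.51.100.7:4024 -> 192.0.2.13:445",
]

if __name__ == "__main__":
    allowed, _denied, srcs = audit_rpc_traffic(SAMPLE_LOG)
    print("still ALLOWed (gaps):", dict(allowed), "| TCP/135 by src:", dict(srcs))
```

Any entry left in the `allowed` counter is a port the advisory says to block that the perimeter still passed; the TCP/135 tally by source is where a scan or worm sweep would show up first.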