CERT® Advisory CA-2003-16 Buffer Overflow in Microsoft RPCOriginal release date: July 17, 2003
Last revised: Fri Aug 8 13:11 EDT 2003
A complete revision history is at the end of this file.
A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
I. DescriptionThere is a buffer overflow in Microsoft's RPC implementation. According to Microsoft Security Bulletin MS03-026, "There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server."
II. ImpactA remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges or to cause a denial of service.
Apply a patch from your vendor
Apply the appropriate patch as specified by >Microsoft Security Bulletin MS03-026.
Appendix A contains additional information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments. Please contact your vendor directly.
You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 135, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability, but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments.
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-026.
This vulnerability was discovered by The Last Stage of Delirium Research Group. Microsoft has published Microsoft Security Bulletin MS03-026, upon which this document is largely based.
Author: Ian A. Finlay
This document is available from: http://www.cert.org/advisories/CA-2003-16.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.