Buffer Overflow in Microsoft RPC
Last revised: Fri Aug 8 13:11 EDT 2003
A complete revision history is at the end of this file.
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
I. DescriptionThere is a buffer overflow in Microsoft's RPC implementation. According to Microsoft Security Bulletin MS03-026, "There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server."
II. ImpactA remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges or to cause a denial of service.
Apply a patch from your vendor
Apply the appropriate patch as specified by >Microsoft Security Bulletin MS03-026.
Appendix A contains additional information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments. Please contact your vendor directly.
You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 135, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability, but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments.
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-026.
Nortel Networks Response to CERT Advisory CA-2003-16 - Buffer Overflow in Microsoft RPC
Nortel Networks supplies and supports both integrated and non-integrated solutions to its customers. We are taking this opportunity to complement CERT and Microsoft information with information specific to the potential impact of this vulnerability on Nortel Networks products and solutions. As well we indicate how Nortel Networks products can be used to help effect the mitigation procedures recommended both by CERT and Microsoft.
A limited number of Nortel Networks products and solutions are potentially affected by this issue, and the nature of these products and solutions tends to place them within a private network. Accordingly, if network perimeter protection is employed as recommended by both CERT and Microsoft (i.e. blocking access to TCP & UDP ports 135, 139, and 445) these products and solutions should not be vulnerable to attacks from the public Internet.
Nortel Networks would like to inform its customers and partners of efforts currently under way to respond to this issue:
Embedded Operating Systems
Some Nortel Networks products employ embedded Windows Operating Systems identified by Microsoft as vulnerable; Product Technical Bulletins and patches are being developed.
Applications on Windows Operating Systems
Some Nortel Networks applications reside on Windows Operating Systems identified by Microsoft as vulnerable; the corresponding Microsoft patches are being tested against the Nortel Networks applications to confirm that their functionality will not be impacted.
Clients on Windows Operating Systems
Some Nortel Networks clients reside on workstations supplied by others, with Windows Operating Systems identified by Microsoft as vulnerable; Nortel Networks recommends that customers follow the recommendations of CERT and Microsoft and apply the appropriate patches.
Nortel Networks Routing Products to be used for Port Blocking
Nortel Networks routing products are not vulnerable to this issue, but may be configured to protect customer networks by blocking access to TCP & UDP ports 135, 139, and 445 at the network edge, as recommended by CERT and Microsoft. Product-specific instructions for port blocking configuration are available for the following Nortel products:
- Passport 6000
- Alteon Switched Firewall
- Passport 8600
Nortel Networks Product Status
The following products, which in some way rely on a Microsoft operating system, have been reviewed or are under review. Other products may be added.
- Succession Multi-service Gateway 4000
- Interactive Multimedia Server
- Communication Server for Enterprise -- Multimedia Exchange
- Multimedia PC Client
- Optivity Telephony Manager
- Optivity NetID
- Optivity Policy Services
- Optivity Switch Manager
- Contivity Configuration Manager
- Symposium including TAPI ICM
- Business Communications Manager
- International Centrex-IP
- Periphonics with OSCAR Speech Server
- Alteon Security Manager
- Network Configuration Manager for BCM
- Preside Site Manager
- Preside System Manager Interface
If you have a Nortel Networks product which is not noted on the list above, we are currently reviewing our extended product families to identify if they use components of the Microsoft Operating System and will issue an updated list as soon as new information is available.
For more information please contactNorth America: 1-800-4NORTEL or 1-800-466-7835 Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Contacts for other regions are available at
Or visit the eService portal at <http://www.nortelnetworks.com/cs> under Advanced Search.
If you are a channel partner, more information can be found under <http://www.nortelnetworks.com/pic> under Advanced Search.
This vulnerability was discovered by The Last Stage of Delirium Research Group. Microsoft has published Microsoft Security Bulletin MS03-026, upon which this document is largely based.
Author: Ian A. Finlay
Copyright 2003 Carnegie Mellon University.
Jul 17, 2003: Initial release
Jul 21, 2003: Revised Restrict access in Solution section to add additional ports to block
Aug 2, 2003: Added Appendix A - Vendor Information
Aug 2, 2003: Added Nortel Vendor Statement from 08/01/2003
Aug 8, 2003: Added Disable DCOM workaround to Solution section.