Buffer Overrun in Microsoft Windows RPC Sub-System Service Could Allow Code Execution
Original Issue Date: September 11, 2003
Severity Rating: High
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Systems Not Affected
These vulnerabilities result because the Windows RPCSS service does not properly check message inputs under certain circumstances. After establishing a connection, an attacker could send a specially crafted malformed RPC message to cause the underlying Distributed Component Object Model (DCOM) activation infrastructure in the RPCSS Service on the remote system to fail in such a way that arbitrary code could be executed.
A flaw exists in the part of the RPCSS Service that deals with RPC messages for DCOM activation. The failure results from incorrect handling of malformed messages. It affects the underlying RPCSS Service used for DCOM activation, which listens on UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593. Additionally, it can listen on ports 80 and 443 if COM Internet Services (CIS) or RPC over HTTP is enabled.
There are three identified vulnerabilities in the part of the RPCSS Service that deals with DCOM activation: two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the DCOM interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another. To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system, targeting the RPCSS Service. An attacker who successfully exploited these vulnerabilities could run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail.
Apply the appropriate patch as specified by Microsoft Security Bulletin
Note: The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026 and CERT-In Advisory CIAD-2003-0009. It includes the fix for the security vulnerability (Buffer Overrun in RPC Interface) discussed therein as well as the newly discovered vulnerabilities mentioned in this advisory.
CERT-In strongly recommends that users check their Windows-based systems for critical updates regularly at
These workarounds should be considered temporary measures, as they only block paths of attack rather than correcting the underlying vulnerability. It is recommended that the patches mentioned in MS03-039 be applied immediately.
- Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at the firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems.
- Use a personal firewall such as Internet Connection Firewall (only available on XP and Windows Server 2003) and disable COM Internet Services (CIS) and RPC over HTTP on the affected machines, especially any machines that connect to a corporate network remotely using a VPN or similar.
- Block the affected ports using an IPSEC filter and disable COM Internet Services (CIS) and RPC over HTTP.
- Disable DCOM on all affected machines
When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. DCOM can be disabled for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.
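The following is an added example, not part of this CERT-In advisory or of any Microsoft tool, showing one way to confirm that the port-blocking workarounds above are actually taking effect. It reads firewall log records in the W3C-style format written by Internet Connection Firewall (the field list and the OPEN/DROP action names are assumed from that format), filters them down to the RPCSS/DCOM ports listed in this advisory, and reports which inbound connections to those ports were dropped and which were still allowed. The log lines embedded below are constructed sample data; the hosts and addresses are documentation ranges, not real systems.

```python
"""Summarize firewall log records hitting the RPC/DCOM ports named in the advisory.

Added example, not part of the advisory. Assumes the W3C-style pfirewall.log
layout of Internet Connection Firewall (header lines start with '#', one
record per line, fields as listed in the '#Fields:' header). Sample log lines
below are constructed.
"""
from collections import defaultdict

# Ports the advisory lists for the RPCSS / DCOM activation path.
AFFECTED_UDP_PORTS = {135, 137, 138, 445}
AFFECTED_TCP_PORTS = {135, 139, 445, 593}
# Ports that only expose RPCSS when COM Internet Services / RPC over HTTP is on.
CIS_TCP_PORTS = {80, 443}

# Default field list, used only if the log has no '#Fields:' header.
DEFAULT_FIELDS = ["date", "time", "action", "protocol", "src-ip", "dst-ip",
                  "src-port", "dst-port", "size", "tcpflags", "tcpsyn",
                  "tcpack", "tcpwin", "icmptype", "icmpcode", "info"]

# Constructed sample log: two attempts dropped, one to TCP 445 allowed through,
# one to TCP 80 (only relevant if CIS is enabled), one to an unrelated port.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-09-12 09:14:02 DROP TCP 192.0.2.10 198.51.100.5 3422 135 48 S 1234567 0 65535 - - -
2003-09-12 09:14:03 OPEN TCP 192.0.2.10 198.51.100.5 3423 445 - - - - - - - -
2003-09-12 09:14:05 DROP UDP 192.0.2.11 198.51.100.5 1026 135 78 - - - - - - -
2003-09-12 09:14:09 OPEN TCP 192.0.2.12 198.51.100.5 3510 80 - - - - - - - -
2003-09-12 09:14:10 DROP TCP 192.0.2.13 198.51.100.5 3600 22 48 S 7654321 0 65535 - - -
2003-09-12 09:14:11 DROP ICMP 192.0.2.14 198.51.100.5 - - 60 - - - - 8 0 -
"""


def parse_log(text):
    """Yield one dict per record line, keyed by the names in the #Fields header."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # take field names from the log itself
            continue
        if line.startswith("#"):
            continue                    # other header/comment lines
        yield dict(zip(fields, line.split()))


def is_affected(protocol, port, cis_enabled=False):
    """True if traffic to protocol/port reaches the RPCSS surface the advisory describes."""
    if protocol == "UDP":
        return port in AFFECTED_UDP_PORTS
    if protocol == "TCP":
        return port in AFFECTED_TCP_PORTS or (cis_enabled and port in CIS_TCP_PORTS)
    return False


def summarize(text, cis_enabled=False):
    """Count DROP/OPEN per affected (protocol, port) and list sources that got through.

    Returns (counts, allowed) where counts maps (proto, port) -> {"DROP": n, "OPEN": n}
    and allowed is a list of (src-ip, proto, port) for records with action OPEN.
    """
    counts = defaultdict(lambda: {"DROP": 0, "OPEN": 0})
    allowed = []
    for rec in parse_log(text):
        try:
            port = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue                    # ICMP or malformed record: no destination port
        proto = rec.get("protocol")
        if not is_affected(proto, port, cis_enabled):
            continue
        action = rec.get("action")
        if action in counts[(proto, port)]:
            counts[(proto, port)][action] += 1
        if action == "OPEN":
            allowed.append((rec["src-ip"], proto, port))
    return dict(counts), allowed


if __name__ == "__main__":
    counts, allowed = summarize(SAMPLE_LOG, cis_enabled=False)
    for (proto, port), c in sorted(counts.items()):
        print(f"{proto} {port}: dropped={c['DROP']} allowed={c['OPEN']}")
    for src, proto, port in allowed:
        print(f"WARNING: {src} reached {proto}/{port}; workaround not effective here")
```

Run against the real pfirewall.log of a machine that is supposed to be blocking these ports; any entry in the allowed list means a path to RPCSS is still open and the filter rule needs attention. Pass cis_enabled=True on hosts where COM Internet Services or RPC over HTTP has not been disabled, so that ports 80 and 443 are included in the check.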
Microsoft has released a tool, which will verify whether the patch provided in MS03-039 has been applied to a system. It can be found at the following location:
Microsoft Security Bulletin MS03-039
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003