Windows RPC exploit code published


re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci916409,00.html
"Exploit code for a critical Windows RPC vulnerability was posted to several security lists late last week by a Chinese technology research group. The availability of the code would allow virtually anyone to exploit the vulnerability, which was first announced 12 days ago.
    "Now that it's been disclosed, there will be many, many versions of it out there," said Russ Cooper, surgeon general of Herndon, Va.-based TruSecure Corp.
    The vulnerability lies in the way Remote Procedure Call (RPC) is implemented in most versions of Windows. The flaw involves the Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135 and other ports. When exploited via those ports, a buffer overflow is created that could allow remote attackers to run commands with the highest system privileges. The flaw is found in Windows NT, XP and 2000, as well as Windows Server 2003. Microsoft has released a patch for the flaw.
    Members of Xfocus, a technology research group based in China, posted copies of the exploit code to vulnerability mailing lists over the weekend. When the flaw was announced July 16, Last Stage of Delirium, the group that discovered it, declined to release its exploit code because the flaw was so severe.
...

    TruSecure's Cooper suggests that users do two things to prevent exploitation: block TCP/IP port 135 and turn off DCOM. "If you can't do these, then I recommend patching your system within the next seven days," he said."
Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************


