| VID |
12044 |
| Severity |
40 |
| Port |
135 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The Windows system is vulnerable to a denial-of-service (DoS) and privilege escalation vulnerability in the RPC DCOM interface. Windows 2000 systems with SP3 or SP4 and Windows 2003 Server are affected by a denial-of-service vulnerability in the part of RPC that deals with message exchange over TCP/IP. The vulnerability results from incorrect handling of malformed messages. To exploit this vulnerability, a remote attacker can send malformed messages to the DCOM __RemoteGetClassObject interface, which can crash the RPC service and cause all services and applications that depend on the RPC service to behave abnormally. If a remote attacker has an account, he can hijack the epmapper pipe and port 135 to escalate privileges after the RPC service has crashed.
* Note: The RPC service of the Windows system will have been crashed by this check. Rebooting the system is therefore required to regain normal functionality.
* References: http://www.securityfocus.com/archive/1/329755 http://archives.neohapsis.com/archives/bugtraq/2003-07/0255.html
* Platforms Affected: Windows 2000 SP3, SP4; Windows 2003 Server |
| Recommendation |
Apply the appropriate patch for your system, as listed in Microsoft's security bulletin MS03-039 at http://www.microsoft.com/technet/security/bulletin/ms03-039.asp
-- OR --
Patches for Windows platforms are also available from the Microsoft Windows Update Web site, http://windowsupdate.microsoft.com. Windows Update detects what version of Windows you are running and offers the appropriate patch.
Workarounds:
Block port 135 (139, 445, 593) at your firewall. For Windows XP or Windows Server 2003, you can use the Internet Connection Firewall to block inbound RPC traffic from the Internet by default.
-- OR --
Disable DCOM on all affected machines.
1. Run Dcomcnfg.exe via Run from the Start menu. For Windows XP or Windows Server 2003, perform these additional steps:
   1) Click on the Component Services node under Console Root and open the Computers sub-folder.
   2) For the local computer, right-click on My Computer and choose Properties.
   3) For a remote computer, right-click on the Computers folder and choose New, then Computer. Enter the computer name. Right-click on that computer name and choose Properties.
2. Choose the <Default Properties> tab.
3. Select (or clear) the "Enable Distributed COM on this Computer" check box.
If DCOM is disabled, all communication between objects on that computer and objects on other computers will be disabled. If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer. |
| Related URL |
CVE-2003-0715,CVE-2003-0528,CVE-2003-0605 (CVE) |
| Related URL |
8458 (SecurityFocus) |
| Related URL |
12679 (ISS) |
|