[NT] Vulnerability in RPC Runtime Library Allows Information Disclosure and DoS (MS04-029)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Vulnerability in RPC Runtime Library Allows Information Disclosure and DoS 
(MS04-029)
------------------------------------------------------------------------


SUMMARY

An information disclosure and denial of service vulnerability exists when 
the RPC Runtime Library processes specially crafted messages. An attacker 
who successfully exploited this vulnerability could potentially read 
portions of active memory or cause the affected system to stop responding.

DETAILS

Vulnerable Systems:
 * Microsoft Windows NT Server 4.0 Service Pack 6a -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AE32474A-CB72-4044-B97F-A2BAD2CD5D97>
 Download the update

 * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 
-  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=80A543A6-9D5E-4954-80CD-F706F9B284BA>
 Download the update

Immune Systems:
 * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 
Service Pack 4
 * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP 64-Bit Edition Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Version 2003
 * Microsoft Windows Server 2003
 * Microsoft Windows Server 2003 64-Bit Edition
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (ME)

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0569> 
CAN-2004-0569

Mitigating Factors for RPC Runtime Library Vulnerability
 * Firewall best practices and standard default firewall configurations 
can help protect networks from attacks that originate outside the 
enterprise perimeter. Best practices recommend that systems that are 
connected to the Internet have a minimal number of ports exposed.

Workarounds for RPC Runtime Library Vulnerability
Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
below.
 * Block the following at the firewall:
   * UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 
593
   * All unsolicited inbound traffic on ports greater than 1024
   * Any other specifically configured RPC port
   * If installed, COM Internet Services (CIS) or RPC over HTTP, which 
listen on ports 80 and 443

These ports are used to initiate a connection with RPC. Blocking them at 
the firewall will help prevent systems that are behind that firewall from 
attempts to exploit this vulnerability. Also, make sure that you block any 
other specifically configured RPC port on the remote system. We recommend 
that you block all unsolicited inbound communication from the Internet to 
help prevent attacks that may use other ports. For more information about 
the ports that RPC uses, visit the following Web site. For more 
information about how to disable CIS, see Microsoft Knowledge Base Article 
 <http://support.microsoft.com/default.aspx?scid=kb;en-us;825819> 825819.

 * Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound 
traffic. For additional information about how to configure TCP/IP 
filtering, see Microsoft Knowledge Base Article  
<http://support.microsoft.com/default.aspx?scid=kb;en-us;309798> 309798.

 * Block the affected ports by using IPSec on the affected systems.
Use Internet Protocol Security (IPSec) to help protect network 
communications. Detailed information about IPSec and how to apply filters 
is available in Microsoft Knowledge Base Articles  
<http://support.microsoft.com/default.aspx?scid=kb;en-us;313190> 313190 
and  <http://support.microsoft.com/?id=813878> 813878.

FAQ for RPC Runtime Library Vulnerability
What is the scope of the vulnerability ?
This is an information disclosure and denial of service vulnerability. An 
attacker who successfully exploited this vulnerability could potentially 
read portions of active memory or cause the affected system to stop 
responding.

What causes the vulnerability ?
An unchecked buffer in the RPC Runtime Library.

What is Remote Procedure Call (RPC) ?
Remote Procedure Call (RPC) is a protocol that the Windows operating 
system uses. RPC provides an interprocess communication mechanism that 
allows a program that is running on one system to access services 
seamlessly on another system. The protocol is derived from the Open 
Software Foundation (OSF) RPC protocol, with the addition of some 
Microsoft-specific extensions.

What is the RPC Runtime Library ?
By default, the RPC Runtime Library is installed on all affected systems. 
The RPC Runtime Library provides services such as communication services, 
directory services, and security services to application developers. For 
more information about the RPC Runtime Library, visit the following  
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/developing_32_bit_windows_applications.asp>
 MSDN Library Web site.

What might an attacker use the vulnerability to do ?
An attacker who successfully exploited this vulnerability could cause the 
affected system to stop responding or potentially read portions of active 
memory.

Who could exploit the vulnerability ?
Any anonymous user who can deliver a series of specially crafted messages 
to the affected system could attempt to exploit this vulnerability. By 
default, this ability is enabled on the affected systems. Therefore, any 
user who can establish a connection to an affected system could attempt to 
exploit this vulnerability.

How could an attacker exploit the vulnerability ?
An attacker could exploit this vulnerability by creating a series of 
specially crafted network messages and sending the messages to an affected 
system.

An attacker could also access the affected component through another 
vector. For example, an attacker could log on to the system interactively 
or by using another program that passes parameters to the vulnerable 
component (locally or remotely).

Could the vulnerability be exploited over the Internet ?
Yes. An attacker may be able to exploit this vulnerability over the 
Internet. Firewall best practices and standard default firewall 
configurations can help protect against attacks that originate from the 
Internet. Microsoft has provided information on how you can help protect 
your PC. IT Professionals can visit the  
<http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center 
Web site.

What does the update do ?
The update removes the vulnerability by modifying the way that RPC Runtime 
Library validates the length of a message before it passes the message to 
the allocated buffer.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed ?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information 
indicating that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited ?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.

How does this vulnerability relate to the RPC vulnerabilities that are 
addressed by MS04-012 ?
Both security bulletins are related to RPC components. However, this 
update addresses a new vulnerability that was not addressed as part of 
MS04-012. MS04-012 helps protect against the vulnerabilities that are 
discussed in that bulletin, but does not address this new vulnerability. 
This update does not replace MS04-012. You must install this update and 
the update provided as part of the MS04-012 security bulletin to help 
protect your system against the vulnerabilities addressed by each security 
bulletin.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:  
<http://www.microsoft.com/technet/security/bulletin/MS04-029.mspx> 
http://www.microsoft.com/technet/security/bulletin/MS04-029.mspx



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.