Windows RPC DCOM Interface Buffer Overflow Vulnerability - Secunia Advisories - Vulnerability Intelligence

Windows RPC DCOM Interface Buffer Overflow Vulnerability
Secunia Advisory:	SA9287	Advisory Toolbox: Issue ticket Save in to-do list Mark as handled Exploit information Download as PDF Review actions Add comment
Release Date:	2003-07-16
Last Update:	2003-09-23
Popularity:	19,916 views

Critical:	Moderately critical
Impact:	System access
Where:	From local network
Solution Status:	Vendor Patch

OS:	Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Professional Microsoft Windows 2000 Server Microsoft Windows NT 4.0 Server Microsoft Windows NT 4.0 Server, Terminal Server Edition Microsoft Windows NT 4.0 Workstation Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Web Edition Microsoft Windows XP Home Edition Microsoft Windows XP Professional

Subscribe:	Instant alerts on relevant vulnerabilities

CVE reference:	CVE-2003-0352

Description: A vulnerability has been identified in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. The cause of the vulnerability is twofold. The RPC service performs inadequate input validation before passing data to a DCOM (Distributed Component Object Model) interface. This interface has a boundary error in the "CoGetInstanceFromFile" API when handling the "szName" parameter, which can be exploited by sending a RPC packet containing an overly long, specially crafted filename. Successful exploitation may cause a buffer overflow allowing execution of arbitrary code on the vulnerable system with "LocalSystem" privileges. It has been reported that this vulnerability may be exploited through the following ports: 135/udp, 135/tcp, 139/tcp, 445/tcp, 593/tcp Depending on your configuration, other RPC enabled ports could possibly open attack vectors too. Solution: Apply patch via WindowsUpdate or manually (NOTE: Reportedly, the patch for Windows 2000 doesn't fix the vulnerability adequately). Windows NT 4.0 (requires SP6a installed): http://microsoft.com/downloads/detail...-BDBF-DF77A0B9303F&displaylang=en Windows NT 4.0 Terminal Server Edition (requires SP6 installed): http://microsoft.com/downloads/detail...-A3C1-C9FAD2DC65CA&displaylang=en Windows 2000 (requires SP3 or SP4 installed): http://microsoft.com/downloads/detail...-8C9F-220354449117&displaylang=en Windows XP 32 bit Edition: http://microsoft.com/downloads/detail...-9532-3DE40F69C074&displaylang=en Windows XP 64 bit Edition: http://microsoft.com/downloads/detail...-80E3-C347ADCC4DF1&displaylang=en Windows Server 2003 32 bit Edition: http://microsoft.com/downloads/detail...-9009-3A212458E92E&displaylang=en Windows Server 2003 64 bit Edition: http://microsoft.com/downloads/detail...-995F-017E35692BC7&displaylang=en Provided and/or discovered by: The Last Stage of Delirium Research Group Changelog: 2003-07-17: Reference to CERT vulnerability note added. 2003-07-18: Error in "Solution" corrected. The patch for Windows NT 4.0 also covers Workstation even though this version is no longer supported (see "Other References"). Also, the links to patches for Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition were accidently switched. 2003-07-23: Updated information regarding ports, which could open for an attack. 2003-07-30: Multiple sources report that the patch for Windows 2000 may not adequately fix the vulnerability. 2003-09-23: Updated "Description" section adding more details. Original Advisory: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp Other References: Windows NT 4.0 Workstation end of life announcement: http://support.microsoft.com/default.aspx?scid=fh;[LN];LifeAn5 CERT vulnerability note: http://www.kb.cert.org/vuls/id/568148

Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released. Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Latest Advisories

2nd Dec, 2008

New advisories:	14
New vulnerabilities:	21
Updated advisories:	26

Less // 393 views

Linksys WRT160N Cross-Site Scripting Vulnerability

Less // 374 views

IBM Rational ClearQuest Multiple Vulnerabilities

Not // 298 views

Debian update for flamethrower

Not // 287 views

flamethrower Insecure Temporary Files

Less // 345 views

IBM Rational ClearCase Cross-Site Scripting Vulnerability

Not // 334 views

DAHDI "ZT_SPANCONFIG" IOCTL Privilege Escalation Vulnerability

Not // 328 views

Zaptel "ZT_SPANCONFIG" IOCTL Privilege Escalation Vulnerabilities

Moderately // 317 views

Rumpus Multiple Vulnerabilities

Less // 332 views

bcoos "cid" SQL Injection Vulnerability

Moderately // 348 views

ASP Portal "ASPPortal.mdb" Database Disclosure Security Issue

Solutions | More...

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome.