[Dshield] New Microsoft Windows RPC vulnerability

wbeckham wbeckham at yahoo.com
Wed Sep 10 17:33:42 GMT 2003

I got this from TruSecure.

Microsoft has released a security bulletin, MS 03-039 that addresses a
vulnerability in the RPC/DCOM, similar to that responsible for the MS
Blaster/Lovsan event.  In this case it may be possible to use Internet
services as an attack vector including port 80 traffic.  RPC over HTTP is a
protocol for using port 80 (destination) and ephemeral
(source) for performing RPC calls across the Internet. If enabled, clients
initiate a call to a port 80-based RPC server and receive the RPC
instructions over whatever source port they used.

This vulnerability could allow a remote user to execute arbitrary code under
the Local System privilege.

The Microsoft tool that can be used to scan a network for the presence of
either the MS 03-026 patch, may report inconsistent findings if the MS
03-039 patch has been installed.  However,  the MS 03-039 patch supercedes
the MS 03-026 patch, and should be used in lieu of the MS 03-026 patch.

While there are not yet exploits in the wild, proactively applying this
patch may prevent another Loosen type of worm outbreak.

Mitigating factors:
- - TruSecure's default-deny essential practice, of blocking all unnecessary
ports both inbound and outbound will help to mitigate an exploit of this

- - Applying the patch referenced in MS 03-039

- - Other mitigations and recommendations will be provided as TruSecure
learns more about the changing risk that this bulletin may impact.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Keith Bergen
Sent: Wednesday, September 10, 2003 10:13 AM
To: General DShield Discussion List
Subject: Re: [Dshield] New Microsoft Windows RPC vulnerability

What exactly is the update. All Microsoft says is that it is 
a security update to a fault that would allow somebody to run 
code. I don't see anything there that explains what exactly 
they are patching.


---- Original message ----
>Date: Wed, 10 Sep 2003 12:56:10 -0400
>From: "Johannes B. Ullrich" <jullrich at sans.org>
>Subject: [Dshield] New Microsoft Windows RPC vulnerability  
>To: list at dshield.org
>MSFT just released a new bulletin:
>Happy patching.
>(To celebrate this, I will allow a few anti MSFT, pro Linux 
>SANS - Internet Storm Center
>PGP Key: http://isc.sans.org/jullrich.txt
>signature.asc 1k bytes
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list