MSRPC: DCOM Exploit (2)

This signature detects attempts to exploit a known vulnerability in Microsoft Windows Remote Procedure Call (RPC) system. Windows 2000 and XP are vulnerable. RPC is an operating system component that enables remote computers to request actions or services. For example, file and print sharing from the local Windows system. Attackers, using dcom.c can send too much data to the RPC process, causing the local system to grant full access to the remote computer. The W32.Blaster and Nachi/Welchia worms can also be detected or blocked using this signature.

Extended Description

A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious instructions with Local System privileges on an affected system. This issue may be exposed on other ports that the RPC Endpoint Mapper listens on, such as TCP ports 139, 135, 445 and 593. This has not been confirmed. Under some configurations the Endpoint Mapper may receive traffic via port 80. ** There have been unconfirmed reports that Windows 9x systems with certain software installed may also be vulnerable to this issue. Reportedly, Windows 98 systems with .NET software installed may be vulnerable according to scans using various DCOM RPC vulnerability scanning tools. Symantec has not confirmed this behaviour and it may in fact be due to false positives generated by the scanners.

Affected Products

Cisco sn_5420_storage_router,Cisco call_manager

References

BugTraq: 8205

CVE: CVE-2003-0352

URL: http://www.kb.cert.org/vuls/id/568148 http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Short Name

MS-RPC:DCOM:EXPLOIT-2

Severity

Critical

Recommended

False

Recommended Action

Drop

MSRPC: DCOM Exploit (2)

Extended Description

Affected Products

References

Found a potential security threat?