SECURITY: New RPC flaw in Windows

By Matt Whipp

Posted on 15 Oct 2003 at 11:57

Security expert Integralis has warned of a new flaw discovered in Windows XP and 2000.

It exists in that apparently most fragile of technologies, the RPCSS service and the way RPC (remote procedure call) messages are handled by the DCOM (distributed component object model) element of the service. Already two vulnerabilities have been found in the service, which have been exploited to great effect by the Blaster virus.

Pete Philips, penetration tester with Integralis has advised: 'This is a new RPC issue and is notthe same as the recent MS03-026 or MS03-039. Microsoft has yet to release patches. In the meantime it would be wise to ensure that all of the [vulnerable] ports are blocked on machines facing hostile environments such as the Internet.'

This new RPC/DCOM flaw can be exploited by specially crafted data packets sent as an RPC message which could give an attacker access to a target machine with system privileges to run any code. It may also be used to simply crash the service and effectively take the machine offline.

Integralis warns that there is already publicly available code that will exploit the vulnerability and in tests has found it crashes RPCSS service on Windows 2000 and XP, even when patched with MS03-039 (Microsoft's patches issued for previous RPC flaws). Additionally, unpatched Windows 2000 systems can have code run on them.

The vulnerable ports are 135/tcp, 139/tcp, 445/tcp, 593/tcp, 135/udp, 137/udp, 138/udp and 445/udp.