Exploit code for a critical Windows RPC vulnerability was posted to several security lists late last week by a Chinese technology research group. The availability of the code would allow virtually anyone to exploit the vulnerability, which was first announced 12 days ago.
"Now that it's been disclosed, there will be many, many versions of it out there," said Russ Cooper, surgeon general of Herndon, Va.-based TruSecure Corp.
The vulnerability lies in the way Remote Procedure Call (RPC) is implemented in most versions of Windows. The flaw is in the Distributed Component Object Model (DCOM) interface to RPC, which listens on TCP/IP port 135 and other ports. Exploiting it through those ports triggers a buffer overflow that could allow remote attackers to run commands with the highest system privileges. The flaw is found in Windows NT, 2000 and XP, as well as Windows Server 2003. Microsoft has released a patch for the flaw.
Members of Xfocus, a technology research group based in China, posted copies of the exploit code to vulnerability mailing lists over the weekend. When the flaw was announced July 16, Last Stage of Delirium, the group that discovered it, declined to release its exploit code because the flaw was so severe.
"The exploitation of this vulnerability is not trivial," members of LSD said in an e-mail interview with SearchSecurity.com. "In order to exploit this vulnerability, one would definitely require appropriate experience in working with internals of Windows operating systems."
The technical savvy required to create a worm that takes advantage of the vulnerability is much less now that the exploit code is available. Instead of having to craft the precise packets needed to trigger the buffer overflow, would-be worm writers would only have to integrate the posted code into their creations.
Since the RPC vulnerability was first announced, experts have predicted it will likely be used to create a network worm, which could infect systems without any end-user interaction. They compared it to the flaw in Microsoft's SQL Server, which was exploited by the SQL Slammer worm in January. "In both cases, there were ports open externally that never should have been," said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force.
TruSecure's Cooper suggests that users do two things to prevent exploitation: block TCP/IP port 135 and turn off DCOM. "If you can't do these, then I recommend patching your system within the next seven days," he said.
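As an added example (not code from the article, TruSecure or Microsoft), the script below reviews firewall logs to confirm whether the first of Cooper's two recommendations actually took effect: it reports accepted TCP connections to port 135 that came from outside the organisation's own address space. The log lines, the iptables-style format with an ACCEPT/DROP prefix, and the address ranges treated as "ours" are all constructed assumptions; adapt the regex and OWN_NETS to your own firewall.

```python
import ipaddress
import re
from collections import Counter

# Constructed iptables-style firewall log lines; addresses are documentation
# ranges (RFC 5737), not real hosts. The log prefix carries the verdict.
SAMPLE_LOG = """\
Jul 28 09:14:02 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3391 DPT=135
Jul 28 09:14:03 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=3392 DPT=135
Jul 28 09:14:05 fw1 kernel: ACCEPT IN=eth1 OUT= SRC=10.1.2.3 DST=10.1.2.20 PROTO=TCP SPT=1100 DPT=135
Jul 28 09:14:07 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4400 DPT=135
Jul 28 09:14:09 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3393 DPT=80
"""

# Address space we treat as "ours" (assumption): RFC 1918 plus a constructed
# public block. Anything else is an external source.
OWN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]

LINE_RE = re.compile(
    r"(?P<verdict>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def is_own(addr, nets=OWN_NETS):
    """True if addr falls inside one of our own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_line(line):
    """Extract verdict, endpoints and ports from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_exposed_rpc(log_text, port=135, nets=OWN_NETS):
    """Return accepted TCP connections to `port` whose source is outside `nets`.

    Dropped packets and internal-to-internal traffic are ignored: only an
    ACCEPT from an external address proves the port is still reachable.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["verdict"] == "ACCEPT" and rec["proto"] == "TCP"
                and rec["dpt"] == port and not is_own(rec["src"], nets)):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count accepted external hits per (source, destination) pair."""
    return Counter((h["src"], h["dst"]) for h in hits)


if __name__ == "__main__":
    for (src, dst), n in summarize(find_exposed_rpc(SAMPLE_LOG)).items():
        print(f"{src} reached {dst}:135 {n} time(s) -- port 135 is still exposed")
```

Run against a day of real logs, an empty result is the evidence that the port-135 block is in place; any hit names the hosts that still need the filter, DCOM turned off, or the patch.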