Long-anticipated exploit code targeting the most recent Microsoft RPC vulnerabilities is circulating and can cause a denial-of-service on even patched Windows XP/2000 systems, experts say.
"The published exploit can carry out a denial of service across a range of versions, levels and language versions of Microsoft Windows 2000 and XP, and achieves remote code execution on unpatched systems," says an advisory from the U.K. National Infrastructure Security Co-ordination Centre (NISCC). "The 'universal' nature of the exploit may assist the development of a worm incorporating some of the attack techniques."
"While the current code can only inflict a DoS condition on the target system, it's conceivable that it could be modified in a manner that will permit the execution of arbitrary code," says Aaron Schaub, a security analyst at managed security services provider TruSecure Corp. in Herndon, Va.
The code exploits a slight variant of the RPCSS vulnerability documented in Microsoft Security Bulletin MS03-039. RPCSS is the Remote Procedure Call portmapper, the service that directs traffic to the different services that use RPC.
NISCC strongly recommends that all RPC calls are blocked at the organizational perimeter. Destination TCP/UDP ports 135-139, 445 and 593 should be blocked both inbound and outbound.
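The port list in the advisory, turned into a perimeter audit, as an added example that is not from the article, NISCC or Microsoft: it parses constructed flow records and flags any TCP or UDP traffic whose destination port is 135-139, 445 or 593, in either direction. The record format, field names and IP addresses are assumptions made for the example.

```python
"""Audit flow records against the RPC/DCOM block list from the NISCC advisory.

Added example, not code from the article or from NISCC.  The flow record
format ('proto src dst dport direction') and the sample addresses are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Destination ports the advisory recommends blocking, inbound and outbound.
RPC_BLOCKED_PORTS = frozenset(range(135, 140)) | frozenset({445, 593})
BLOCKED_PROTOCOLS = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str  # "in" or "out", relative to the organizational perimeter


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'proto src dst dport direction'."""
    proto, src, dst, dport, direction = line.split()
    return Flow(proto.lower(), src, dst, int(dport), direction.lower())


def should_block(flow: Flow) -> bool:
    """True when the flow matches the advisory's block list (TCP/UDP to 135-139, 445, 593)."""
    return flow.proto in BLOCKED_PROTOCOLS and flow.dport in RPC_BLOCKED_PORTS


def audit(lines: Iterable[str]) -> List[Flow]:
    """Return the flows a correctly filtered perimeter should have dropped.

    Blank lines and '#' comments in the record set are skipped.
    """
    flows = (parse_flow(l) for l in lines if l.strip() and not l.lstrip().startswith("#"))
    return [f for f in flows if should_block(f)]


# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    "# proto src dst dport direction",
    "tcp 198.51.100.7 192.0.2.10 135 in",    # RPC endpoint mapper: block
    "udp 198.51.100.7 192.0.2.10 137 in",    # NetBIOS name service: block
    "tcp 192.0.2.22 203.0.113.5 445 out",    # SMB over TCP, outbound: block
    "tcp 192.0.2.22 203.0.113.5 593 out",    # RPC over HTTP, outbound: block
    "tcp 198.51.100.7 192.0.2.10 443 in",    # HTTPS: allowed
    "tcp 192.0.2.22 203.0.113.5 80 out",     # HTTP: allowed
    "tcp 198.51.100.7 192.0.2.10 140 in",    # just outside the 135-139 range: allowed
]


if __name__ == "__main__":
    for hit in audit(SAMPLE_FLOWS):
        print(f"should have been dropped: {hit.proto}/{hit.dport} "
              f"{hit.src} -> {hit.dst} ({hit.direction}bound)")
```

Only the destination port is consulted, as the advisory specifies; the direction field is carried through so that outbound hits are reported alongside inbound ones, since NISCC asks for the ports to be blocked both ways.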
A patch was released to correct the "Buffer Overrun In RPCSS Service Could Allow Code Execution" (MS03-039) vulnerabilities, which deal with RPC messages for DCOM activation. According to Microsoft, two of the flaws could allow arbitrary code execution, and the third could result in a denial of service. The flaws affect Windows NT 4/2000/XP/Server 2003 and result from incorrect handling of malformed messages.
Many security experts have speculated that the release of a worm using this code could come at any time. In August, the prolific Blaster worm ripped through networks worldwide by exploiting a similar RPC/DCOM vulnerability for which a patch had been released more than three weeks before.