Windows RPC exploit code published

By Edward Hurley, SearchSecurity.com News Writer
28 Jul 2003 | SearchSecurity.com

Exploit code for a critical Windows RPC vulnerability was posted to several security lists late last week by a Chinese technology research group. The availability of the code would allow virtually anyone to exploit the vulnerability, which was first announced 12 days ago.

"Now that it's been disclosed, there will be many, many versions of it out there," said Russ Cooper, surgeon general of Herndon, Va.-based TruSecure Corp.

The vulnerability lies in the way Remote Procedure Call (RPC) is implemented in most versions of Windows. The flaw involves the Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135 and other ports. Exploiting the flaw through those ports triggers a buffer overflow that could allow remote attackers to run commands with the highest system privileges. The flaw is found in Windows NT, XP and 2000, as well as Windows Server 2003. Microsoft has released a patch for the flaw.

Members of Xfocus, a technology research group based in China, posted copies of the exploit code to vulnerability mailing lists over the weekend. When the flaw was announced July 16, Last Stage of Delirium, the group that discovered it, declined to release its exploit code because the flaw was so severe.

"The exploitation of this vulnerability is not trivial," members of LSD said in an e-mail interview with SearchSecurity.com. "In order to exploit this vulnerability, one would definitely require appropriate experience in working with internals of Windows operating systems."

The technical savvy required to create a worm that takes advantage of the vulnerability is much less now that the exploit code is available. Instead of having to craft the precise packets needed to trigger the buffer overflow, would-be worm writers would only have to integrate the posted code into their creations.

Since the RPC vulnerability was first announced, experts have predicted it will likely be used to create a network worm, which could infect systems without any end-user interaction. They compared it to the flaw in Microsoft's SQL Server, which was exploited by the SQL Slammer worm in January. "In both cases, there were ports open externally that never should have been," said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force.

TruSecure's Cooper suggests that users do two things to prevent exploitation: block TCP/IP port 135 and turn off DCOM. "If you can't do these, then I recommend patching your system within the next seven days," he said.
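One way to confirm that the port 135 block described above is holding is to review firewall logs for outside connections to that port. The script below is an added example, not part of the original article or any vendor tooling. It assumes a Windows Firewall `pfirewall.log` layout with a `#Fields:` header, and the sample records and internal address ranges are constructed for illustration.

```python
import ipaddress

# Assumption: ranges treated as internal; adjust to the audited network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the Windows Firewall pfirewall.log layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2003-07-28 09:14:02 ALLOW TCP 203.0.113.45 192.168.1.20 3312 135 48 S 1046886011 0 16384 - - - RECEIVE
2003-07-28 09:14:05 DROP TCP 198.51.100.7 192.168.1.20 4120 135 48 S 981245330 0 16384 - - - RECEIVE
2003-07-28 09:15:11 ALLOW TCP 192.168.1.31 192.168.1.20 1187 135 48 S 771203984 0 16384 - - - RECEIVE
2003-07-28 09:16:40 ALLOW TCP 203.0.113.45 192.168.1.20 3320 445 48 S 1046990100 0 16384 - - - RECEIVE
2003-07-28 09:17:03 ALLOW UDP 203.0.113.45 192.168.1.20 3400 135 60 - - - - - - - RECEIVE
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def external_rpc_hits(log_text, port="135"):
    """Group TCP connections to `port` from non-internal sources by firewall action."""
    hits = {"ALLOW": [], "DROP": []}
    for rec in parse(log_text):
        if rec["protocol"] != "TCP" or rec["dst-port"] != port:
            continue
        if rec["action"] not in hits or is_internal(rec["src-ip"]):
            continue
        hits[rec["action"]].append((rec["date"], rec["time"], rec["src-ip"], rec["dst-ip"]))
    return hits

if __name__ == "__main__":
    result = external_rpc_hits(SAMPLE_LOG)
    for date, time, src, dst in result["ALLOW"]:
        print(f"{date} {time} port 135 reachable from outside: {src} -> {dst}")
    print(f"{len(result['DROP'])} external attempt(s) dropped")
```

Any entry under `ALLOW` means the block is not in effect for that host, which puts it in the patch-within-seven-days category from Cooper's advice.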

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Microsoft patches critical RPC vulnerability in Windows"

SearchSecurity.com news exclusive: "Windows flaw ripe for worm, expert says"

Microsoft security bulletin MS03-026
