Several groups are working on an exploit for this vulnerability. Expect
a working exploit to be published and used within the next few days. We
compiled a set of PowerPoint slides for IT managers to illustrate the
most important facts of this issue:
This vulnerability is NOT PATCHED by the RPC DCOM patch (MS03-026)
The RPCSS patch (MS03-039) has been made available on Sept. 10th
(Wednesday). No patch prior to this date fixed this issue. While this is
an RPC issue, it is a new and different issue from the one released in July.
You must patch as soon as possible
We expect an exploit in widespread use shortly. At this point, you
should be able to patch while assuming that the machine has not yet been
compromised. However, within a few days this may no longer be the case
and you will have to validate the system's integrity.
The patch for MS03-039 (RPCSS) does include the July patch for MS03-026
There are two workarounds. You can avoid exploitation of this
vulnerability by applying firewall rules, in particular if you are using
a host-based ("personal") firewall. For network firewalls, make sure no
hosts are moved into the same zone as unpatched machines. We recommend
setting up a "laptop quarantine" to avoid the introduction of malware
from outside the network.
In order to protect unpatched systems, you should close the following ports:
UDP 135, 137, 138, 445
TCP 135, 139, 445, 593
Other ports may be used as well depending on additional components you
may have installed. In particular, if you are using COM Internet Services
(CIS) and RPC over HTTP, you need to close ports 80 and 443 inbound.
To disable RPC, see this
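As an added example (not from the original advisory or its authors), the following Python script audits a firewall rule list against the inbound block list above, including the CIS/RPC-over-HTTP caveat. The "proto port action" rule format is a constructed one for offline use; map a real firewall export onto it before relying on the result.

```python
# Added example: audit a firewall rule list against the inbound block list
# in this advisory. Rule format is a constructed "proto port action" one.
REQUIRED_BLOCKS = {"udp": {135, 137, 138, 445}, "tcp": {135, 139, 445, 593}}
# Only needed when COM Internet Services (CIS) / RPC over HTTP is in use.
RPC_OVER_HTTP_PORTS = {"tcp": {80, 443}}

def required_blocks(rpc_over_http=False):
    """Return the set of (proto, port) pairs that must be blocked inbound."""
    needed = {(p, n) for p, ns in REQUIRED_BLOCKS.items() for n in ns}
    if rpc_over_http:
        needed |= {(p, n) for p, ns in RPC_OVER_HTTP_PORTS.items() for n in ns}
    return needed

def parse_rules(text):
    """Parse lines like 'tcp 135 block' or 'udp any allow'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, port, action = line.lower().split()
        if proto not in ("tcp", "udp") or action not in ("allow", "block"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append((proto, None if port == "any" else int(port), action))
    return rules

def effective_action(rules, proto, port, default="allow"):
    """First matching rule wins, as on most firewalls; no match uses the default policy."""
    for r_proto, r_port, action in rules:
        if r_proto == proto and r_port in (None, port):
            return action
    return default

def unblocked_ports(rules, rpc_over_http=False, default="allow"):
    """Return sorted (proto, port) pairs from the block list still reachable inbound."""
    return sorted((p, n) for p, n in required_blocks(rpc_over_http)
                  if effective_action(rules, p, n, default) != "block")

# Constructed weak rule set: mirrors only the July (MS03-026) habit of
# blocking TCP 135 and leaves every other listed port open.
WEAK_RULES = "tcp 135 block\ntcp any allow\nudp any allow\n"

# Constructed hardened rule set: every port listed in this advisory blocked inbound.
HARDENED_RULES = "\n".join(
    f"{proto} {n} block" for proto, ns in REQUIRED_BLOCKS.items() for n in sorted(ns)
) + "\ntcp any allow\nudp any allow\n"

if __name__ == "__main__":
    print("weak, still open:", unblocked_ports(parse_rules(WEAK_RULES)))
    print("hardened + CIS:", unblocked_ports(parse_rules(HARDENED_RULES), rpc_over_http=True))
```

An empty result means every listed port is blocked; a non-empty result lists what an unpatched host in that zone still exposes.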
Update Vulnerability Scanners
Scanners for the old RPC vulnerability will not recognize this new
vulnerability, and may detect false positives for patched systems.
Update to the most recent versions of your scanner.
Links and Further Information
Microsoft Bulletin (Consumer version):
Microsoft Bulletin (Technical Details):
Details about RPC:
Symbolic.it (Italian and
(1) CRITICAL: Microsoft RPC DCOM Multiple Vulnerabilities
[Acting on this vulnerability immediately is absolutely critical.
Incidents.Org has a useful PowerPoint presentation and description at
Windows NT4/2000/XP and Server 2003
Microsoft has released a new security bulletin that supersedes MS03-026.
The new bulletin addresses additional buffer overflow vulnerabilities
in the RPC DCOM service that can be exploited to execute arbitrary code
with SYSTEM privileges, and also patches a denial of service
vulnerability discovered last July. Exploit code for the DoS problem
has been publicly available since its discovery a few months ago.
Technical details have been published concerning the new "long filename"
buffer overflow, and rumors indicate that proof of concept exploits are
in circulation within the attacker community.
Status: Patch available in the MS03-039 security bulletin.
Council Site Actions:
All council sites responded to this new DCOM vulnerability on an urgent
basis. Most sites began patching on an emergency basis and some have
One site reported they are actively scanning their networks for
vulnerable systems using tools from eEye, Microsoft, and Nessus. Once
a vulnerable system is identified, the departmental contact is notified
and the machine is placed on a watch list. At the first sign of trouble,
the machine is disconnected from the net until it is patched via a CD
containing the appropriate Microsoft patches.
Another site (with 10,000 vulnerable machines) reported they began
correcting this problem within 15 minutes of learning about the
vulnerability. They estimate they have spent thousands of staff hours
on patching, assessment, and publicity efforts. They sent e-mail to all
of their user accounts, and made telephone calls to hundreds of system
administrators whom they suspected had one or more unpatched machines.
They created a new team that had not worked on vulnerability scanning
before, and asked them to scan all machines at their site using
Microsoft's KB824146scan.exe tool. Despite all of their efforts they
are still unsure of whether the scanning process has identified the
majority of their vulnerable machines. They have informed users that
vulnerable machines will have their network access disconnected, but
remain undecided about whether they will actually address the remaining
vulnerable machines via disconnection, or whether they will continue to
rely on publicity and administrative authority to ensure that all
required patch tasks are completed.
Microsoft Security Bulletins
CERT Advisories and Vulnerability Notes
Exploit for DoS by Benjurry of Xfocus
Technical Details of New Buffer Overflow by Dave Aitel
Possible Proof of Concept Exploit for New Buffer Overflow
Previous CVA Postings
http://archives.neohapsis.com/archives/sans/2003/0101.html (item #2)
http://archives.neohapsis.com/archives/sans/2003/0105.html (item #8)
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]