|
COMMAND RPC Locator Buffer Overflow SYSTEMS AFFECTED Windows 2000/XP/NT PROBLEM In David Litchfield [david@ngssoftware.com] advisory [#NISR29012003], from NGSSoftware Insight Security Research : http://www.ngssoftware.com/rpclocator.html --snip-- When searching for RPC Services on the network a Windows RPC client will connect to the domain controller over TCP port 139/445 (the SMB ports) and search for services/servers through the "locator" named pipe. An attacker can overflow a stack based buffer in the Locator service process by searching for an overly long string for an entry name to use in looking for binding handles. This problem arises due to an unsafe call to wcscpy(). --snap-- SOLUTION Microsoft released the patch to resolve this issue last week. http://www.microsoft.com/security/security_bulletins/ms03-001.asp NGSSoftware have written a free command line scanner to locate Microsoft computers running the RPC Locator service on the network. This may be downloaded from the NGSSite. [Please note that this scanner does not test for the actual vulnerability, but rather helps locate those machines most at risk. Although sample exploit code has been provided to the vendor, due to the recent events of last weekend, NGSSoftware are loathe to publish this publicly at this juncture - however we may after a grace period.] http://www.ngssoftware/rpclocator.html A check for this issue is already in Typhon, NGSSoftware's advanced vulnerability assessment scanner, of which more information is available from the NGSSite, http://www.ngssoftware.com.