Microsoft late Wednesday confirmed a denial-of-service flaw in its implementation of the RPC (Remote Procedure Call) protocol and warned users that a working exploit is already publicly available.
Microsoft Corp. countered the public disclosure of the vulnerability with an advisory that clarifies the scope of the impact and provides pre-patch workarounds for Windows users.
Microsoft's advisory comes a few days after proof-of-concept exploit code appeared on several security Web sites, including SecuriTeam.com, FrSIRT.com and Virus.org.
Microsoft acknowledged the bug affects its Windows 2000 Service Pack 4 and Windows XP Service Pack 1 operating systems. “This vulnerability could allow an attacker to levy a denial of service attack of limited duration,” the company's advisory warned.
Windows XP Service Pack 2 and Windows Server 2003 (with SP1) are unaffected.
On Windows XP Service Pack 1, a successful exploit requires that the attacker have valid logon credentials. Microsoft insists the vulnerability cannot be exploited remotely by anonymous users but noted that an affected component is available remotely to users who have standard user accounts.
Even as Microsoft is downplaying the extent of the flaw, security experts are debating whether there's more to it than a simple RPC implementation issue.
“This bug is much wider scoped than most people realize, a friend of mine found it when writing his muddle implementation a few months ago. You can trigger it about 12 different ways on Win2000 and at least 2 different ways on XP,” said H.D. Moore, creator of the Metasploit Project.
In a message posted on the Daily Dave mailing list, Moore described the bug as “pretty silly” and warned that it can be used to exploit out-of-memory conditions in other services. Moore also suggested there are attack vectors in a function in the “Server” service on Windows XP SP2.
Any flaw in Microsoft's implementation of RPC is bound to raise eyebrows. The RPC protocol is used in Windows to provide an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer.
It was an RPC-related vulnerability that was exploited in the widespread Blaster worm in 2003.
This time around, Microsoft maintains the risk is simply a “denial of service condition of limited duration.”
Workarounds:
To help protect against anonymous network-based connection attempts to exploit the flaw, Microsoft suggests that users configure the RestrictAnonymous registry setting to a more restrictive setting.
Additionally, users can block UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. All unsolicited inbound traffic on ports greater than 1024 and any other specifically configured RPC port should be blocked.
If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443, should also be blocked to avoid a potential attack.
Detailed instructions on port blocking can be found in Microsoft's advisory.
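The following PowerShell script is an added illustration of the two host-side workarounds listed above (the RestrictAnonymous setting and the port blocks); it is not taken from Microsoft's advisory or from the article. It assumes a current Windows host with the NetSecurity module (New-NetFirewallRule, Get-NetTCPConnection), which the Windows 2000 and XP systems named in the article do not have, and it assumes the registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa for RestrictAnonymous. The DWORD value 1 used for "more restrictive" is an assumption; the exact value for a given OS should come from the advisory.

```powershell
# Added example, not from the advisory: audit and apply the workarounds described above.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) and the LSA key below.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictAnonymousState {
    # Returns the current RestrictAnonymous DWORD; a missing value behaves like 0 (unrestricted).
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    if ($null -eq $props.RestrictAnonymous) { return 0 }
    return [int]$props.RestrictAnonymous
}

function Set-RestrictAnonymousRestricted {
    # Value 1 is an assumption here; use the value the advisory specifies for your OS.
    param([int]$Value = 1)
    Set-ItemProperty -Path $lsaKey -Name RestrictAnonymous -Value $Value -Type DWord
}

# Ports listed in the article's workaround section.
$udpPorts = 135, 137, 138, 445
$tcpPorts = 135, 139, 445, 593

function Add-RpcBlockRules {
    # Blocks unsolicited inbound traffic to the RPC-related ports; -IncludeHttp covers
    # CIS / RPC over HTTP on 80 and 443 and should only be used where those are installed.
    param([switch]$IncludeHttp)
    New-NetFirewallRule -DisplayName 'Block inbound RPC (UDP)' -Direction Inbound `
        -Protocol UDP -LocalPort $udpPorts -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound RPC (TCP)' -Direction Inbound `
        -Protocol TCP -LocalPort $tcpPorts -Action Block -Profile Any | Out-Null
    if ($IncludeHttp) {
        New-NetFirewallRule -DisplayName 'Block inbound RPC over HTTP' -Direction Inbound `
            -Protocol TCP -LocalPort 80, 443 -Action Block -Profile Any | Out-Null
    }
}

function Test-RpcPortsExposed {
    # Lists which of the advisory's TCP ports currently have a listener, so an administrator
    # can see what a network-based connection attempt would reach before the rules go in.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $tcpPorts -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess -Unique
}

# Audit first; apply the changes only after reviewing the output.
"RestrictAnonymous = $(Get-RestrictAnonymousState)"
Test-RpcPortsExposed | Format-Table -AutoSize
# Set-RestrictAnonymousRestricted
# Add-RpcBlockRules            # add -IncludeHttp only if CIS or RPC over HTTP is installed
```

The article's further recommendation to block unsolicited inbound traffic on all ports above 1024 is a perimeter-firewall rule rather than a host rule, so it is deliberately left out here; blocking 445 and 139 on a host will also break file and printer sharing for that machine, which is the trade-off the workaround accepts until a patch is installed.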