[Repost] RPC service suspected virus: handling procedure as follows



可愛滴小玉
2003-08-12, 02:07 AM
http://support.microsoft.com/?kbid=331953

http://www.microsoft.com/taiwan/security/bulletins/MS03-010.asp

Microsoft Security Bulletin MS03-010


Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
Originally posted: March 26, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® NT 4.0, Windows 2000 or Windows XP.

Impact of vulnerability: Denial of service.

Maximum severity rating: Moderate.

Affected software:

Windows NT 4.0
Windows 2000
Windows XP

Technical details
Technical description:

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, with the addition of some Microsoft-specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results from incorrect handling of malformed messages. This type of attack targets the RPC Endpoint Mapper process, which listens on TCP/IP port 135; the RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service.

To exploit the vulnerability, an attacker must establish a TCP/IP connection to the target process on the remote machine. Once the connection is established, the attacker begins the RPC connection negotiation and then transmits a malformed message. At that point the process on the remote machine fails. This process is responsible for maintaining the connection information for every process on the machine that uses RPC. Because the Endpoint Mapper runs inside the RPC service itself, exploiting the vulnerability causes the RPC service to fail, with the loss of any RPC-based services the server provides as well as the loss of some COM functions.

Mitigating factors:

To carry out this type of attack, the attacker must be able to connect to the Endpoint Mapper running on the target machine. That is the normal situation on an intranet, but for machines connected to the Internet the port used by the Endpoint Mapper is usually blocked by a firewall. Where the port is not blocked, or in an intranet environment, the attacker needs no additional privileges.
Best practice is to block all TCP/IP ports that are not actually in use; doing so blocks port 135 on most machines connected to the Internet. RPC over TCP should not be used in hostile environments such as the Internet. RPC offers more robust protocols for such environments, for example RPC over HTTP. To learn more about securing RPC for clients and servers, refer to this article. To learn more about the ports, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp.
This vulnerability only allows a denial of service attack; it does not let the attacker modify or retrieve data on the remote machine.
Internal RPC servers behind an ISA firewall are not exposed to this attack.

Severity rating:
Windows NT 4.0: Moderate
Windows NT 4.0, Terminal Server Edition: Moderate
Windows 2000: Moderate
Windows XP: Moderate
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1561

Tested versions:
Microsoft tested Windows NT, Windows 2000 and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.


Frequently asked questions
What is the scope of the vulnerability?

This is a denial of service vulnerability. An attacker who successfully exploited it could cause the remote machine to stop functioning. The attacker could not, however, modify or retrieve data on the remote machine.

To carry out such a denial of service attack, the attacker would need to establish a TCP/IP connection to the Endpoint Mapper running on the target machine. An attacker could set up a web site, harvest the IP addresses of target machines, and then launch the attack against them. Once the TCP connection is established, the attacker could send a malformed message to the RPC service and thereby cause the target machine to fail.

For remote RPC attacks from the Internet, the best defence is to configure the firewall to block port 135. RPC over TCP should not be used in hostile environments such as the Internet. Beyond the denial of service, the attacker could not retrieve data from or run code on the target machine.

What causes the vulnerability?
The vulnerability results because the Microsoft RPC Endpoint Mapper does not properly check the messages it receives once an RPC connection has been established, so a malformed message causes the process on the remote machine to fail. That process is responsible for maintaining the connection information for every process on the machine that uses RPC. Because the Endpoint Mapper runs inside the RPC service, exploiting the vulnerability causes the RPC service to fail, with the loss of any RPC-based services the server provides and of some COM functions.

What is RPC (Remote Procedure Call)?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the details of the network. The requesting program is the client and the service-providing program is the server.

What is the RPC Endpoint Mapper?
The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. An endpoint is a protocol port or named pipe on which the server application listens for client remote procedure calls. Client/server applications can use either well-known or dynamic ports.

What is wrong with Microsoft's implementation of Remote Procedure Call (RPC)?
There is a flaw in the part of RPC that deals with message exchange over TCP/IP. It results from incorrect handling of malformed messages. This type of attack targets the RPC Endpoint Mapper process listening on TCP/IP port 135; the Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. By sending a malformed RPC message, an attacker could cause the machine to fail.

What could this vulnerability enable an attacker to do?
The vulnerability could enable an attacker to launch a denial of service attack over the Internet or within an intranet. Although the attacker could cause the machine to fail, they could not retrieve data or run code.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit the vulnerability remotely (for example by setting up a web page), harvesting machines' IP addresses and then attacking them. To carry out the attack over the Internet, port 135 on the target machine would have to be open and the RPC service in use.

What does the patch do?
The patch eliminates the vulnerability by validating the affected messages received over TCP/IP connections; essentially, it makes RPC reject malformed messages.

Patch availability
Download locations for this patch (the original table linked the Chinese and English versions for each product):
Microsoft Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition


Additional information about this patch
Installation platforms:

The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
The Windows XP patch can be installed on systems running Windows XP Gold or Service Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 2.

Reboot needed: Yes.

Patch can be uninstalled: Yes.

Superseded patches: None.

Verifying patch installation:

Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953.

To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q331953\Filelist.

Windows XP:
If installed on Windows XP Gold:
To verify that the patch has been installed, confirm that the following registry key has been created: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q331953.

To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q331953\Filelist.


If installed on Windows XP Service Pack 1:
To verify that the patch has been installed, confirm that the following registry key has been created: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q331953.

To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q331953\Filelist.

Caveats:
Microsoft has tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to this denial of service attack, but owing to limitations of the Windows NT 4.0 platform no patch is provided, and customers are advised to follow these guidelines:


Block port 135 at the firewall.
Review applications that use RPC and implement secure RPC.
For applications that use RPC over the Internet, implement RPC over HTTP.
Customers using Microsoft ISA Server should place RPC servers behind the ISA firewall.
Detailed information is available at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/best_rpc_programming_practices.asp.

Localization:
Localized versions of this patch are available at the locations discussed in "Patch availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.
Other information:
Acknowledgments:
Microsoft thanks Mike Fratto for reporting this issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article 331953 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security resources: The Microsoft TechNet Security web site provides additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits, punitive or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply to you.

Revisions:


V1.0 (March 26, 2003): Bulletin created.

可愛滴小玉
2003-08-12, 02:15 AM
WindowsXP-KB823980-x86-CHT.exe


http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe

可愛滴小玉
2003-08-12, 04:01 AM
TW-CA-2003-076-[ Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (823980) ]

--------------------------------------------------------------------------------

TWCERT release date: 2003-07-29
Original vulnerability release date: 2003-07-21
Category: Gain Privilege.

Source reference: Microsoft Security Bulletin MS03-026


--------------------------------------------------------------------------------
Summary
--------------------------------------------------------------------------------

Who should read this document: users of Microsoft® operating systems
Impact: run code of the attacker's choice
Risk rating: Critical
Recommendation: system administrators should apply the patch immediately.


Information about this fix is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp



--------------------------------------------------------------------------------
Description
--------------------------------------------------------------------------------

Remote Procedure Call (RPC) is one of the protocols used by Microsoft operating systems. RPC provides an inter-process communication mechanism that allows a program running on the local computer to execute a program on a remote computer as if it were running locally. Microsoft's RPC protocol is derived from the Open Software Foundation (OSF) RPC protocol, with some Microsoft-specific extensions added.

There is a vulnerability in the part of RPC that handles message exchange over TCP/IP. It results from incorrect handling of malformed messages. This particular vulnerability affects the Distributed Component Object Model (DCOM) interface of RPC, which listens on RPC-enabled ports and handles the DCOM object "activation" requests that client machines send to the server. An attacker who successfully exploits the vulnerability can run code with Local System privileges on the affected system, and can then take any action on it, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges.

To exploit the vulnerability, an attacker needs to send a specially formed request to the specific RPC-enabled port on the remote computer.

Mitigating factors:
- To exploit the vulnerability, the attacker must be able to send a specially crafted request to a remote computer on port 135, 139 or 445, or on any other port configured for RPC. In an intranet environment these ports are normally accessible, but for Internet-connected machines they should be blocked by a firewall. Where the ports are not blocked, or in an intranet configuration, the attacker needs no additional privileges.

- Best practice is to block all TCP/IP ports that are not actually in use, and most firewalls, including the Windows Internet Connection Firewall (ICF), block these ports by default. For this reason most Internet-connected machines should have RPC over TCP and UDP blocked. RPC over UDP or TCP is not designed for use in hostile environments such as the Internet; more robust protocols such as RPC over HTTP are provided for hostile network environments.

To learn more about securing RPC clients and servers, see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp

To learn more about the ports used by RPC, see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

Risk rating:
Windows NT 4.0: Critical
Windows NT 4.0 Terminal Server Edition: Critical
Windows 2000: Critical
Windows XP: Critical
Windows Server 2003: Critical
The above assessment (http://www.microsoft.com/technet/security/topics/rating.asp) is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0352
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

Tested platforms:
Microsoft tested Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected; earlier versions (http://support.microsoft.com/directory/discontinue.asp) are no longer supported and may or may not be affected by this vulnerability.



--------------------------------------------------------------------------------
Affected platforms
--------------------------------------------------------------------------------

Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003

Not affected:
Microsoft Windows Millennium Edition



--------------------------------------------------------------------------------
Fix
--------------------------------------------------------------------------------

Patch download locations:
- Windows NT 4.0 Server
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en

- Windows NT 4.0, Terminal Server Edition
http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en

- Windows 2000 Server
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

- Windows XP 32-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

- Windows XP 64-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en

- Windows Server 2003 32-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en

- Windows Server 2003 64-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en

Additional information about this patch:
Installation platforms:
- The Windows NT Server 4.0 patch can be installed on systems running Windows NT Server 4.0 Service Pack 6a (http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6.asp).

- The Windows NT Server, Terminal Server Edition patch can be installed on systems running Windows NT Server, Terminal Server Edition Service Pack 6 (http://www.microsoft.com/NTServer/ProductInfo/News/Terminal/TseSP6.asp).

- The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3 (http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp) or Service Pack 4 (http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp).

- The Windows XP patch can be installed on systems running Windows XP Gold or Service Pack 1 (http://www.microsoft.com/TechNet/Security/News/WXPSP1s.asp).

- The Windows Server 2003 patch can be installed on systems running Windows Server 2003 Gold.

Inclusion in future service packs:
The fix will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

Reboot needed after installation: yes.

Patch can be uninstalled: yes.

Superseded patches: none.

Verifying patch installation:
- Windows NT 4.0
To verify that the patch has been installed, confirm that all files listed in the file manifest in Knowledge Base article 823980 are present on the system.

- Windows NT 4.0 Terminal Server Edition
To verify that the patch has been installed, confirm that all files listed in the file manifest in Knowledge Base article 823980 are present on the system.

- Windows 2000
To verify that the patch has been installed, confirm that the following registry key has been created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980.

To verify the individual files, compare the files on the system and their date/time stamps against the list in Knowledge Base article 823980.

- Windows XP
-- Windows XP Gold
To verify that the patch has been installed, confirm that the following registry key has been created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980.

To verify the individual files, compare the files on the system and their date/time stamps against the list in Knowledge Base article 823980.

-- Windows XP Service Pack 1
To verify that the patch has been installed, confirm that the following registry key has been created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980.

To verify the individual files, compare the files on the system and their date/time stamps against the list in Knowledge Base article 823980.

- Windows Server 2003
To verify that the patch has been installed, confirm that the following registry key has been created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980.

To verify the individual files, compare the files on the system and their date/time stamps against the list in Knowledge Base article 823980.

Other security patches can be obtained from:
- The Microsoft Download Center, searching for the string "security_patch".
- The WindowsUpdate web site: http://windowsupdate.microsoft.com/.



--------------------------------------------------------------------------------
Impact
--------------------------------------------------------------------------------

Run code of the attacker's choice


--------------------------------------------------------------------------------
Contact TWCERT/CC
--------------------------------------------------------------------------------

Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email: [email protected]
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm


--------------------------------------------------------------------------------

Attachment: [Buffer Overrun In RPC Interface Could Allow Code Execution (823980)]

--------------------------------------------------------------------------------
Original text
--------------------------------------------------------------------------------

Microsoft Security Bulletin MS03-026


Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003

Revised: July 18, 2003

Summary
Who should read this bulletin: Users running Microsoft® Windows®

Impact of vulnerability: Run code of attacker’s choice

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch immediately

End User Bulletin: An end user version of this bulletin is available at:

http://www.microsoft.com/security/security_bulletins/ms03-026.asp.

Affected Software:

Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Not Affected Software:

Microsoft Windows Millennium Edition

Technical details
Technical description:


Microsoft originally released this bulletin and patch on July 16, 2003 to
correct a security vulnerability in a Windows Distributed Component Object
Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is
effective in eliminating the security vulnerability. However, the “mitigating
factors” and “workarounds” discussions in the original security bulletin did
not clearly identify all of the ports by which the vulnerability could
potentially be exploited. We have updated this bulletin to more clearly
enumerate the ports over which RPC services can be invoked, and to ensure that
customers who have chosen to implement a workaround before installing the patch
have the information that they need to protect their systems. Customers who
have already installed the patch are protected from attempts to exploit this
vulnerability, and need take no further action.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system.
RPC provides an inter-process communication mechanism that allows a program
running on one computer to seamlessly execute code on a remote system. The
protocol itself is derived from the Open Software Foundation (OSF) RPC
protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange
over TCP/IP. The failure results because of incorrect handling of malformed
messages. This particular vulnerability affects a Distributed Component Object
Model (DCOM) interface with RPC, which listens on RPC enabled ports. This
interface handles DCOM object activation requests that are sent by client
machines to the server. An attacker who successfully exploited this
vulnerability would be able to run code with Local System privileges on an
affected system. The attacker would be able to take any action on the system,
including installing programs, viewing, changing or deleting data, or creating
new accounts with full privileges.

To exploit this vulnerability, an attacker would need to send a specially
formed request to the remote computer on specific RPC ports.



Mitigating factors:

To exploit this vulnerability, the attacker would require the ability to send a
specially crafted request to port 135, 139, or 445 or any other specifically
configured RPC port on the remote machine. For intranet environments, these
ports would normally be accessible, but for Internet connected machines, these
would normally be blocked by a firewall. In the case where these ports are not
blocked, or in an intranet configuration, the attacker would not require any
additional privileges.
Best practices recommend blocking all TCP/IP ports that are not actually being
used, and most firewalls including the Windows Internet Connection Firewall
(ICF) block those ports by default. For this reason, most machines attached to
the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is
not intended to be used in hostile environments such as the Internet. More
robust protocols such as RPC over HTTP are provided for hostile environments.
To learn more about securing RPC for client and server please refer to
http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp.

To learn more about the ports used by RPC, please refer to:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/
tcpappc.asp


Severity Rating: Windows NT 4.0 Critical
Windows NT 4.0 Terminal Server Edition Critical
Windows 2000 Critical
Windows XP Critical
Windows Server 2003 Critical
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0352

Tested Versions:
Microsoft tested Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Services
Edition, Windows 2000, Windows XP and Windows Server 2003, to assess whether
they are affected by this vulnerability. Previous versions are no longer
supported, and may or may not be affected by this vulnerability.


Frequently asked questions
Why have you revised this bulletin?

Subsequent to the release of this bulletin Microsoft has been made aware that
additional ports involving RPC can be used to exploit this vulnerability.
Information regarding these additional ports has been added to the mitigating
factors and the Workaround section of the bulletin.

If I have installed the patch provided with the original bulletin, am I still
protected?

Yes. There has been no update to the patch itself, and the patch will still
correct the vulnerability. This additional information is being provided to
those customers who may require a temporary workaround until they can apply the
patch.

What’s the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited
this vulnerability could gain complete control over a remote computer. This
would give the attacker the ability to take any action on the server that they
want. For example, an attacker could change Web pages, reformat the hard disk,
or add new users to the local administrators group.

To carry out such an attack, an attacker would require the ability to send a
malformed message to the RPC service and thereby cause the target machine to
fail in such a way that arbitrary code could be executed.


What causes the vulnerability?

The vulnerability results because the Windows RPC service does not properly
check message inputs under certain circumstances. This particular failure
affects an underlying Distributed Component Object Model (DCOM) interface,
which listens on RPC enabled ports. By sending a malformed RPC message, an
attacker could cause the RPC service on the remote machine to fail in such a
way that arbitrary code could be executed.

What is DCOM?

The Distributed Component Object Model (DCOM) is a protocol that enables
software components to communicate directly over a network. Previously
called "Network OLE," DCOM is designed for use across multiple network
transports, including Internet protocols such as HTTP. More information about
DCOM can be found at the following website:

http://www.microsoft.com/com/tech/dcom.asp

What is RPC (Remote Procedure Call)?

Remote Procedure Call (RPC) is a protocol that a program can use to request a
service from a program located on another computer in a network. RPC helps with
interoperability because the program using RPC does not have to understand the
network protocols that are supporting communication. In RPC, the requesting
program is the client and the service-providing program is the server.

What's wrong with Microsoft’s implementation of Remote Procedure Call (RPC)?

There is a flaw in a part of RPC that deals with message exchange over TCP/IP.
A failure results because of incorrect handling of malformed messages. This
particular failure affects an underlying DCOM interface, which listens on
TCP/IP port 135, and can be reached via ports 139 and 445. By sending a
malformed RPC message, an attacker could cause the RPC service on a machine to
fail in such a way that arbitrary code could be executed.

Is this a flaw in the RPC Endpoint Mapper?

No - The flaw actually occurs in a low level DCOM interface within the RPC
process. The RPC endpoint mapper allows RPC clients to determine the port
number currently assigned to a particular RPC service. An endpoint is a
protocol port or named pipe on which the server application listens to for
client remote procedure calls. Client/server applications can use either well-
known or dynamic ports.

Security Bulletin MS03-010 also involved RPC yet you could not fix that
vulnerability on Windows NT 4.0. How were you able to fix this vulnerability on
Windows NT 4.0?

The flaw in this case lies in an underlying DCOM interface to RPC, and not the
overall RPC implementation or the RPC Endpoint Mapper itself. As a result, it
was possible to address this vulnerability in Windows NT 4.0 without needing to
rearchitect significant portions of the Windows NT 4.0 operating system, as
would have been required by a Windows NT 4.0 patch for security bulletin MS03-
010.

What could this vulnerability enable an attacker to do?

An attacker who successfully exploited this vulnerability would be able to run
code with Local System privileges on an affected system. The attacker would be
able to take any action on the system, including installing programs, viewing
changing or deleting data, or creating new accounts with full privileges.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by programming a machine
that could communicate with a vulnerable server over RPC to send a specific
kind of malformed RPC message. Receipt of such a message could cause the RPC
service on the vulnerable machine to fail in such a way that it could execute
arbitrary code.

Who could exploit the vulnerability?

Any user who could deliver a TCP request to an RPC interface to an affected
computer could attempt to exploit the vulnerability. Because RPC requests are
on by default in all versions of Windows, this in essence means that any user
who could establish a connection with an affected computer could attempt to
exploit the vulnerability.

It could also be possible to access the affected component through another
vector, such as one that would involve logging onto the system interactively or
by using another similar application that passed parameters to the vulnerable
component either locally or remotely.

What does the patch do?

The patch corrects the vulnerability by altering the DCOM interface to properly
check the information passed to it.




Workarounds


Are there any workarounds that can be used to block exploitation of this
vulnerability while I am testing or evaluating the patch?

Yes. Although Microsoft urges all customers to apply the patch at the earliest
possible opportunity, there are a number of workarounds that can be applied to
help prevent the vector used to exploit this vulnerability in the interim.

It should be noted that these workarounds should be considered temporary
measures as they just help block paths of attack rather than correcting the
underlying vulnerability.

The following sections are intended to provide you with information to help
protect your computer from attack. Each section describes the workarounds that
you may want to use depending on your computer’s configuration.

Each section describes the workarounds available depending on your required
level of functionality.


Block RPC interface ports at your firewall.
Port 135 is used to initiate an RPC connection with a remote computer. In
addition, there are other RPC interface ports that could be used by an attacker
to remotely exploit this vulnerability. Blocking the following ports at the
firewall will help prevent systems behind that firewall from being attacked by
attempts to exploit this vulnerability:

TCP/UDP Port 135
TCP/UDP Port 139
TCP/UDP Port 445

In addition, customers may have configured services or protocols that use RPC
that might also be accessible from the Internet. Systems administrators are
strongly encouraged to examine RPC ports that are exposed to the Internet and
to either block these ports at their firewall, or apply the patch immediately.


Internet Connection Firewall.
If you are using the Internet Connection Firewall in Windows XP or Windows
Server 2003 to protect your Internet connection, it will by default block
inbound RPC traffic from the Internet.

Disable DCOM on all affected machines
When a computer is part of a network, the DCOM wire protocol enables COM
objects on that computer to communicate with COM objects on other computers.
You can disable DCOM for a particular computer to help protect against this
vulnerability, but doing so will disable all communication between objects on
that computer and objects on other computers.

If you disable DCOM on a remote computer, you will not be able to remotely
access that computer afterwards to reenable DCOM. To reenable DCOM, you will
need physical access to that computer.

To manually enable (or disable) DCOM for a computer:

1. Run Dcomcnfg.exe.


If you are running Windows XP or Windows Server 2003 perform these additional
steps:

Click on the Component Services node under Console Root.
Open the Computers sub-folder.
For the local computer, right click on My Computer and choose Properties.
For a remote computer, right click on the Computers folder and choose New then
Computer. Enter the computer name. Right click on that computer name and choose
Properties.
2. Choose the Default Properties tab.
3. Select (or clear) the Enable Distributed COM on this Computer check box.

4. If you will be setting more properties for the machine, click the Apply
button to enable (or disable) DCOM. Otherwise, click OK to apply the changes
and exit Dcomcnfg.exe.


Patch availability
Download locations for this patch
Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32 bit Edition
Windows XP 64 bit Edition
Windows Server 2003 32 bit Edition
Windows Server 2003 64 bit Edition

Additional information about this patch
Installation platforms:

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
The Windows NT 4.0, Terminal Server Edition patch can be installed on systems
running Windows NT 4.0, Terminal Server Edition Service Pack 6.
The Windows 2000 patch can be installed on systems running Windows 2000 Service
Pack 3, or Service Pack 4.
The patch for Windows XP can be installed on systems running Windows XP Gold or
Service Pack 1.
The patch for Windows Server 2003 can be installed on systems running Windows
Server 2003 Gold.
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 5, Windows
XP Service Pack 2, and Windows Server 2003 Service Pack 1.

Reboot needed: Yes.

Patch can be uninstalled: Yes.

Superseded patches: None.

Verifying patch installation:

Windows NT 4.0:
To verify that the patch has been installed on the machine, confirm that all
files listed in the file manifest in Knowledge Base article 823980 are present
on the system.
Windows NT 4.0 Terminal Server Edition:
To verify that the patch has been installed on the machine, confirm that all
files listed in the file manifest in Knowledge Base article 823980 are present
on the system.
Windows 2000:
To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980.

To verify the individual files, use the date/time and version information
provided in the file manifest in Knowledge Base article 823980 to confirm that
they are present on the system.

Windows XP:
To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980.

To verify the individual files, use the date/time and version information
provided in the file manifest in Knowledge Base article 823980 to confirm that
they are present on the system.

Windows Server 2003:
To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980.

To verify the individual files, use the date/time and version information
provided in the file manifest in Knowledge Base article 823980 to confirm that
they are present on the system.

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed in
“Patch Availability”.

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be
most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks The Last Stage of Delirium Research Group for reporting this
issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article 823980 discusses this issue and will be
available approximately 24 hours after the release of this bulletin. Knowledge
Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There
is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness for
a particular purpose. In no event shall Microsoft Corporation or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions:


V1.0 (July 16, 2003): Bulletin Created.
V1.1 (July 18, 2003): Mitigating factors and Workaround section updated to
reflect additional ports.
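
Both bulletins above describe the same precondition: the attacker first completes a TCP connection to port 135 and an RPC bind (the "connection negotiation"), and only then sends the malformed message. The script below is an added example, not part of either bulletin or of any Microsoft tool. It builds a DCE/RPC bind PDU for the Endpoint Mapper interface, parses the server's bind_ack, and wraps the exchange in an exposure probe for the three ports the MS03-026 workaround says to block (135, 139 and 445). The connector is injectable, and `offline_connect` is a constructed stand-in server so the exchange can be exercised without a network; the interface UUIDs are the published Endpoint Mapper and NDR transfer-syntax identifiers. The probe tells you whether a host is reachable on the RPC ports and whether 135 actually talks DCE/RPC, which is the question a firewall audit in 2003 needed answered; it sends nothing malformed.

```python
"""DCE/RPC bind exchange and RPC-port exposure probe (added example, not Microsoft code)."""
import socket
import struct
import uuid

# Published identifiers: the Endpoint Mapper interface (v3.0) and the NDR transfer syntax (v2.0).
EPMAPPER_IFACE = (uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa"), 3, 0)
NDR_TRANSFER = (uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860"), 2, 0)
RPC_PORTS = (135, 139, 445)            # the ports MS03-026 says to block at the firewall

PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
PFC_FIRST_LAST = 0x03                  # first_frag | last_frag: whole PDU in one fragment
DREP_LE_ASCII = 0x10                   # little-endian integers, ASCII characters


def _syntax(iface):
    """p_syntax_id_t: UUID in little-endian wire order plus major/minor version (20 bytes)."""
    u, major, minor = iface
    return u.bytes_le + struct.pack("<HH", major, minor)


def _header(ptype, frag_length, call_id):
    """16-byte common header: vers 5.0, ptype, flags, data representation, lengths, call id."""
    return struct.pack("<BBBBIHHI", 5, 0, ptype, PFC_FIRST_LAST, DREP_LE_ASCII,
                       frag_length, 0, call_id)


def build_bind(iface=EPMAPPER_IFACE, call_id=1, max_frag=5840):
    """Client -> server: bind one presentation context (iface over NDR) on a new association."""
    ctx = struct.pack("<HBB", 0, 1, 0) + _syntax(iface) + _syntax(NDR_TRANSFER)   # 44 bytes
    body = struct.pack("<HHIB3x", max_frag, max_frag, 0, 1) + ctx                # 12 + 44
    return _header(PTYPE_BIND, 16 + len(body), call_id) + body                   # 72 bytes


def build_bind_ack(port="135", result=0, call_id=1, max_frag=5840):
    """Server -> client: the shape of a real Endpoint Mapper reply; used here to construct test input."""
    sec_addr = port.encode("ascii") + b"\0"
    body = struct.pack("<HHIH", max_frag, max_frag, 0x1234, len(sec_addr)) + sec_addr
    body += b"\0" * (-(16 + len(body)) % 4)          # the results list is 4-byte aligned
    body += struct.pack("<B3xHH", 1, result, 0) + _syntax(NDR_TRANSFER)
    return _header(PTYPE_BIND_ACK, 16 + len(body), call_id) + body


def parse_bind_ack(pdu):
    """Return (accepted, secondary_address); raise ValueError for anything that is not a clean bind_ack."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    vers, _, ptype, _, drep, frag_len, _, _ = struct.unpack_from("<BBBBIHHI", pdu)
    if vers != 5 or ptype != PTYPE_BIND_ACK or drep & 0xF0 != 0x10 or frag_len != len(pdu):
        raise ValueError("not a well-formed little-endian bind_ack")
    off = 24                                          # header(16) + max_xmit, max_recv, assoc_group
    (addr_len,) = struct.unpack_from("<H", pdu, off)
    off += 2
    sec_addr = pdu[off:off + addr_len].rstrip(b"\0").decode("ascii")
    off += addr_len + (-(off + addr_len) % 4)         # realign after the variable-length string
    (n_results,) = struct.unpack_from("<B", pdu, off)
    off += 4
    if n_results < 1 or len(pdu) < off + 24:
        raise ValueError("missing context result")
    result, _reason = struct.unpack_from("<HH", pdu, off)
    return result == 0, sec_addr                      # 0 = acceptance, anything else = rejection


def offline_connect(reply):
    """Constructed stand-in for socket.create_connection: a connector whose socket answers `reply`."""
    class _Sock:
        def __init__(self):
            self.sent = b""
        def sendall(self, data):
            self.sent += data
        def recv(self, n):
            return reply[:n]
        def close(self):
            pass
    return lambda address, timeout=None: _Sock()


def probe_rpc_exposure(host, connect=socket.create_connection, timeout=3.0):
    """Which of 135/139/445 accept a TCP connection, and does 135 accept an Endpoint Mapper bind?"""
    report = {"open_ports": [], "bind_accepted": False, "secondary_address": None}
    for port in RPC_PORTS:
        try:
            s = connect((host, port), timeout)
        except OSError:
            continue                                  # filtered or closed: nothing to bind to
        report["open_ports"].append(port)
        try:
            if port == 135:
                s.sendall(build_bind())
                accepted, addr = parse_bind_ack(s.recv(4096))
                report["bind_accepted"], report["secondary_address"] = accepted, addr
        except (OSError, ValueError):
            pass                                      # open, but did not speak DCE/RPC cleanly
        finally:
            s.close()
    return report
```

Against a real host, `probe_rpc_exposure("10.0.0.5")` with the default connector reports which of the three ports are reachable from where you run it; an empty `open_ports` from outside the firewall is what the bulletins ask for. 139 and 445 carry RPC over SMB named pipes, so the bind is only attempted on 135.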

charles_ccgb
2003-08-12, 02:17 PM
This worm is quite troublesome; the 026 patch fixes it effectively. Users of 2000/XP and later should update as soon as possible.
P.S. Users behind an IP-sharing router or a firewall need not worry; reinstalling the OS does not help.

jackal0601
2003-08-12, 04:06 PM
Some additional information (a Microsoft mail I just received)

The Microsoft Security Response Center has issued a notice about the W32.Blaster.Worm virus. Antivirus vendors use different names for it: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (Computer Associates). You need to install Microsoft security patch MS03-026 to avoid being attacked by this virus.


CRITICAL SECURITY ALERT - PSS SECURITY ALERT

PARTNER LEVEL NDA PSS Security Team Alert - 08/12/2003

New Virus: W32.Blaster.worm

Affected products:

Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition

Description:

The Microsoft Security Response Center has issued a notice about the W32.Blaster.Worm virus. Antivirus vendors use different names for it: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (Computer Associates). You need to install Microsoft security patch MS03-026 to avoid being attacked by this virus.

Impact:

It spreads over the RPC port; infected machines reboot repeatedly, and a file named msblast.exe can be found in the %systemroot%\windows32 directory.

Technical details:

The virus scans the computers on your network segment and sends itself over TCP port 135. If the target computer does not have MS03-026 installed, the virus infects it and creates the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of infection:

1. Windows reboots unexpectedly.
2. A file named msblast.exe is found in the %systemroot%\windows32 directory.
3. TFTP* files exist on the system.

Solution:

Steps for a machine that has already been infected:

If you are not a Windows XP user:

1. Start, Run, type cmd, OK.
2. At the command prompt, type shutdown -a to stop the shutdown.
3. Press Ctrl+Alt+Del and end MSBLAST in Task Manager.
4. Update your antivirus signatures (if the system has no antivirus software, run an online scan at http://housecall.antivirus.com).
5. Download the fix MS03-026.
Download location: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
6. Unplug the network cable.
7. Scan the system to make sure the virus is gone (you can download your antivirus vendor's removal tool to delete it).
8. Install the fix.
9. Restart the computer.
10. Plug the network cable back in.

If you are a Windows XP user:

1. Start, Run, type cmd, OK.
2. At the command prompt, type shutdown -a to stop the shutdown.
3. Press Ctrl+Alt+Del and end MSBLAST in Task Manager.
4. Update your antivirus signatures (if the system has no antivirus software, run an online scan at http://housecall.antivirus.com).
5. Download the fix MS03-026.
Download location: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
6. Unplug the network cable.
7. Scan the system to make sure the virus is gone (you can download your antivirus vendor's removal tool to delete it).
8. Install the fix.
9. Restart the computer.
10. Enable the Internet Connection Firewall (ICF). Reference: http://support.microsoft.com/?id=283673
To enable it manually:
a. Open Control Panel, then Network Connections.
b. Right-click your network adapter and choose Properties.
c. On the Advanced tab, under Internet Connection Firewall (ICF), select the "Protect my computer and network by limiting or preventing access to this computer from the Internet" check box.
11. Plug the network cable back in.

Steps to take if you have not been infected:

To make sure your system is not attacked by this virus, install Microsoft security patch MS03-026.
Download location: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

More information:

You can refer to the information provided by antivirus vendors:

Network Associates: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance please visit this link: http://www.microsoft.com/technet/security/virus/via.asp

For more information about this virus, contact your antivirus vendor directly.

CRITICAL SECURITY ALERT - PSS SECURITY ALERT
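
The alert above gives three infection indicators (the "windows auto update" Run value, msblast.exe in the system directory, TFTP* files) and the MS03-026 bulletin earlier in the thread gives the registry key the patch creates on each platform. The script below is an added example, not part of the alert or of any Microsoft tool: it runs those checks over per-host snapshots and orders a fleet by urgency (infected first, then unpatched). The snapshots are constructed inline; on a real host you would populate them from the Run key, the system directory listing and the Updates key. Assumptions: the Windows Server 2003 key is spelled "Windows Server 2003" (the bulletin text reads "Window Server 2003"), Windows NT 4.0 has no key and is reported as "unknown" because the bulletin says to check the file manifest instead, and tftp.exe itself is treated as the stock Windows client rather than a worm artifact.

```python
"""Blaster / MS03-026 host triage over constructed snapshots (added example, not Microsoft code)."""

# Registry keys the MS03-026 bulletin says the patch creates, per platform / service-pack level.
KB823980_KEYS = {
    "Windows 2000 SP3/SP4": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980",
    "Windows XP Gold": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980",
    "Windows XP SP1": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980",
    # assumption: corrected spelling of the key the bulletin prints as "Window Server 2003"
    "Windows Server 2003": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980",
}
# Windows NT 4.0 is verified by file manifest, so it has no entry above and reports patched=None.


def triage_host(snapshot):
    """snapshot: {'host', 'platform', 'registry_keys': set, 'run_values': {name: data}, 'system_dir': [names]}."""
    findings = []
    # Registry value names and data are case-insensitive on Windows; normalise before matching.
    run_values = {n.lower(): d.lower() for n, d in snapshot.get("run_values", {}).items()}
    if "msblast.exe" in run_values.get("windows auto update", ""):
        findings.append('Run value "windows auto update" launches msblast.exe')
    for name in snapshot.get("system_dir", []):
        low = name.lower()
        if low == "msblast.exe":
            findings.append("msblast.exe present in the system directory")
        elif low.startswith("tftp") and low != "tftp.exe":   # assumption: tftp.exe is the stock client
            findings.append(f"TFTP artifact {name}")
    expected = KB823980_KEYS.get(snapshot["platform"])
    if expected is None:
        patched = None                                       # NT 4.0: check the KB823980 file manifest
    else:
        patched = expected.lower() in {k.lower() for k in snapshot.get("registry_keys", [])}
    return {"host": snapshot["host"], "infected": bool(findings), "patched": patched, "findings": findings}


def triage_fleet(snapshots):
    """Infected hosts first, then hosts not known to be patched, then patched and clean."""
    results = [triage_host(s) for s in snapshots]
    return sorted(results, key=lambda r: (not r["infected"], r["patched"] is True, r["host"]))


# Constructed sample data for this example; the hostnames and contents are invented.
SAMPLE_SNAPSHOTS = [
    {"host": "ws-017", "platform": "Windows XP SP1", "registry_keys": set(),
     "run_values": {"windows auto update": "msblast.exe"},
     "system_dir": ["msblast.exe", "tftp.exe", "TFTP2784", "kernel32.dll"]},
    {"host": "srv-dc1", "platform": "Windows 2000 SP3/SP4",
     "registry_keys": {KB823980_KEYS["Windows 2000 SP3/SP4"]},
     "run_values": {"Synchronization Manager": "mobsync.exe /logon"},
     "system_dir": ["tftp.exe"]},
    {"host": "srv-web2", "platform": "Windows Server 2003", "registry_keys": set(),
     "run_values": {}, "system_dir": ["tftp.exe"]},
]

if __name__ == "__main__":
    for r in triage_fleet(SAMPLE_SNAPSHOTS):
        state = "INFECTED" if r["infected"] else ("patched" if r["patched"] else "UNPATCHED/unknown")
        print(f"{r['host']:10} {state:18} {'; '.join(r['findings'])}")
```

The ordering is the point: the alert's cleanup sequence (shutdown -a, kill the process, unplug, scan, patch, reboot) only applies to the hosts at the top of the list, while the rest only need the patch before they become the next wave.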

shauronglu
2003-08-13, 09:12 AM
相關消息

http://forum.icst.org.tw/phpBB2/viewtopic.php?t=1375
http://forum.icst.org.tw/phpBB2/viewtopic.php?t=1374
http://forum.icst.org.tw/phpBB2/viewtopic.php?t=1372
http://forum.icst.org.tw/phpBB2/viewtopic.php?t=1368

topgun2000
2008-03-14, 02:33 PM
A better way:

A web page explaining how to close port 135: http://www.grc.com/freeware/dcom.htm

Direct download of the program: http://www.grc.com/files/DCOMbob.exe

noeleon930
2009-04-04, 06:41 PM
Configure the firewall manually and close ports 135-139 (both UDP and TCP),
and also turn off the "Server" service and every service with an RPC (Remote Procedure) component; set them to "Disabled" too!
Then, OK!