Tag Archive for rpc

Microsoft Releases Emergency Patch

The same principals behind gaining a root shell for a Unix system, apply for Windows systems allowing the attacker to execute remote code.

Today Microsoft release an emergency patch with a maximum severity rating of “Critical”, for Windows 2000 SP4, Windows XP SP1, SP2 and SP3, and Windows 2003; and with a severity rating of “Important”, for Windows Vista and Windows 2008 servers.

In this particular instance the attacker would craft RPC connection to TCP port 139 and/or 445 on a target system, looking to overflow the buffer, thus gaining access to execute remote code. This would allow the attacker to gain full access to the system, with the ability to install programs, view, change and/or delete data, or create accounts.

The Microsoft Security Bulletin MS08-067, provides details on the issue as well as the download links to the patches for the affected platforms.

This particular vulnerability makes use of a buffer previously unchecked in the “Server Service”, which provides RPC, file and print, and named pipe sharing support over the network.

Microsoft has acknowledged that over the last three weeks, criminals have been targeting systems using this vulnerability, but decided to rush out the patch since after handling close to a 100 incidents relevant to this flaw, had seen that number rise significantly.

As I wrote in my past blog on Root Shell – The Holy Grail, it is very likely that a worm will surface on the Internet taking advantage of the gap between the patch release date and when this patch is actually applied by IT departments worldwide.

Install the patch immediately if you are running any of the affected systems and if you are running anything older then upgrade.

[ad]

UPDATE: 9:21pm – Definitely did not expect it to happen this soon, but the New York Times is reporting that attack code to exploit the vulnerability has surfaced just hours after the patch was announced. This vulnerability is so serious that a worm with viral characteristics could be Blaster all over again.