Long-anticipated exploit code targeting the most recent Microsoft RPC vulnerabilities is circulating and may cause a denial-of-service on even patched Windows XP systems, experts said. Other versions of Windows might be vulnerable but haven't been tested.
"This code is a universal exploit, which means that it can be used against any version of Windows that is not patched," says Aaron Schaub, a security analyst at managed security services provider TruSecure Corp. in Herndon, Va. "However, there have been unconfirmed reports that it will still work against Windows XP SP1 even with all additional security updates installed."
"While the current code can only inflict a DoS condition on the target system, it's conceivable that it could be modified in a manner that will permit the execution of arbitrary code," adds Schaub.
The code exploits a slight variant of the RPCSS vulnerability documented in Microsoft Security Bulletin MS03-039 (RPCSS is the Remote Procedure Call portmapper, which directs traffic to the different services that use RPC).
Experts report seeing increased activity on TCP port 135, which is associated with the vulnerable service.
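One way a defender can spot the kind of port 135 activity the article describes is to count inbound TCP/135 connection attempts per source over a sliding window. The following is an added example, not code from the article or from TruSecure; it assumes a simple whitespace-separated firewall log format (timestamp, source, destination, protocol, destination port, action) and uses constructed sample lines.

```python
"""Added example: flag sources probing TCP port 135 (RPC endpoint mapper).

Assumed log format (constructed, not a real product's):
    <ISO timestamp> <src ip> <dst ip> <proto> <dst port> <action>
Lines are assumed to be in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime

RPC_PORT = 135        # TCP 135 is used by the RPCSS endpoint mapper
WINDOW_SECONDS = 60   # sliding window length
THRESHOLD = 5         # hits within the window that trigger a flag

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
2003-09-11T10:00:01 203.0.113.7 192.0.2.10 TCP 135 DENY
2003-09-11T10:00:02 203.0.113.7 192.0.2.11 TCP 135 DENY
2003-09-11T10:00:02 203.0.113.7 192.0.2.12 TCP 135 DENY
2003-09-11T10:00:03 192.0.2.50 192.0.2.10 TCP 135 ALLOW
2003-09-11T10:00:03 203.0.113.7 192.0.2.13 TCP 135 DENY
2003-09-11T10:00:04 203.0.113.7 192.0.2.14 TCP 135 DENY
2003-09-11T10:00:05 198.51.100.9 192.0.2.10 TCP 80 ALLOW
2003-09-11T10:00:05 203.0.113.7 192.0.2.15 TCP 135 DENY
2003-09-11T10:05:00 192.0.2.50 192.0.2.11 TCP 135 ALLOW
"""


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, proto, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport), action


def find_rpc_scanners(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {source: peak hits in window} for sources at or above threshold."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, proto, dport, _action = parse_line(line)
        if proto != "TCP" or dport != RPC_PORT:
            continue              # only RPC endpoint mapper traffic matters here
        hits = recent[src]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:
            hits.popleft()        # drop timestamps that fell out of the window
        if len(hits) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(hits))
    return flagged
```

A single internal host making a couple of legitimate RPC connections minutes apart never reaches the threshold, while one source sweeping several hosts on port 135 within a minute is reported with its peak count.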
If the exploit works against fully patched Windows XP systems, the best defense against the attack is to turn off the service, if possible. Windows XP uses this service extensively and turning it off isn't a viable option in many situations. If the service can't be turned off, the use of firewalls or access
A patch was released to correct the "Buffer Overrun In RPCSS Service Could Allow Code Execution" (MS03-039) vulnerabilities, which involve the handling of RPC messages for DCOM activation. According to Microsoft, two of the flaws could allow arbitrary code execution, and the third could result in a denial of service. The flaws affect Windows NT 4/2000/XP/Server 2003 and result from incorrect handling of malformed messages.
Many security experts have speculated that the release of a worm using this code could come at any time. In August, the prolific Blaster worm ripped through networks worldwide by exploiting a similar RPC/DCOM vulnerability for which a patch had been released more than three weeks before.
This article also appeared on SearchSecurity.com.