Microsoft Windows COM Internet Service and RPC over HTTP denial of service
win-cis-rpc-http-dos (15709)
Description:
The COM Internet Service (CIS) and RPC over HTTP Proxy components in Microsoft Windows NT 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows 2000, Windows XP, and Windows 2003 are vulnerable to a denial of service. RPC over HTTP allows RPC traffic to be carried over TCP port 80, so that a client and server can communicate past the restrictions of most proxy servers and firewalls. COM Internet Services allows Distributed COM (DCOM) to use RPC over HTTP to communicate between DCOM clients and servers. The CIS and RPC over HTTP Proxy components may not properly validate message inputs. A remote attacker could send a specially crafted message to cause the CIS and RPC over HTTP Proxy components to stop responding. Internet Information Services must then be restarted manually to regain normal functionality.
Consequences:
Denial of Service
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS04-012, but it was superseded by the patch released with MS05-051.
For Microsoft Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS04-012, which was superseded by the patch released with MS05-051, and then superseded by the patch released with MS06-018.
For Windows XP and Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS04-012, but it was superseded by the patch released with MS05-012, which was superseded by the patch released with MS05-051.
For Windows NT 4.0:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-029. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS04-012, but it was superseded by the patch released with MS04-029.
References:
- CIAC Information Bulletin O-115: Microsoft Cumulative Update for RPC/DCOM.
- Internet Security Systems Security Alert, April 13, 2004: Multiple Vulnerabilities in Microsoft Products.
- Microsoft Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741).
- Microsoft Security Bulletin MS04-029: Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350).
- Microsoft Security Bulletin MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400).
- Microsoft Security Bulletin MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580).
- BID-10123: Microsoft Windows COM Internet Service/RPC Over HTTP Remote Denial Of Service Vulnerability
- CVE-2003-0807: Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
- SECTRACK ID: 1009762: Microsoft Windows COM Internet Services and RPC over HTTP Can Be Crashed By Remote Users
- US-CERT VU#698564: Microsoft CIS and RPC over HTTP Proxy components fail to properly handle responses
Platforms Affected:
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Server
- Microsoft Windows XP
Reported:
Apr 13, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
