
RPC hole 'worse than Code Red, Slammer'

By Carel Alberts, ITWeb contributor
Johannesburg, 04 Aug 2003

The international information security community warns that hacker code has already been posted to exploit the Microsoft RPC (Remote Procedure Call) vulnerability, affecting all recent versions of Windows. If administrators do not apply a patch, commentators say the aftermath could "make Code Red and Slammer look like child's play".

The critical Windows patch, available in different forms for the various versions of Windows, was issued over a week ago, but many systems may still be insecure. All NT-based Windows editions are affected, as are Windows 2000, Windows XP and Windows Server 2003.

"Code Red and Slammer did not do much damage on the local system; they concentrated on spreading themselves via the network," opines one security advisory list. "This time, a ... hacker could decide to wipe the system after it has infected 10 machines. With this exploit, it can gain access with system privileges, which represent the highest privilege on a Windows system."

RPC explained

The list describes RPC as a protocol used by Windows. It provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol is derived from the Open Software Foundation RPC protocol, but Microsoft has added specific extensions.

"There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. The vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker exploiting the vulnerability can run code with local system privileges on an affected system. The attacker can then install programs, view, change or delete data, or create new accounts with full privileges."

LSD's illumination

The discoverer of the vulnerability, the Last Stage of Delirium (LSD) group, says the vulnerability should be considered critical. It "may ... cause enormous harm even if exploited [with] primitive worm technologies".

The group says its members "were able to develop two fully-functional proof-of-concept [exploitation] codes, for Windows 2000/XP and Windows 2003 Server". It adds: "The attack may be performed unnoticed, without any abuse to the operation of the target system.

"Due to the enormous impact of this vulnerability, members of the group have decided not to publish codes or any technical details with regard to this vulnerability. However, the group is currently working on a more detailed technical description of the vulnerability and plans to release it to the community once its impact has been reduced through propagation of appropriate fixes," LSD says.
