Rule: -- Sid: 2252 -- Summary: This event is generated when an attempt is made to exploit a known vulnerablity in Microsoft RPCSS service for RPC. -- Impact: Denial of Service. Possible execution of arbitrary code leading to unauthorized remote administrative access. -- Detailed Information: A vulnerability exists in Microsoft RPCSS Service that handles RPC DCOM requests such that execution of arbitrary code or a Denial of Service condition can be issued against a host by sending malformed data via RPC. The Distributed Component Object Model (DCOM) handles DCOM requests sent by clients to a server using RPC. A malformed request to the host running the RPCSS service may result in a buffer overflow condition that will present the attacker with the opportunity to execute arbitrary code with the privileges of the local system account. Alternatively the attacker could also cause the RPC service to stop answering RPC requests and thus cause a Denial of Service condition to occur. -- Affected Systems: Windows NT 4.0 Workstation and Server Windows NT 4.0 Terminal Server Edition Windows 2000 Windows XP Windows Server 2003 -- Attack Scenarios: An attacker may make a DCERPC bind request followed by a malicious DCERPC DCOM remote activation request. -- Ease of Attack: Simple. Expoit code exists. -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Apply the appropriate vendor supplied patches. Block access to RPC ports 135, 139, 445 and 593 for both TCP and UDP protocols from external sources using a packet filtering firewall. Disallow the use of RPC over HTTP and HTTPS. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: Microsoft: http://www.microsoft.com/technet/security/bulletin/MS03-039.asp eEye: http://www.eeye.com/html/Research/Advisories/AD20030910.html --