Cve 2003 0352 Ms03026 Rpc Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

CVE-2003-0352, is a vulnerability uses Remote Procedure Calls, which is an integral component of Windows operating system. The RPC provides inter-process communication mechanism which allows programs on one computer to seamlessly execute code on remote systems. This Windows RPC was derived from Open Software Foundation (OSF) RPC with some additional Microsoft specific extensions.

The vulnerability uses this RPC protocol to exploit the remote system and gain access to execute miscellaneous code on the exploited machine. The particular vulnerability affects the Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled TCP ports, because of the result of the incorrect handling of malformed RPC messages packets exchanged over TCP/IP. This causes the interface handing DCOM object activation requests over RPC on the server to not function properly, allowing the attacker to run code Local System privileges on an affected system allowing the attacker to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.

How exploit works

The exploit uses the windows RPC to gain access on the target machine, windows does RPC using NetBIOS protocol. Window uses three ports for NetBIOS they are 135, 139 and 445, NetBIOS works using both TCP and UDP protocols over IP. The CVE-2003-0352 vulnerability only effects the TCP protocol when using RPC for initializing DCOM objects, causing a Buffer overflow and gaining access to the target computer. Buffer Overflow is to try to store more data in a buffer then its allocated memory, if the application fails to check the buffer and executes the code in the buffer this codes is executed at the application privileges by the operating system there by causing any miscellaneous code to be executed that had overflowed the buffer. In some cases a buffer overflow cusses application to crash not allowing any more of its services.

HRESULT CoGetInstanceFromFile(


CLSID * pclsid,

IUnknown * punkOuter,

DWORD dwClsCtx,

DWORD grfMode,

OLECHAR * szName,

ULONG cmq,

MULTI_QI * rgmqResults


Code CoGetInstanceFromFile Syntax

The exploit use "CoGetInstanceFromFile" method to do the buffer overflow and gain access. This is done by using the 'szName' parameter of the method which is the file name to initialize the DCOM object with.










Code Sample Function Call

When the files name is too long, it would cause a local buffer overflow. "GetPathForServer" method is used for getting the path of a file from the server but the function only supports a maximum file size of 0x220, this is what is used by the exploit to cause the overflow by gowning over the size. However if we use the windows provided API to cause it cannot be done as it check of the size before continuing any further, this prevents us for using this exploit locally. The exploit uses this function through RPC by constructing a malformed packet making the buffer overflow possible, because after the client transmits the parameters for the method to the server, it is translated as "\\servername\c$\1234561111111111111111111111111.doc". Here the server does not check the length of the 'szName' parameter and only check for the server name where it allocates the buffer of 0x20 only because, NetBIOS maximum name length there by allowing us to exploit.

Now we know where the buffer overflow is present and how it's being exploited. The exploit still needs to execute miscellaneous code on the server, this is done by using the "jump to register" technique allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets, which uses the JMP ESP jump. This is done by making the program to call "DbgPrint" method, because the JMP ESP is executed before calling this method. Then the overflow occurs the application throws the exception which is handled using the replace Structured Exception Handling (SHE), thereby calling "DbgPrint" method. The exploit changes the ESP register value before causing the exception there by redirecting the program execution to a known memory offset, in this case it's redirected to an offset where shell code is present and is executed. The shell code here in the exploit is to open a connection onto another system there by providing a remote terminal to the remote machine for executing commands.

The execution of the exploit can be divided into the following four stages

Establish a connection to NETBIOS port of the targeted system.

Send the malformed NetBIOS RPC request for the filename that is longer than 0x20 in length

When the operating system executes the code in overflow it opens a port on the request machine through which we can access the terminal.

Access and execute commands through the connected shell on the victims system.

Level of Impact

CVE-2003-0352 has a CVSS base score of 7.5 which puts it in a HIGH risk. The vulnerability has a high level of security threat on the effected system. The CVSS Base score is provided by CVE which is determined by CVSS (Common Vulnerability Scoring System) standards. Depending on this score each CVE is been divided into one of the three types HIGH (CVSS base score of range 7.0 to 10.0), MEDIUM (CVSS base score of range 4.0 to 6.9) and LOW (CVSS base score of range 0.0 to 3.9) (CERT).

And Microsoft has also stated the Maximum Severity Rating is critical, as the vulnerability has the ability to run the code of attacker's choice.

After Effects on the System

The vulnerability causes a huge effect on the system as it allows the attacker to execute any application as a local user which causes critical damage, as they might gain access to the user restricted files and services. If the attacker was able to obtain administrator privileges then he can completely take of the system causing data loss and other kinds of intellectual property damage. And also the effect of the vulnerability is on many Microsoft Windows Operating system version virus and warms use the victims systems to spread them self's over. Such the Blaster/MSblast/LovSAN and Nachi/Welchia worms which were able successfully used the exploit to spread and take over other systems.

Scale and scope of the vulnerability

We can say that the scale of spreading of the vulnerability is quite large as it efforts Microsoft Windows NT 4.0 / 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 which have the most share of operating system used. And the also with the use of the vulnerability the attacker is able to take maximum control of the victims computers creates a grate scope of using the vulnerability to exploit. The exploiting the vulnerability is also not that difficult as it is with others this also increase the scope of making using vulnerability by many people.

Remedial Action for prevention for getting exploited

To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine. For intranet environments, these ports would normally be accessible, but for Internet connected machines, these would normally be blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker would not require any additional privileges.

Best practices recommend blocking all TCP/IP ports that are not actually being used and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

And also to most important mitigate is to keep our system updated which helps protect from this vulnerability's. Depending on the system we are using it is really important to check the appropriate patch released by Microsoft Corporation. This patch will provide sufficient security to avoid buffer overflow.

As an alternative for any reason the system is not updated to patch then the system is vulnerable in order to protect it from attack it is necessary to disable DCOM services on the host. Even though it disable the ability of that system to communicate with other systems on the network it is important to protect from attack.


As we have seen from the above section how the exploit work we can say that the vulnerability possess a high level of threat for the exploited system. And also Microsoft has rated the vulnerability as critical because when exploited proves unrestricted to execute code with local privileges which might eventual escalate to the takeover of the hole system. In case of a network if the attacker was able to exploit the Primary Domain Controller (PDC), the attacker has the ability to take over the complete domain, create users or change their privileges causing a major security of the entire domain itself.