MS.Windows.Message.Queuing.RPC.Service.Code.Execution

Description

Microsoft Message Queuing or MSMQ is a Message Queue implementation developed by Microsoft and deployed in its Windows Server operating systems.
Cody Pierce and Aaron Portnoy of TippingPoint DVLabs discovered a vulnerability in MSMQ.
MSMQ fails to perform a boundary check when processing an argument for one of its functions. An attacker can exploit this vulnerability to overflow a buffer in the running process. With the exploit, the attacker can redirect the process to execute a malicious code segment and run various payloads, ranging from sensitive information retrieval to malicious application installation on the victim's machine. This vulnerability is published in the Common Vulnerabilities and Exposures list with ID CVE-2008-3479.
Microsoft has addressed this vulnerability in its security advisory http://technet.microsoft.com/en-us/security/bulletin/ms08-065.
This indicates an attempt to exploit a remote unauthenticated vulnerability in the Microsoft Message Queuing RPC service.
The vulnerability is caused by an error that occurs when the vulnerable service handles a malicious RPC request. It allows a remote attacker to execute arbitrary code in the context of the service.

Affected Products

Microsoft Windows 2000 Service Pack 4

Impact

The vulnerable system can be compromised and is at risk of arbitrary code execution.

Recommended Actions

Apply Patches:
Download and install patches as instructed in
http://www.microsoft.com/technet/security/Bulletin/MS08-065.mspx
Workaround:
I. Block the following at the perimeter firewall
* All unsolicited inbound traffic on ports greater than 1024
* Any other specifically configured RPC port
II. Disable the Message Queuing Service
* Interactively:
Disabling the Message Queuing service will help protect the affected system from attempts to exploit this vulnerability. To disable the Message Queuing service, follow these steps:
1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.
3. Double-click Services.
4. Double-click Message Queuing.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.
* By Group Policy:
Disable the Message Queuing service by using the Group Policy settings. You can disable the startup of this service at either the local, site, domain, or organizational-unit level by using Group Policy object functionality in Microsoft Windows 2000 domain environments or in Windows Server 2003 domain environments.
You can also stop and disable the MSMQ service by using the following command at the command prompt (available in Windows XP and in the Microsoft Windows 2000 Resource Kit):
sc stop MSMQ & sc config MSMQ start= disabled
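The command above joins its two steps with `&`, so the second runs even if the first fails, and `sc stop` returns before the service has finished stopping. The batch file below is an added example, not part of the original advisory, that confirms both halves of the workaround took effect; it assumes an English-language `sc.exe` that sets its exit code to the Win32 error (1060 when the service does not exist), and the exit codes it returns are chosen for this example.

```batch
@echo off
rem Added example: verify the MSMQ workaround, i.e. service stopped AND disabled.
rem Exit codes chosen for this example:
rem   0 = workaround in place, or MSMQ is not installed
rem   1 = MSMQ is still running or is still able to start
setlocal
set RC=0

rem Assumption: sc.exe returns Win32 error 1060 when the service does not exist.
sc query MSMQ >nul 2>&1
if %errorlevel%==1060 (
    echo MSMQ service is not installed on this host.
    exit /b 0
)

rem "sc stop" only requests the stop, so check the reported STATE afterwards.
sc query MSMQ | find "STATE" | find "STOPPED" >nul
if errorlevel 1 (
    echo FAIL: MSMQ is not in the STOPPED state.
    set RC=1
) else (
    echo OK: MSMQ is stopped.
)

rem A stopped service can be started again unless START_TYPE is DISABLED.
sc qc MSMQ | find "START_TYPE" | find "DISABLED" >nul
if errorlevel 1 (
    echo FAIL: MSMQ start type is not DISABLED.
    set RC=1
) else (
    echo OK: MSMQ start type is disabled.
)

endlocal & exit /b %RC%
```

Run it again a few seconds later if the first check fails, since a service in the STOP_PENDING state will not yet report STOPPED.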
For FortiGate IPS users, turning on the MS.Windows.Message.Queuing.RPC.Service.Code.Execution IPS signature can prevent exploitation of this vulnerability.

Coverage

IPS (Regular DB)
IPS (Extended DB)