31st Jan 2003 [SBWID-5959]
COMMAND
	RPC Locator Buffer Overflow
SYSTEMS AFFECTED
	Windows 2000/XP/NT
PROBLEM
	From David Litchfield's [[email protected]] advisory [#NISR29012003]
	for NGSSoftware Insight Security Research:
	
	 http://www.ngssoftware.com/rpclocator.html
	
	--snip--
	When searching for RPC Services on the network a Windows RPC client
	will connect to the domain controller over TCP port 139/445 (the SMB
	ports) and search for services/servers through the "locator" named
	pipe. An attacker can overflow a stack based buffer in the Locator
	service process by searching for an overly long string for an entry
	name to use in looking for binding handles. This problem arises due to
	an unsafe call to wcscpy().
	--snap--
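	The unsafe-copy pattern the advisory describes, shown beside a bounds-checked form, as an added C example (not code from the advisory or from the Locator service; the buffer size ENTRY_NAME_MAX, the function names and the constructed inputs are assumptions):

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Assumed size of the fixed stack buffer that receives the entry name;
 * the advisory does not give the real Locator service's buffer size. */
#define ENTRY_NAME_MAX 64

/* Bounded length: number of characters before NUL, capped at max. */
static size_t bounded_wlen(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* Vulnerable pattern from the advisory: a caller-supplied entry name is
 * wcscpy()'d into a fixed-size stack buffer with no length check, so a
 * name of ENTRY_NAME_MAX or more characters writes past the buffer. */
static int lookup_entry_unsafe(const wchar_t *entry_name)
{
    wchar_t name[ENTRY_NAME_MAX];
    wcscpy(name, entry_name);   /* unbounded copy: the overflow */
    return (int)wcslen(name);
}

/* Hardened form: measure with a bound first, reject anything that does
 * not fit together with its terminator, then copy exactly that much. */
static int lookup_entry_safe(const wchar_t *entry_name)
{
    wchar_t name[ENTRY_NAME_MAX];
    size_t len = bounded_wlen(entry_name, ENTRY_NAME_MAX);
    if (len >= ENTRY_NAME_MAX)
        return -1;              /* too long: refuse instead of overflowing */
    memcpy(name, entry_name, (len + 1) * sizeof(wchar_t));
    return (int)len;
}

/* Constructed oversized input (200 wide chars) fed only to the safe path. */
static int long_name_is_rejected(void)
{
    wchar_t big[201];
    for (size_t i = 0; i < 200; i++)
        big[i] = L'A';
    big[200] = L'\0';
    return lookup_entry_safe(big) == -1;
}
```

	The boundary is the terminator: a 63-character name still fits the assumed 64-slot buffer, a 64-character one is refused rather than copied.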
SOLUTION
	Microsoft released the patch to resolve this issue last week.
	
	http://www.microsoft.com/security/security_bulletins/ms03-001.asp
	
	NGSSoftware have written a free command line scanner to locate
	Microsoft computers running the RPC Locator service on the network.
	This may be downloaded from the NGSSite. [Please note that this scanner
	does not test for the actual vulnerability, but rather helps locate
	those machines most at risk. Although sample exploit code has been
	provided to the vendor, due to the recent events of last weekend,
	NGSSoftware are loath to publish this publicly at this juncture -
	however we may after a grace period.]
	
	http://www.ngssoftware.com/rpclocator.html
	
	A check for this issue is already in Typhon, NGSSoftware's advanced
	vulnerability assessment scanner, of which more information is
	available from the NGSSite, http://www.ngssoftware.com.