SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#261537

Microsoft Windows RPC service vulnerable to DoS via NULL pointer dereference

Overview

The RPC service in Microsoft Windows NT 4.0, 2000, and XP can be terminated by a specially crafted RPC message. A remote attacker could cause a denial of service.

I. Description

According to Microsoft Security Bulletin MS03-010, "Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system."

A vulnerability exists in a part of the RPC service called the RPC Endpoint Mapper. The RPC Endpoint Mapper listens for network requests (135/tcp), provides clients with port numbers for RPC services, and maintains information about RPC connections. According to a report from Immunity Security, vulnerable code in the RPC Endpoint Mapper dereferences a NULL pointer when processing a malformed RPC message.

II. Impact

An unauthenticated, remote attacker could cause the RPC Endpoint Mapper to terminate, denying service to legitimate users. Since the RPC Endpoint Mapper is part of the RPC service, "...exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions."

Once the RPC service has been terminated, an attacker may be able to take control over an orphaned named pipe and gain the privileges of the RPC service (Local System).

III. Solution

Apply Patch

Apply the appropriate patch (Q331953) as specified in MS03-010. Microsoft notes that a patch will not be produced for Windows NT 4.0 or Windows NT 4.0 Terminal Server Edition.
The patches may cause local COM calls to fail, which could affect ASP/COM+ applications. See Microsoft Knowledgebase Article 814119 for more information.

Block or Restrict Access

Block or restrict access to the RPC Endpoint Mapper service (135/tcp) from untrusted networks such as the Internet.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable26-Mar-2003

References


http://www.immunitysec.com/vulnerabilities/Immunity_svchost_DoS.txt
http://www.securityfocus.com/bid/6005
http://www.securityfocus.com/bid/6769
http://www.securityfocus.com/archive/1/296114
http://www.microsoft.com/technet/security/bulletin/MS03-010.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;331953
http://support.microsoft.com/?kbid=814119
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/how_rpc_works.asp

Credit

This vulnerability was publicly reported by Dave Aitel of Immunity Security.

This document was written by Art A Manion.

Other Information

Date Public:2002-10-18
Date First Published:2003-03-26
Date Last Updated:2003-06-04
CERT Advisory: 
CVE-ID(s):CAN-2002-1561
NVD-ID(s):CAN-2002-1561
US-CERT Technical Alerts: 
Metric:23.69
Document Revision:22

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader