[NT] Malformed Request to RPC Endpoint Mapper Causes RPC Service to Fail

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Malformed Request to RPC Endpoint Mapper Causes RPC Service to Fail
Message-Id: <20010913215720.AB9B0138BF@mail.der-keiler.de>
Date: Thu, 13 Sep 2001 23:57:20 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Malformed Request to RPC Endpoint Mapper Causes RPC Service to Fail
------------------------------------------------------------------------

SUMMARY

The RPC endpoint mapper allows RPC clients to determine the port number
currently assigned to a particular RPC service. The Windows NT 4.0
endpoint mapper contains a flaw that causes it to fail upon receipt of a
request that contains a particular type of malformed data.

Because the endpoint mapper runs within the RPC service itself, exploiting
this vulnerability would cause the RPC service itself to fail, with the
attendant loss of any RPC-based services the server offers, as well as
potential loss of some COM functions. Normal service could be restored by
rebooting the server.

DETAILS

Vulnerable systems:
 * Microsoft Windows NT 4.0

Mitigating factors:
 * Standard security recommendations call for port 135 - the port on which
the RPC endpoint mapper operates - to be blocked at the firewall. If this
were done, Internet-based attackers would not be able to exploit this
vulnerability.

Patch availability:
Download locations for this patch
 * Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT 4.0
Server, Enterprise Edition:
 <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32503>
 * Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully
exploited it would be able to prevent an affected server from providing
useful service to users in some cases.

If a firewall that follows normal practices is in place, the chief threat
posed by this vulnerability would be from internal attacks. Normal service
could be restored by rebooting the system.

What causes the vulnerability?
The vulnerability results because the Windows NT 4.0 RPC service will fail
if the endpoint mapper is sent a request that contains a particular type
of malformed data.

What is RPC?
RPC (Remote Procedure Call) is a technology that is used extensively to
support distributed applications -- that is, applications whose various
components are located on different computers. The primary purpose of RPC
is to provide a way for the components to communicate with each other.
This allows the components to levy requests on each other and communicate
the results of these requests.

What's the RPC endpoint mapper?
Every RPC service that uses an IP-based protocol uses a TCP or UDP port to
communicate with its clients. However, in most cases, ports are assigned
to RPC services dynamically. As a result, an RPC service that is available
on two different machines may use a different port on each. Likewise, an
RPC service on a single machine may use a different port every time the
machine is rebooted. There has to be a way for clients to find the right
port for a particular RPC service on a particular machine.

This is what the RPC endpoint mapper service does. Before starting a
session with an RPC service, a client first consults the endpoint mapper
service on the server to determine the port over which the service
currently operates. It then begins communicating directly with the
service.

What is wrong with the RPC endpoint mapper?
If a query to the Windows NT 4.0 RPC endpoint mapper service contains a
particular type of malformed data, the service will fail. Because the
endpoint mapper runs as part of the RPC service, this would cause the
entire RPC service to fail.

What could an attacker use this vulnerability to do?
An attacker could use this vulnerability to prevent a server from offering
any RPC-based services.

What are some examples of services that might be affected by an attack?
In general, any service that operates over RPC would be disrupted by such
an attack. Products like Exchange and SQL Server offer their primary
services via RPC, so such an attack would make them unavailable. On the
other hand, IIS only offers management functions via RPC, so it would
continue offering web services even after such an attack.

Who could exploit this vulnerability?
Any user who could send data to port 135 - the port on which the endpoint
mapper runs - could potentially exploit the vulnerability.

Could an attacker exploit this vulnerability from the Internet?
Standard firewalling practices strongly recommend that port 135 be
blocked. If this has been done, an Internet-based attacker could not
exploit the vulnerability.
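The mitigation above (and under "Mitigating factors") is to block TCP port 135 at the firewall. The following script is an added example, not part of the advisory or any Microsoft tool: run from outside the firewall, it reports whether the endpoint mapper port on each listed host is still reachable. The host list and the self_check() helper are constructed for illustration.

```python
import socket
from contextlib import closing

# TCP port on which the RPC endpoint mapper listens (stated in the advisory).
ENDPOINT_MAPPER_PORT = 135


def port_reachable(host: str, port: int = ENDPOINT_MAPPER_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Run from the Internet side of the firewall: True for port 135 means the
    endpoint mapper is exposed and the advisory's mitigation is not in place.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # timeout, refused, unreachable, etc.
            return False


def audit(hosts, port: int = ENDPOINT_MAPPER_PORT, timeout: float = 2.0) -> dict:
    """Map each host to whether its endpoint mapper port is reachable."""
    return {h: port_reachable(h, port, timeout) for h in hosts}


def self_check():
    """Offline demonstration on a local listener (constructed, not a real server):
    the check reports the port reachable while the listener is open and
    unreachable once it is closed, which is what a blocked port looks like."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, stands in for 135
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = port_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Assumed host list for illustration; substitute your own external addresses.
    print(self_check())
    print(audit(["192.0.2.10", "192.0.2.11"]))
```

A host that answers True on port 135 from the Internet is one on which the advisory's "Internet-based attacker could not exploit" statement does not hold.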

If an attacker did exploit the vulnerability, what would be needed to
restore normal service?
The administrator would need to reboot the server.

I have a Windows NT 4.0 workstation. Should I apply the patch?
Unless you are offering RPC-based services via the workstation (which is
rarely the case), you would not need to apply the patch.

I have a Windows NT 4.0 server. Should I apply the patch?
If you are not offering any RPC-based services via the server, you do not
need the patch. However, if your server does offer RPC-based services, you
should apply the patch.

Is Windows 2000 affected by the vulnerability?
No. Customers using Windows 2000 do not need to take any action.

Is Windows XP affected by the vulnerability?
No. Customers using Windows XP do not need to take any action.

What does the patch do?
The patch eliminates the vulnerability by causing the Windows NT 4.0
endpoint mapper to reject requests containing the malformation at issue
here.

ADDITIONAL INFORMATION

The information has been provided by <mailto:secnotif@MICROSOFT.COM>
Microsoft Product Security.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
