[NT] Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks

From: support@securiteam.com
Date: 03/26/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 26 Mar 2003 21:33:07 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks
    ------------------------------------------------------------------------

    SUMMARY

    Remote Procedure Call (RPC) is a protocol used by the Windows operating
    system. RPC provides an inter-process communication mechanism that allows
    a program running on one computer to seamlessly execute code on a remote
    system. The protocol itself is derived from the OSF (Open Software
    Foundation) DCE RPC protocol, with the addition of some Microsoft-specific
    extensions.

    There is a vulnerability in the part of RPC that deals with message
    exchange over TCP/IP. The failure results because of incorrect handling of
    malformed messages. This particular vulnerability affects the RPC Endpoint
    Mapper process, which listens on TCP/IP port 135. The RPC endpoint mapper
    allows RPC clients to determine the port number currently assigned to a
    particular RPC service.

    To exploit this vulnerability, an attacker would need to establish a
    TCP/IP connection to the Endpoint Mapper process on a remote machine. Once
    the connection was established, the attacker would begin the RPC
    connection negotiation before transmitting a malformed message. At this
    point, the process on the remote machine would fail. The RPC Endpoint
    Mapper process is responsible for maintaining the connection information
    for all of the processes on that machine using RPC. Because the Endpoint
    Mapper runs within the RPC service itself, exploiting this vulnerability
    would cause the RPC service to fail, with the attendant loss of any
    RPC-based services the server offers, as well as potential loss of some
    COM functions.

    Microsoft has provided patches with this bulletin to correct this
    vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is
    affected by this vulnerability, Microsoft is unable to provide a patch for
    this vulnerability for Windows NT 4.0. The architectural limitations of
    Windows NT 4.0 do not support the changes that would be required to remove
    this vulnerability. Windows NT 4.0 users are strongly encouraged to employ
    the workaround discussed in the FAQ below, which is to protect the NT 4.0
    system with a firewall that blocks Port 135.

    DETAILS

    Affected Software:
     * Microsoft Windows NT 4
     * Microsoft Windows 2000
     * Microsoft Windows XP

    Mitigating factors:
     * To exploit this vulnerability, the attacker would require the ability
    to connect to the Endpoint Mapper running on the target machine. For
    intranet environments, the Endpoint Mapper would normally be accessible,
    but for Internet connected machines, the port used by the Endpoint Mapper
    would normally be blocked by a firewall. In the case where this port is
    not blocked, or in an intranet configuration, the attacker would not
    require any additional privileges.

     * Best practices recommend blocking all TCP/IP ports that are not
    actually being used. For this reason, most machines attached to the
    Internet should have port 135 blocked. RPC over TCP is not intended to be
    used in hostile environments such as the Internet. More robust protocols
    such as RPC over HTTP are provided for hostile environments. To learn more
    about securing RPC for client and server, please refer to
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp
    To learn more about the ports used by RPC, please refer to
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

     * This vulnerability only permits a denial of service attack and does not
    provide an attacker with the ability to modify or retrieve data on the
    remote machine.

    Patch availability:
    Download locations for this patch:
     * Microsoft Windows 2000
       * All except Japanese NEC:
         http://microsoft.com/downloads/details.aspx?FamilyId=BD55EB38-A5DE-4810-90F7-097C5B4B9919&displaylang=en
       * Japanese NEC:
         http://microsoft.com/downloads/details.aspx?FamilyId=3F7DC0DA-A684-43A8-B2E3-1EEDEEDC822C&displaylang=ja

     * Windows XP
       * 32-bit Edition:
         http://microsoft.com/downloads/details.aspx?FamilyId=94213569-3258-4439-9AE7-5D86813B4D9E&displaylang=en
       * 64-bit Edition:
         http://microsoft.com/downloads/details.aspx?FamilyId=E3FB88CF-FA48-4426-A4F8-D18D8D4D2295&displaylang=en

    If Windows NT 4.0 is listed as an affected product, why is Microsoft not
    issuing a patch for it?
    During the development of Windows 2000, significant enhancements were made
    to the underlying architecture of RPC. In some areas, these changes
    involved making fundamental changes to the way the RPC server software was
    built. The Windows NT 4.0 architecture is much less robust than the more
    recent Windows 2000 architecture. Due to these fundamental differences
    between Windows NT 4.0 and Windows 2000 and its successors, it is
    infeasible to rebuild the software for Windows NT 4.0 to eliminate the
    vulnerability. To do so would require re-architecting a very significant
    amount of the Windows NT 4.0 operating system, and not just the RPC
    component affected. The product of such a re-architecture effort would be
    sufficiently incompatible with Windows NT 4.0 that there would be no
    assurance that applications designed to run on Windows NT 4.0 would
    continue to operate on the patched system.

    Microsoft strongly recommends that customers still using Windows NT 4.0
    protect those systems by placing them behind a firewall that is filtering
    traffic on Port 135. Such a firewall will block attacks attempting to
    exploit this vulnerability, as discussed in the workarounds section below.

    Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?
    Microsoft has extensively investigated an engineering solution for NT 4.0
    and found that the Windows NT 4.0 architecture will not support a fix to
    this issue, now or in the future.

    What's the scope of this vulnerability?
    This is a denial of service vulnerability. An attacker who successfully
    exploited this vulnerability could cause a remote computer to fail.
    However, the attacker could not modify or retrieve data or execute code of
    his or her choice on the remote machine.

    To carry out such an attack, an attacker would require the ability to make
    a TCP/IP connection to the Endpoint Mapper running on the target machine.
    Once a TCP connection had been made, the attacker could send a malformed
    message to the RPC service and thereby cause the target machine to fail.

    The best defense against remote RPC attacks from the Internet is to
    configure the firewall to block port 135. RPC over TCP is not intended to
    be used across hostile environments such as the Internet.

    What causes the vulnerability?
    The vulnerability results because the Windows RPC Endpoint Mapper does not
    properly check message inputs under certain circumstances. If an attacker
    were to send a certain type of malformed RPC message after RPC established
    a connection that could cause the RPC Endpoint Mapper process on the
    remote machine to fail. This process is responsible for maintaining the
    connection information of all the processes on that machine using RPC.
    Because the endpoint mapper runs within the RPC service itself, exploiting
    this vulnerability would cause the RPC service itself to fail, with the
    attendant loss of any RPC-based services the server offers, as well as
    potential loss of some COM functions.

    What is RPC (Remote Procedure Call)?
    Remote Procedure Call (RPC) is a protocol that a program can use to
    request a service from a program located on another computer in a network.
    RPC helps with interoperability because the program using RPC does not
    have to understand the network protocols that are supporting
    communication. In RPC, the requesting program is the client and the
    service-providing program is the server.

    What is the RPC endpoint mapper?
    The RPC endpoint mapper allows RPC clients to determine the port number
    currently assigned to a particular RPC service. An endpoint is a protocol
    port or named pipe on which the server application listens to for client
    remote procedure calls. Client/server applications can use either
    well-known or dynamic ports.

    What's wrong with Microsoft's implementation of Remote Procedure Call
    (RPC)?
    There is a flaw in the part of RPC that deals with message exchange over
    TCP/IP. A failure results because of incorrect handling of malformed
    messages. This particular failure affects the RPC Endpoint Mapper process,
    which listens on TCP/IP port 135. The RPC Endpoint Mapper allows RPC
    clients to determine the port number currently assigned to a particular
    RPC service. By sending a malformed RPC message, an attacker could cause
    the RPC service on a machine to fail.

    What could this vulnerability enable an attacker to do?
    This vulnerability could enable an attacker who could send RPC messages to
    the RPC Endpoint Mapper process on a server to launch a denial of service
    attack. Even though an attacker could cause machines to fail, it would not
    be possible to modify or retrieve data or execute code.

    How could an attacker exploit this vulnerability?
    An attacker could seek to exploit this vulnerability by programming a
    machine that could communicate with a vulnerable server over TCP port 135
    to send a specific kind of malformed RPC message. Receipt of such a
    message could cause the RPC service on the vulnerable machine to fail.

    What does the patch do?
    The patch eliminates the vulnerability by correctly verifying the format
    of messages that are received via TCP/IP. This verification permits the
    RPC Endpoint Mapper to reject malformed messages.
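
    The following is an added illustration for this bulletin; it is not
    Microsoft's code and not the patch. It builds the connection-oriented
    DCE RPC bind PDU that a client sends first on a fresh TCP 135 connection
    (the "connection negotiation" described above), then shows the class of
    check the patch text refers to: every length-bearing header field is
    cross-checked against the bytes actually received before anything is
    indexed by it. The Endpoint Mapper and NDR UUIDs are the well-known ones
    from the DCE RPC specification; the malformed samples in demo() are
    constructed for the demonstration and are not the message that crashed
    the unpatched service.

```python
import struct
import uuid

# Well-known identifiers from the DCE RPC / MS-RPCE specifications.
EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")   # Endpoint Mapper interface, v3.0
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2.0

RPC_VERS = 5
PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_FAULT = 0, 2, 3
PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
KNOWN_PTYPES = {PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_FAULT,
                PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK}
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
DREP_LE_ASCII = b"\x10\x00\x00\x00"   # little-endian integers, ASCII characters, IEEE floats
HDR_LEN = 16
HDR_FMT = "<BBBB4sHHI"  # vers, vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
SEC_TRAILER_LEN = 8     # fixed auth verifier that precedes the auth_length bytes of auth_value


def build_bind(call_id=1, iface=EPM_IFACE, iface_ver=(3, 0), max_frag=5840):
    """Single-fragment bind PDU offering one presentation context:
    the given interface (EPM by default) over the NDR 2.0 transfer syntax."""
    ctx = struct.pack("<HBB", 0, 1, 0)                       # p_cont_id, n_transfer_syn, reserved
    ctx += iface.bytes_le + struct.pack("<HH", *iface_ver)   # abstract syntax: UUID + major/minor
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)    # transfer syntax: NDR 2.0
    body = struct.pack("<HHIBBH", max_frag, max_frag, 0, 1, 0, 0) + ctx
    #                   max_xmit_frag, max_recv_frag, assoc_group_id, n_context_elem, reserved x2
    frag_length = HDR_LEN + len(body)
    hdr = struct.pack(HDR_FMT, RPC_VERS, 0, PTYPE_BIND, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                      DREP_LE_ASCII, frag_length, 0, call_id)
    return hdr + body


class MalformedPdu(ValueError):
    """Raised for any PDU whose header does not agree with the bytes received."""


def validate_header(data):
    """Parse the 16-byte common header and check each length field against
    what actually arrived. Returns the parsed fields or raises MalformedPdu.
    A receiver that indexes its buffer by frag_length or auth_length without
    these checks is trusting attacker-chosen lengths."""
    if len(data) < HDR_LEN:
        raise MalformedPdu("short PDU: %d bytes, need %d for the header" % (len(data), HDR_LEN))
    vers, vers_minor, ptype, flags, drep, frag_length, auth_length, call_id = \
        struct.unpack(HDR_FMT, data[:HDR_LEN])
    if vers != RPC_VERS or vers_minor not in (0, 1):
        raise MalformedPdu("unsupported RPC version %d.%d" % (vers, vers_minor))
    if ptype not in KNOWN_PTYPES:
        raise MalformedPdu("unknown ptype %d" % ptype)
    if drep[0] >> 4 != 1:
        raise MalformedPdu("only little-endian integer representation handled here")
    if frag_length < HDR_LEN:
        raise MalformedPdu("frag_length %d is smaller than the header itself" % frag_length)
    if frag_length > len(data):
        raise MalformedPdu("frag_length %d but only %d bytes received" % (frag_length, len(data)))
    if auth_length and auth_length + SEC_TRAILER_LEN > frag_length - HDR_LEN:
        raise MalformedPdu("auth_length %d does not fit inside the fragment" % auth_length)
    return {"ptype": ptype, "flags": flags, "frag_length": frag_length,
            "auth_length": auth_length, "call_id": call_id}


def demo():
    """Validate a well-formed bind and three constructed malformed variants
    (demo inputs only; not the message from the advisory)."""
    good = build_bind()
    results = {"well_formed": validate_header(good)["ptype"] == PTYPE_BIND}
    variants = {
        "oversized": good[:8] + struct.pack("<H", 0xFFFF) + good[10:],  # frag_length claims 64 KiB
        "truncated": good[:HDR_LEN + 4],                                  # header promises 72 bytes, 20 arrive
        "bad_auth":  good[:10] + struct.pack("<H", 200) + good[12:],     # auth_length larger than the body
    }
    for name, pdu in variants.items():
        try:
            validate_header(pdu)
            results[name] = "accepted"
        except MalformedPdu as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-12s %s" % (name, outcome))
```

    The same checks apply to every PDU on the connection, not only the
    bind: frag_length and auth_length are read from the wire on each
    fragment and must be bounded by the bytes in hand before the body is
    parsed.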

    Workarounds
    I'm unable to install the patch for this vulnerability immediately. Is
    there anything I can do to protect myself from attempts to exploit this
    vulnerability?

    Microsoft recommends the following workarounds:

     * Block Port 135 at your firewall. Port 135 is used to initiate an RPC
    connection with the RPC Endpoint Mapper service. Blocking Port 135 at the
    firewall will prevent systems behind that firewall from being attacked by
    attempts to exploit this vulnerability. However to ensure that those
    systems cannot be attacked by systems behind the firewall, you should
    still consider applying the patch.

     * Internet Connection Firewall. If you are using the Internet Connection
    Firewall in Windows XP to protect your Internet connection, it will by
    default block inbound RPC traffic.
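
    The following is an added helper, not part of Microsoft's bulletin, for
    confirming the first workaround from the untrusted side rather than
    assuming it: it classifies a host:port the way a scanner does, so a list
    of hosts that should be protected can be checked for an Endpoint Mapper
    that still answers. The host list and the loopback self-check are
    assumptions for the demonstration; run probe_tcp or epm_exposed from
    outside the firewall against your own hosts.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Return 'open' (handshake completed), 'closed' (RST received) or
    'filtered' (no answer or unreachable, i.e. what a blocking firewall
    should produce for port 135)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # includes socket.timeout and host/network unreachable
        return "filtered"
    finally:
        s.close()


def epm_exposed(hosts, port=135):
    """Return the hosts on which the Endpoint Mapper port completes a TCP
    handshake; anything listed here is reachable by the attack the
    advisory describes."""
    return [h for h in hosts if probe_tcp(h, port) == "open"]


def self_check():
    """Offline demonstration on loopback (constructed, not a real target):
    a listener on an ephemeral port reads as 'open' while up and 'closed'
    once torn down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_up = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_down = probe_tcp("127.0.0.1", port, timeout=1.0)
    return {"port": port, "while_up": while_up, "after_down": after_down}


if __name__ == "__main__":
    print(self_check())
    # Example usage against hosts that should be behind the firewall
    # (hostnames are placeholders): print(epm_exposed(["host-a", "host-b"]))
```

    A 'filtered' result for port 135 is the expected outcome behind the
    firewall; 'closed' means the packet reached the host and the RPC
    service itself answered with a reset, which is not the workaround
    the bulletin calls for.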

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:0_46013_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

