
adv_DCE-RPC_DoS.txt
Posted Aug 5, 2001
Site razor.bindview.com

Bindview Advisory - Many DCE/RPC servers don't do proper parameter validation and can be crashed by sending an improperly formatted request. Affected systems include W2K SCM, NT4 LSA, NT4 Endpoint mapper, W2K Endpoint mapper, SQL Server 7, W2K's DHCP Server, W2K's IIS Server, Exchange 5.5 SP3 (STORE.exe and MAD.exe), NT4 Spooler, W2K License Srv, and NT4 License Srv. Microsoft's bulletin on this issue is MS01-041, linked in the references below.

tags | denial of service
SHA-256 | 5e096213ca28870ef36905370680122f6491ef0eb55cc4941841a9ce21274fe7

Multiple Remote DoS vulnerabilities in DCE/RPC daemons

Issue Date: July 30, 2001
Contact: Todd Sabin

Topic:

Many DCE/RPC servers are vulnerable to remote DoS attacks

Overview:

Many DCE/RPC servers don't do proper parameter validation, and can be
crashed by sending an improperly formatted request.

Affected Systems:

At least the following services are known to be affected. More servers
are likely to be vulnerable. For a complete list of what Microsoft has
patched, see their security bulletin mentioned below.

W2K SCM (services.exe)
NT4 SCM (services.exe)
NT4 LSA (lsass.exe)
NT4 Endpoint mapper (Rpcss.exe)
W2K Endpoint mapper (svchost.exe; fixed by MS00-066)
SQL Server 7 (sqlservr.exe)
W2K's DHCP Server
W2K's IIS Server (inetinfo.exe)
Exchange 5.5 SP3 (STORE.exe)
Exchange 5.5 SP3 (MAD.exe)
NT4 Spooler (spoolss.exe)
W2K License Srv (llssrv.exe)
NT4 License Srv (llssrv.exe)

Impact:

An unauthenticated remote attacker that can talk to the endpoint on
which the server is listening can crash the server. In some cases, the
servers may either restart themselves, or be restarted by the OS.

Details:

By sending successively larger requests containing nothing but nulls to
every operation on every interface a DCE/RPC server supports, it is often
possible to find a particular request that crashes the server. It is not
technically necessary to run through every possible request to crash a
given server: each server has a particular request (or requests) that
crashes it, and once that request has been found by grinding through the
possibilities, only that request is needed to crash the server.

The exact endpoints on which a server listens vary from service to
service. Many listen on named pipes, which are accessible via TCP port
139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on
both TCP and UDP ports above 1024. Services that do not listen on named
pipes can usually be enumerated via the endpoint mapper using rpcdump,
which comes with the NT resource kit; a free version is also available on
the RAZOR web site in the rpctools package.

If COM Internet Services has been installed and enabled, then these
attacks may be possible over port 80, as well. This is not a default
configuration, however.
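As an added illustration that is not part of the Bindview advisory, the following Python shows the two defensive sides of the issue described above: a request-PDU parser that checks its length fields before trusting them (the validation the affected servers lacked), and a monitor that flags a client sending a growing series of all-null stubs to one opnum. The header layout is the DCE 1.1 connection-oriented PDU format; the client addresses, the hit threshold and the sample PDUs are constructed for the example.

```python
import struct
from collections import defaultdict

# DCE/RPC connection-oriented PDU layout (DCE 1.1): 16-byte common header, 8-byte request header, stub.
COMMON_HDR = struct.Struct("<BBBB4sHHI")  # ver, minor, ptype, flags, drep, frag_len, auth_len, call_id
REQ_HDR = struct.Struct("<IHH")           # alloc_hint, p_cont_id, opnum
PTYPE_REQUEST = 0

def parse_request(pdu: bytes) -> dict:
    """Parse a request PDU, trusting no length field until it has been checked."""
    if len(pdu) < COMMON_HDR.size + REQ_HDR.size:
        raise ValueError("truncated PDU")
    ver, _minor, ptype, _flags, _drep, frag_len, auth_len, call_id = COMMON_HDR.unpack_from(pdu, 0)
    if ver != 5 or ptype != PTYPE_REQUEST:
        raise ValueError("not a v5 request PDU")
    if frag_len != len(pdu):
        raise ValueError("frag_length %d != actual %d" % (frag_len, len(pdu)))
    trailer = auth_len + 8 if auth_len else 0   # 8-byte sec_trailer precedes auth_value
    if trailer > frag_len - COMMON_HDR.size - REQ_HDR.size:
        raise ValueError("auth trailer exceeds body")
    _alloc_hint, ctx_id, opnum = REQ_HDR.unpack_from(pdu, COMMON_HDR.size)
    stub = pdu[COMMON_HDR.size + REQ_HDR.size: frag_len - trailer]
    return {"call_id": call_id, "ctx_id": ctx_id, "opnum": opnum, "stub": stub}

def build_request(call_id: int, ctx_id: int, opnum: int, stub: bytes) -> bytes:
    """Encode a request PDU (used here only to construct sample traffic)."""
    frag_len = COMMON_HDR.size + REQ_HDR.size + len(stub)
    hdr = COMMON_HDR.pack(5, 0, PTYPE_REQUEST, 0x03, b"\x10\x00\x00\x00", frag_len, 0, call_id)
    return hdr + REQ_HDR.pack(len(stub), ctx_id, opnum) + stub

class NullStubDetector:
    """Flags a client sending a strictly growing series of all-zero stubs to one opnum.
    min_hits is a constructed threshold, not a value from the advisory."""
    def __init__(self, min_hits: int = 3):
        self.sizes = defaultdict(list)  # (client, ctx_id, opnum) -> stub sizes seen
        self.min_hits = min_hits

    def observe(self, client: str, pdu: bytes):
        try:
            req = parse_request(pdu)
        except ValueError as exc:
            return "malformed: %s" % exc     # a server should reject, not crash, here
        stub = req["stub"]
        if not stub or any(stub):           # empty, or carries real parameter data
            return None
        sizes = self.sizes[(client, req["ctx_id"], req["opnum"])]
        sizes.append(len(stub))
        if len(sizes) >= self.min_hits and sizes == sorted(set(sizes)):
            return "probe: %d escalating null stubs to opnum %d" % (len(sizes), req["opnum"])
        return None
```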

Workarounds:

Firewall off as much as possible.

Recommendations:

Install the appropriate patches from Microsoft.
Do not install COM Internet Services.
___________________________________________________________________

References:

Microsoft's security bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-041.asp

Microsoft's patches:

The patches vary, depending upon the service. See the security
bulletin for details.

Microsoft's Knowledge Base article:

http://support.microsoft.com/support/kb/articles/Q298/0/12.ASP