adv_DCE-RPC_DoS.txt
Posted Aug 5, 2001
Site razor.bindview.com

Bindview Advisory - Many DCE/RPC servers don't do proper parameter validation and can be crashed by sending an improperly formatted request. Affected systems include W2K SCM, NT4 LSA, NT4 Endpoint mapper, W2K Endpoint mapper, SQL Server 7, W2K's DHCP Server, W2K's IIS Server, Exchange 5.5 SP3 (STORE.exe and MAD.exe), NT4 Spooler, W2K License Srv, and NT4 License Srv. Microsoft's bulletin on this issue is MS01-041 (linked in the References section below).

tags | denial of service
SHA-256 | 5e096213ca28870ef36905370680122f6491ef0eb55cc4941841a9ce21274fe7

Multiple Remote DoS vulnerabilities in DCE/RPC daemons

Issue Date: July 30, 2001
Contact: Todd Sabin

Topic:

Many DCE/RPC servers are vulnerable to remote DoS attacks

Overview:

Many DCE/RPC servers don't do proper parameter validation, and can be
crashed by sending an improperly formatted request.

Affected Systems:

At least the following services are known to be affected. More servers
are likely to be vulnerable. For a complete list of what Microsoft has
patched, see their security bulletin mentioned below.

W2K SCM (services.exe)
NT4 SCM (services.exe)
NT4 LSA (lsass.exe)
NT4 Endpoint mapper (Rpcss.exe)
W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
SQL Server 7 (sqlservr.exe)
W2K's DHCP Server
W2K's IIS Server (inetinfo.exe)
Exchange 5.5 SP3 (STORE.exe)
Exchange 5.5 SP3 (MAD.exe)
NT4 Spooler (spoolss.exe)
W2K License Srv (llssrv.exe)
NT4 License Srv (llssrv.exe)

Impact:

An unauthenticated remote attacker who can reach the endpoint on which
the server is listening can crash the server. In some cases the servers
may either restart themselves or be restarted by the OS.

Details:

By sending successively larger and larger requests containing nothing
but nulls to every operation on every interface supported by a DCE/RPC
server, it's often possible to find a particular request that will crash
a server. Note that it's not technically necessary to run through every
possible request to crash a given server. Each server has a particular
request (or requests) which crashes it. Once the proper request has been
found by grinding through all the possibilities, only that request is
needed to crash the server.

The exact endpoints on which a server listens will vary from service to
service. Many listen on named pipes, which are accessible via TCP port
139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on
both TCP and UDP ports above 1024. Those services which do not listen on
named pipes can usually be enumerated via the endpoint mapper, using
rpcdump. rpcdump comes with the NT resource kit. A free version is also
available on the RAZOR web site in the rpctools package.

If COM Internet Services has been installed and enabled, then these
attacks may be possible over port 80, as well. This is not a default
configuration, however.
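As an added detection-side illustration, not part of the advisory or of the RAZOR rpctools: a parser for connection-oriented DCE/RPC v5 request PDUs plus a check for the probing shape described under Details, growing all-null stub data sent to many opnums by one peer. All byte strings are constructed samples and the thresholds (64-byte minimum stub, three opnums) are assumptions.

```python
import struct
from collections import defaultdict

PTYPE_REQUEST = 0          # ptype 0 = request; 11 = bind, 12 = bind_ack, 3 = fault
PFC_OBJECT_UUID = 0x80     # pfc_flags bit: a 16-byte object UUID precedes the stub

def parse_request_pdu(pdu):
    """Parse a connection-oriented DCE/RPC v5 request PDU (DCE 1.1 common header
    plus request fields). Returns a dict, or None if it is not a well-formed
    unauthenticated request (auth trailers are out of scope here)."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return None
    end = "<" if pdu[4] & 0x10 else ">"          # packed_drep byte-order flag
    frag_len, auth_len, call_id = struct.unpack(end + "HHI", pdu[8:16])
    if frag_len != len(pdu) or auth_len != 0:    # frag_length must match the wire
        return None
    alloc_hint, ctx_id, opnum = struct.unpack(end + "IHH", pdu[16:24])
    stub_start = 24 + (16 if pdu[3] & PFC_OBJECT_UUID else 0)
    return {"call_id": call_id, "ctx_id": ctx_id, "opnum": opnum,
            "alloc_hint": alloc_hint, "stub": pdu[stub_start:frag_len]}

def is_null_stub(req, min_len=64):
    """All-zero stub data of at least min_len bytes: the malformed shape the
    advisory describes. Real NDR stubs carry lengths, referent ids, etc."""
    return len(req["stub"]) >= min_len and not any(req["stub"])

def flag_grinding(pdus, min_len=64, min_opnums=3):
    """Raw PDUs from one peer, in arrival order. Flags the 'successively larger
    null-only requests to every operation' pattern: null stubs on several
    opnums, with sizes that never shrink within an opnum."""
    hits = [r for r in map(parse_request_pdu, pdus) if r and is_null_stub(r, min_len)]
    per_op = defaultdict(list)
    for r in hits:
        per_op[r["opnum"]].append(len(r["stub"]))
    growing = all(s == sorted(s) for s in per_op.values())
    opnums = sorted(per_op)
    return {"opnums": opnums, "growing": growing,
            "alert": len(opnums) >= min_opnums and growing}

def build_request(opnum, stub, ctx_id=0, call_id=1):
    """Constructed sample only: assemble a little-endian, unauthenticated,
    single-fragment (FIRST|LAST) request PDU for feeding the functions above."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    hdr = bytes([5, 0, PTYPE_REQUEST, 0x03, 0x10, 0, 0, 0])
    return hdr + struct.pack("<HHI", 16 + len(body), 0, call_id) + body

# Constructed traffic: one ordinary request with a non-zero NDR stub, then the
# advisory's probing shape (growing null-only stubs across three opnums).
NORMAL = build_request(0x1B, struct.pack("<II", 0x20000, 1))
PROBES = [build_request(op, bytes(n)) for op in (0, 1, 2) for n in (64, 128, 256)]
```

On real traffic the same check applies to the request PDUs reassembled from a TCP 139/445 named-pipe session or from the dynamic ports the endpoint mapper hands out; a single null-stub request is noise, the multi-opnum growing sequence is the signal.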

Workarounds:

Firewall off as much as possible: TCP 139 and 445, the endpoint mapper,
and the TCP/UDP ports above 1024 used by services such as Exchange.

Recommendations:

Install the appropriate patches from Microsoft.
Do not install COM Internet Services.
___________________________________________________________________

References:

Microsoft's security bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-041.asp

Microsoft's patches:

The patches vary, depending upon the service. See the security
bulletin for details.

Microsoft's Knowledge Base article:

http://support.microsoft.com/support/kb/articles/Q298/0/12.ASP
© 2022 Packet Storm. All rights reserved.