Immunity Advisory to the General Public
Vulnerability: RPC Service DoS (port 135/tcp) on Windows 2000 SP3
Author: Dave Aitel
Date: October 18, 2002


Because the default SPIKE 2.7 run has been able to discover this
vulnerability, and various people have contacted me regarding it, I
offer this analysis of it to the general public. Previously, only
Immunity Vulnerability Disclosure Club members were specifically
informed of this vulnerability, in accordance with Immunity,
Inc. policy regarding information disclosure. More information about
this policy can be found at http://www.immunitysec.com/vulnshare.html


Impact:

Remote Windows 2000 machines with port TCP 135 open to the Internet
can be disabled without authentication of any kind. Other versions
of Windows may also be vulnerable.

Vulnerability:

The vulnerability itself is within the DCE-RPC stack of Windows 2000
and related OS's. This vulnerability allows anyone who can connect to
port 135 TCP to disable the RPC service. Disabling the RPC service
causes the machine to stop responding to new RPC requests, disabling
almost all functionality.

This is a Denial Of Service via a null pointer dereference, and not
exploitable to gain permissions on the remote machine. A proof of
concept is available at http://www.immunitysec.com/vulnerabilities/

This proof of concept Linux executable is derived from SPIKE 2.7
source code. Simply running SPIKE 2.7's msrpcfuzz is also known to
replicate this problem.

Alleviation:

Block port tcp/135 from network connections. There are also
configuration changes that can make you immune to this attack, but
these are not completely known at this time.


-- 
Dave Aitel <dave@immunitysec.com>
Immunity, Inc