Immunity Advisory to the General Public Vulnerability: RPC Service DoS (port 135/tcp) on Windows 2000 SP3 Author: Dave Aitel Date: October 18, 2002 Because the default SPIKE 2.7 run has been able to discover this vulnerability, and various people have contacted me regarding it, I offer this analysis of it to the general public. Previously, only Immunity Vulnerability Disclosure Club members were specifically informed of this vulnerability, in accordance with Immunity, Inc. policy regarding information disclosure. More information about this policy can be found at http://www.immunitysec.com/vulnshare.html Impact: Remote Windows 2000 machines with port TCP 135 open to the Internet can be disabled without authentication of any kind. Other versions of Windows may also be vulnerable. Vulnerability: The vulnerability itself is within the DCE-RPC stack of Windows 2000 and related OS's. This vulnerability allows anyone who can connect to port 135 TCP to disable the RPC service. Disabling the RPC service causes the machine to stop responding to new RPC requests, disabling almost all functionality. This is a Denial Of Service via a null pointer dereference, and not exploitable to gain permissions on the remote machine. A proof of concept is available at http://www.immunitysec.com/vulnerabilities/ This proof of concept Linux executable is derived from SPIKE 2.7 source code. Simply running SPIKE 2.7's msrpcfuzz is also known to replicate this problem. Alleviation: Block port tcp/135 from network connections. There are also configuration changes that can make you immune to this attack, but these are not completely known at this time. -- Dave Aitel Immunity, Inc