5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.563 Medium
EPSS
Percentile
97.7%
The RPC service in Microsoft Windows NT 4.0, 2000, and XP can be terminated by a specially crafted RPC message. A remote attacker could cause a denial of service.
According to Microsoft Security Bulletin MS03-010, “Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system.”
A vulnerability exists in a part of the RPC service called the RPC Endpoint Mapper. The RPC Endpoint Mapper listens for network requests (135/tcp), provides clients with port numbers for RPC services, and maintains information about RPC connections. According to a report from Immunity Security, vulnerable code in the RPC Endpoint Mapper dereferences a NULL pointer when processing a malformed RPC message.
An unauthenticated, remote attacker could cause the RPC Endpoint Mapper to terminate, denying service to legitimate users. Since the RPC Endpoint Mapper is part of the RPC service, “…exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.”
Once the RPC service has been terminated, an attacker may be able to take control over an orphaned named pipe and gain the privileges of the RPC service (Local System).
Apply Patch
Apply the appropriate patch (Q331953) as specified in MS03-010. Microsoft notes that a patch will not be produced for Windows NT 4.0 or Windows NT 4.0 Terminal Server Edition.
The patches may cause local COM calls to fail, which could affect ASP/COM+ applications. See Microsoft Knowledgebase Article 814119 for more information.
Block or Restrict Access
Block or restrict access to the RPC Endpoint Mapper service (135/tcp) from untrusted networks such as the Internet.
261537
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: March 26, 2003
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MS03-010.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23261537 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was publicly reported by Dave Aitel of Immunity Security.
This document was written by Art A Manion.
CVE IDs: | CVE-2002-1561 |
---|---|
Severity Metric: | 23.69 Date Public: |
msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/how_rpc_works.asp
support.microsoft.com/?kbid=814119
support.microsoft.com/default.aspx?scid=kb;en-us;331953
www.immunitysec.com/vulnerabilities/Immunity_svchost_DoS.txt
www.microsoft.com/technet/security/bulletin/MS03-010.asp
www.securityfocus.com/archive/1/296114
www.securityfocus.com/bid/6005
www.securityfocus.com/bid/6769