Microsoft Security Bulletin MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)

2003-03-27T00:00:00
ID SECURITYVULNS:DOC:4286
Type securityvulns
Reporter Securityvulns
Modified 2003-03-27T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----


Title: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953) Date: 26 March 2003 Software: Microsoft(r) Windows(r) NT 4.0, Windows 2000, or Windows XP Impact: denial of service Max Risk: Important Bulletin: MS03-010

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/technet/security/bulletin/MS03-010.asp http://www.microsoft.com/security/security_bulletins/ms03-010.asp


Issue:

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerabilty affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service.

To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.

Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ in the bulletin, which is to protect the NT 4.0 system with a firewall that blocks Port 135.

Mitigating Factors:

    • To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper running on the target machine. For intranet environments, the Endpoint Mapper would normally be accessible, but for Internet connected machines, the port used by the Endpoint Mapper would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
    • Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the internet.
    • More robust protocols such as RPC over HTTP are provided for hostile environments. To learn more about securing RPC for client and server please refer to http://msdn.microsoft.com/library/default.asp?url=/library/en- us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp. To learn more about the ports used by RPC, please refer to http://www.microsoft.com/technet/prodtechnol/windows2000serv/res kit/tcpip/part4/tcpappc.asp
    • This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to

Risk Rating:

Important

Patch Availability:

A patch is available to fix this vulnerability. Please read the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/ms03-010.asp http://www.microsoft.com/security/security_bulletins/ms03-10.asp

for information on obtaining this patch.

Acknowledgment:

  • Microsoft thanks jussi jaakonaho for reporting this issue to us and working with us to protect customers

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE----- Version: PGP 7.1

iQEVAwUBPoHxjY0ZSRQxA/UrAQFF0ggAnL7ZKOFPi/iHRGvKYnkMcvWHkbMOVXIt i54N1mlJT+xgdABVPPRSn5WlBcJgLoEhTNrvS/FNCPILDqbtLbn+STmESFthYCOd iuQEOX+/CnIer/w/joxztv43M02lAKIA8qdJyAfFGYg2kNuFAjYuxvjK7+GCoIrE MPISW163Xb/MN/Xm2AqmYuxlzovvCzyVJ2kWSbh7CamKgrgq8GaUfh7LeqzIlPP8 5pDTZbXYZhxjs+mSH7xCE+U0WkZhsWqnR1OOTwPo/OOBIdYMcLqXdsm5QAqqaFF5 NOBb1k/OFFMlKZJMs6lCaZ6x2FGiAf1HBYEanYhypGdJQC/zoWM6MA== =f12Q -----END PGP SIGNATURE-----


You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.