Bugtraq mailing list archives

Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons


From: Todd Sabin <tsabin () razor bindview com>
Date: 30 Jul 2001 14:51:41 -0400



BindView Security Advisory
--------

Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
Issue Date: July 30, 2001
Contact:  tsabin () razor bindview com

Topic:
Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks

Overview:
Many of Microsoft's DCE/RPC servers do not validate the parameters of
incoming requests and can be crashed by sending them an improperly
formatted request.

Affected Systems:

At least the following services are known to be affected.  More
servers are likely to be vulnerable.  For a complete list of what
Microsoft has patched, see their security bulletin mentioned below.

W2K SCM             (services.exe)
NT4 SCM             (services.exe)
NT4 LSA             (lsass.exe)
NT4 Endpoint mapper (Rpcss.exe)
W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
SQL Server 7        (sqlservr.exe)
W2K's DHCP Server
W2K's IIS Server    (inetinfo.exe)
Exchange 5.5 SP3    (STORE.exe)
Exchange 5.5 SP3    (MAD.exe)
NT4 Spooler         (spoolss.exe)
W2K License Srv     (llssrv.exe)
NT4 License Srv     (llssrv.exe)

Impact: 

An unauthenticated remote attacker who can reach the endpoint on which
a server listens can crash that server process.  In some cases the
server restarts itself or is restarted by the OS; in the others the
service stays down until it is restarted by hand.

Details:

By sending successively larger requests consisting of nothing but null
bytes to every operation on every interface a DCE/RPC server exports,
it is usually possible to find a particular request that crashes the
server.  Grinding through every possible request is only needed to
find that request: each server has a specific request (or a few of
them) which crashes it, and once the right one has been identified,
that single request is all an attacker needs to send.

The exact endpoints on which a server listens vary from service to
service.  Many listen on named pipes, which are reachable via TCP port
139 or (on W2K) 445.  Other services, e.g. Exchange, typically listen
on dynamically assigned TCP and UDP ports above 1024.  Services that do
not listen on named pipes can usually be enumerated by querying the
endpoint mapper (TCP port 135) with rpcdump.  rpcdump comes with the NT
resource kit; a free version is also available on the RAZOR web site in
the rpctools package.

If COM Internet Services has been installed and enabled, then these
attacks may be possible over port 80, as well.  This is not a default
configuration, however.


Workarounds:
Firewall off as much as possible.  At a minimum, block TCP 135, 139 and
445 from untrusted networks; because RPC servers pick their TCP/UDP ports
above 1024 dynamically, that whole range has to be blocked as well, and
port 80 too if COM Internet Services is enabled.

Recommendations:
Install the appropriate patches from Microsoft.
Do not install COM Internet Services.

References:
Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-041.asp

Microsoft's patches:
The patches vary, depending upon the service.  See the security bulletin
for details.

Microsoft's Knowledge Base article:
http://support.microsoft.com/support/kb/articles/Q298/0/12.ASP
