Microsoft Security Bulletin MS01-041
Malformed RPC Request Can Cause Service Failure
Originally posted: July 26, 2001
Updated: April 13, 2004
Version: 2.0
Summary
Who should read this bulletin:
System administrators using Microsoft® Windows NT® 4.0, Windows® 2000, SQL Server™, or Exchange Server.
Impact of vulnerability:
Denial of service
Recommendation:
System administrators consider applying the patches for any affected products they have installed.
Affected Software:
- Microsoft Exchange Server 5.0
- Microsoft Exchange Server 5.5
- Microsoft Exchange 2000 Server
- Microsoft SQL Server 7.0
- Microsoft SQL Server 2000
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
General Information
Technical details
Technical description:
Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Exchange Server 5.0. Microsoft has updated the bulletin with additional information about Exchange Server 5.0 and also to direct users to a security update for this additional affected platform. This security update for Exchange 5.0 is a cumulative rollup package that also addresses the vulnerabilities discussed in MS00-082 and MS03-046. You need only install this security update once to be protected against all three vulnerabilities.
Several of the RPC servers associated with system services in Microsoft Exchange Server, SQL Server, Windows NT 4.0 and Windows 2000 do not adequately validate inputs, and in some cases will accept invalid inputs that prevent normal processing. The specific input values at issue here vary from RPC server to RPC server.
An attacker who sent such inputs to an affected RPC server could disrupt its service. The precise type of disruption would depend on the specific service, but could range in effect from minor (e.g., the service temporarily hanging) to major (e.g., the service failing in a way that would require the entire system to be restarted).
Mitigating factors:
- Proper firewalling would help minimize an affected system's exposure to attack by Internet-based users. In general, a firewall should block access to all RPC services except those that are specifically intended for use by untrusted users.
Vulnerability identifier: CAN-2001-0509
Tested Versions:
Microsoft tested the following products to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.
- Microsoft Exchange Server 5.0
- Microsoft Exchange Server 5.5
- Microsoft Exchange 2000 Server
- Microsoft SQL Server 7.0
- Microsoft SQL Server 2000
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
Frequently asked questions
Why is Microsoft reissuing this bulletin?
Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Exchange Server 5.0. Microsoft has updated the bulletin with additional information about Exchange Server 5.0 and also to direct users to an update for this additional affected platform. This update for Exchange 5.0 is a cumulative rollup package that also addresses the vulnerabilities in discussed in MS00-082 and MS03-046. You need only install this security update once to be protected against all three vulnerabilities.
What's the scope of this vulnerability?
This is a denial of service vulnerability. By sending a specially malformed request to an affected system, an attacker could disrupt its ability to service legitimate users' requests.
The effect of exploiting this vulnerability would vary widely, depending on the particular request, and which of the affected services the attacker could send it to. If best practices have been followed, an attacker on the Internet would be unable to send such a request to any of the affected services.
What causes the vulnerability?
The vulnerability results because of mismatches between the interface definitions in several RPC server stubs and the input validation code in the associated servers. In the affected servers, certain inputs aren't validated prior to use, with the result that inputs that are permissible per the interface definitions but which nevertheless are invalid could be used to disrupt the server operation.
What is RPC?
RPC (Remote Procedure Call) is a technology that's used extensively to support distributed applications -- that is, applications whose various components are located on different computers. The primary purpose of RPC is to provide a way for the components to communicate with each other. This allows the components to levy requests on each other and communicate the results of these requests.
What's an RPC server stub?
The overall goal of RPC is to mask the fact that the client and server components reside on different machines, and instead make it appear that both are running on the local machine. This is accomplished through the use of stubs. On the client system, a stub (known as the client stub) makes it appear that the server component resides on the client machine. Likewise, on the server system, a stub (known as the server stub) makes it appear that the client component resides on the server machine.
When the client component levies a request to the client stub, the stub packages the request in an RPC message and sends it to the server machine. The server stub unpackages the request and passes it to the server component, which acts on the request. If the server needs to send a response, it sends it to the server stub, which then packages the response in an RPC message and sends it to the client machine. The client stub then unpackages the response and passes it to the client component.
What's wrong with RPC?
The problem doesn't lie in the RPC architecture, but rather in the implementation of several RPC servers. The server stub advertises an interface definition, but the servers don't always validate the inputs they receive correctly.
What's an interface definition?
An interface definition can be thought of as a template that all requests to a particular server must conform to. For instance, an interface definition for a particular RPC server might indicate that there are five parameters that must be included in a request, and that all of them must be integers. A request that doesn't adhere to the interface definition won't be accepted by the server stub.
The problem is that even a request that conforms to the interface definition may not be valid. For instance, even though an interface definition may require an integer as an input, there may be values that the server code cannot process. It's the responsibility of the server code to check all inputs to make sure they have acceptable values. This vulnerability results because some RPC servers associated with system services in Exchange, SQL, Windows NT 4.0 and Windows 2000 don't do this.
What would be the result if someone sent an invalid request to such a server?
It would depend on the specific server at issue, and how it handles the specific request included in the RPC message. In some cases, the request might have little or no lasting effect on the system service. In others, the request could cause the service could fail with no effect on the overall system. In others, the service could fail in a way that destabilizes the overall system and requires the machine to be restarted.
How might an attacker exploit this vulnerability?
As a general statement, an attacker might exploit this vulnerability as a means of preventing the server from providing useful service. However, the specific effects he could cause would vary dramatically on a machine-by-machine basis. As we discussed above, different services are affected in different ways by this vulnerability.
The damage an attacker could cause via this vulnerability would be heavily dependent on exactly which services he could send malformed requests to. In some cases, the attacker might be able to deny particular services to legitimate users. In others, it could be possible to cause an affected system to fail altogether and require rebooting.
What would determine which services the attacker could send malformed requests to?
The most important factor would be which services are installed on the machine. For instance, if neither Exchange Server nor SQL Server were installed on the machine, the attacker clearly wouldn’t be able to exploit any of the vulnerabilities in those services.
Could a firewall prevent an Internet-based attacker from exploiting the vulnerability?
Yes. If the port on which an affected RPC server listens is blocked, an Internet-based attacker wouldn't be able to deliver requests to the server, and would therefore be unable to exploit the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by introducing proper validation checking into the affected RPC servers.
Patch availability
Download locations for this patch
- Exchange Server 5.0:
- Exchange Server 5.5:
- Exchange 2000 Server:
Also included in Exchange 2000 Server Service Pack 1.
- SQL Server 7.0:
Also included in SQL Server 7.0 Service Pack 3.
- SQL Server 2000:
Also included in SQL Server 2000 Service Pack 1.
- Windows NT 4.0:
Included in the Windows NT 4.0 Security Roll-up
- Windows NT 4.0 Server, Terminal Server Edition:
Included in the Windows NT 4.0 Terminal Server Edition Security Roll-up
- Windows 2000:
- Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.
Additional information about this patch
Installation platforms:
- The patch for Exchange Server 5.0 can be installed on systems running Exchange Server 5.0 Service Pack 2.
- The patch for Exchange Server 5.5 can be installed on systems running Exchange Server 5.5 Service Pack 4.
- The SQL Server 7.0 and SQL Server 2000 patch can be installed here: http://technet.microsoft.com/en-us/sqlserver/bb331729.aspx.
- The patch for SQL Server 2000 can be installed on systems running SQL Server 2000 Gold.
- The Windows NT 4.0 Security Roll-up Package can be installed on systems running Windows NT 4.0 Service Pack 6a.
- The patch for Windows 2000 can be installed on systems running Windows 2000 Service Pack 1 or Service Pack 2.
Inclusion in future service packs:
- The fix for the Exchange 2000 Server issues is included in Exchange 2000 Server Service Pack 1.
- The fix for the SQL Server 7.0 issues is included in SQL Server 7.0 Service Pack 3.
- The fix for the SQL Server 2000 issues is included in SQL Server 2000 Service Pack 1.
- The fix for the Windows NT 4.0 issues is included in the Windows NT 4.0 security roll-up.
- The fix for the Windows 2000 issues will be included in Windows 2000 Service Pack 3.
Reboot needed: Yes
Superseded patches:
- The patch for Exchange Server 5.0 does not supersede any previously released patches.
- The patch for Exchange Server 5.5 does not supersede any previously released patches.
- The patch for Exchange 2000 Server does not supersede any previously released patches.
- The patch for SQL Server 7.0 does not supersede any previously released patches.
- The patch for SQL Server 2000 does not supersede any previously released patches.
- The Windows NT 4.0 Security Roll-up Patch supersedes the patches provided in the following security bulletins:
- Microsoft Security Bulletin MS99-003.
- Microsoft Security Bulletin MS99-019.
- Microsoft Security Bulletin MS99-022.
- Microsoft Security Bulletin MS99-029.
- Microsoft Security Bulletin MS99-039.
- Microsoft Security Bulletin MS99-046.
- Microsoft Security Bulletin MS99-047.
- Microsoft Security Bulletin MS99-053.
- Microsoft Security Bulletin MS99-055.
- Microsoft Security Bulletin MS99-056.
- Microsoft Security Bulletin MS99-057.
- Microsoft Security Bulletin MS99-058.
- Microsoft Security Bulletin MS99-061.
- Microsoft Security Bulletin MS00-003.
- Microsoft Security Bulletin MS00-004.
- Microsoft Security Bulletin MS00-005.
- Microsoft Security Bulletin MS00-006.
- Microsoft Security Bulletin MS00-007.
- Microsoft Security Bulletin MS00-008.
- Microsoft Security Bulletin MS00-018.
- Microsoft Security Bulletin MS00-019.
- Microsoft Security Bulletin MS00-021.
- Microsoft Security Bulletin MS00-023.
- Microsoft Security Bulletin MS00-024.
- Microsoft Security Bulletin MS00-027.
- Microsoft Security Bulletin MS00-029.
- Microsoft Security Bulletin MS00-030.
- Microsoft Security Bulletin MS00-031.
- Microsoft Security Bulletin MS00-036.
- Microsoft Security Bulletin MS00-040.
- Microsoft Security Bulletin MS00-044.
- Microsoft Security Bulletin MS00-047.
- Microsoft Security Bulletin MS00-052.
- Microsoft Security Bulletin MS00-057.
- Microsoft Security Bulletin MS00-060.
- Microsoft Security Bulletin MS00-063.
- Microsoft Security Bulletin MS00-070.
- Microsoft Security Bulletin MS00-078.
- Microsoft Security Bulletin MS00-080.
- Microsoft Security Bulletin MS00-083.
- Microsoft Security Bulletin MS00-086.
- Microsoft Security Bulletin MS00-091.
- Microsoft Security Bulletin MS00-094.
- Microsoft Security Bulletin MS00-095.
- Microsoft Security Bulletin MS00-100.
- Microsoft Security Bulletin MS01-003.
- Microsoft Security Bulletin MS01-004.
- Microsoft Security Bulletin MS01-008.
- Microsoft Security Bulletin MS01-009.
- Microsoft Security Bulletin MS01-017.
- Microsoft Security Bulletin MS01-025.
- Microsoft Security Bulletin MS01-026.
- Microsoft Security Bulletin MS01-033.
- The patch for Windows 2000 does not supersede any previously released patches.
Verifying patch installation:
Exchange Server 5.0:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.0\SP3\834130
- To verify the individual files, consult the file manifest provided in Knowledge Base article 834130.
Exchange Server 5.5:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\Q304062.
- To verify the individual files, consult the file manifest provided in Knowledge Base article Q298012.
Exchange 2000 Server:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2000\SP1\Q304063.
- To verify the individual files, consult the file manifest provided in Knowledge Base article Q298012.
SQL Server 7.0:
- To verify that the patch has been installed on the machine, consult the file manifest in Knowledge Base article Q298012.
SQL Server 2000:
- To verify that the patch has been installed on the machine, consult the file manifest in Knowledge Base article Q298012.
Windows NT 4.0:
- To verify that the Security Roll-up Package has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q299444.
- To verify the individual files, consult the file manifest in Knowledge Base article Q299444.
Windows 2000:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q298012.
- To verify the individual files, use the date/time and version information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q298012\Filelist
Caveats:
None
Localization:
Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the Windows Update web site.
Other information:
Acknowledgments
Microsoft thanks Bindview's Razor Team for reporting this issue to us and working with us to protect customers.
Support:
- Microsoft Knowledge Base article Q298012 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (July 26, 2001): Bulletin Created.
- V1.1 (April 24, 2002): Bulletin updated to advise availability of Windows NT 4.0 Server, Terminal Server Edition Security Rollup Package
- V1.2 (June 13, 2003): Updated download links to Windows Update.
- V2.0 (April 13, 2004): Bulletin updated to advise of the availability of an update for Exchange Server 5.0.