What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause the Locator service to fail, or could cause code of the attacker's choice to be executed with system privileges.
The Locator service is not enabled by default except on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Microsoft Locator service. If the Locator service was called using a specially malformed argument, it could have the effect of overrunning the buffer.
What is the Locator service?
The Microsoft Locator service is a name service that maps names to objects. The name is a logical name that is easy for users to recognize and use. The Locator service ships with Windows NT 4.0, Windows 2000, and Windows XP.
What is the Locator service used for?
A client that is going to make a Remote Procedure Call (RPC) can call the Locator service to resolve a logical name for a network object to a network-specific name for use in the RPC. For example, if a print server has the logical name "laserprinter", an RPC client could call the Locator service to find out the network-specific name that mapped to "laserprinter". The RPC client uses the network-specific name when it makes the RPC call to the service.
By default, the Locator service is only enabled on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. An administrator could enable the Locator service on any Windows NT 4.0, Windows 2000, or Windows XP system.
What is a Remote Procedure Call?
A Remote Procedure Call is an interprocess communication technique which allows client/server software to communicate. RPC can be used in client/server applications based on Microsoft Windows operating systems and can also be used in heterogeneous network environments that include other operating systems.
What's wrong with Locator service?
There is a flaw in the way the Locator service handles certain parameter information that is passed to it. Specially malformed parameter data could be passed to the Locator service and could cause a buffer to be overrun.
What could this vulnerability enable an attacker to do?
If an attack were successful, this vulnerability could enable an attacker to cause the Locator service to fail, or to be able to run code on the system.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by forming an RPC call that would employ the Locator service to resolve a logical name, and using the RPC call to pass specially malformed data.
Because a properly configured firewall that blocked NetBIOS traffic would block access to the Locator service from the Internet, a successful attack would need to be launched from an organization's internal network.
Does the Locator service require authentication?
No, the system making the RPC request does not have to be authenticated by the system running the Locator service.
Could this vulnerability be exploited from the Internet?
A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack. An attacker would be much more likely to attempt to exploit this vulnerability from an organization's internal network.
How do I tell if the Locator service is enabled?
The status of the "Remote Procedure Call (RPC) Locator" service and how it is started (automatically or manually) can be viewed in the Control Panel. For Windows 2000 and Windows XP, use Control Panel | Administrative Tools | Services, and on Windows NT 4.0, use Control Panel | Services.
It is also possible to determine the status of the Locator service from the command line by entering:
net start
A list of services will be displayed. If "Remote Procedure Call (RPC) Locator" appears in the list, then the locator service is running.
Are there any applications that enables the locator service on member servers?
Yes - There are several applications, for example Microsoft Exchange Server, that enable the locator service on member servers. Microsoft recommends customers to install the patch at their earliest opportunity on all systems that have the locator service enabled.
If I am not using the Locator service, can I disable it?
Yes. An administrator can disable the Locator service by setting the RpcLocator service status to "disabled" in the services control panel.
The service can also be stopped via the command line using the sc.exe program, which ships with Windows XP and is included as part of the Windows 2000 Resource Kit. The following command will stop the service:
sc stop RpcLocator
To disable the service using the command line tool, use the following:
sc config RpcLocator start= disabled
What systems would be at greatest risk from this vulnerability?
Only Windows 2000 domain controllers and Windows NT 4.0 domain controllers have the Locator service enabled by default, so those would be the systems at greatest risk. The Locator service can be enabled on Windows NT 4.0, Windows NT 4.0, Terminal Server Edition, Windows 2000, and Windows XP.
What does the patch do?
The patch addresses the vulnerability by correctly handling the information passed to the RPC Locator service.
