Microsoft Security Bulletin MS03-010
Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
Originally posted: March 26, 2003
Updated: May 13, 2003
Summary
Who should read this bulletin:
Customers using Microsoft® Windows® NT 4.0, Windows 2000, or Windows XP
Impact of vulnerability:
Denial of Service
Maximum Severity Rating:
Important
Recommendation:
Customers should install the patch at the earliest opportunity
Affected Software:
- Microsoft Windows NT 4
- Microsoft Windows 2000
- Microsoft Windows XP
General Information
Technical details
Technical description:
Note:
Application of this security patch has been reported to, in some specific configurations, cause local COM calls to stop responding. This problem occurs only when several local RPC calls are made quickly from multiple threads, and each thread has a unique set of security credentials. A supported fix is now available from Microsoft. For additional information on this, and details of obtaining a fix, please see Microsoft Knowledge Base Article 814119.
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerabilty affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service.
To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.
Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ below, which is to protect the NT 4.0 system with a firewall that blocks Port 135.
Mitigating factors:
- To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper running on the target machine. For intranet environments, the Endpoint Mapper would normally be accessible, but for Internet connected machines, the port used by the Endpoint Mapper would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the internet. More robust protocols such as RPC over HTTP are provided for hostile environments. To learn more about securing RPC for client and server please refer to http://msdn2.microsoft.com/en-us/library/Aa379441. To learn more about the ports used by RPC, please refer to http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_simw.mspx?mfr=true
- This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine.
Severity Rating:
| Windows NT 4.0 | Important |
| Windows NT 4.0, Terminal Server Edition | Important |
| Windows 2000 | Important |
| Windows XP | Important |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2002-1561
Tested Versions:
Microsoft tested Windows NT 4.0, Windows 2000 and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
If Windows NT 4.0 is listed as an affected product, why is Microsoft not issuing a patch for it?
During the development of Windows 2000, significant enhancements were made to the underlying architecture of RPC. In some areas these changes involved making fundamental changes to the way the RPC server software was built. The Windows NT 4.0 architecture is much less robust than the more recent Windows 2000 architecture, Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Windows NT 4.0 operating system, and not just the RPC component affected. The product of such a rearchitecture effort would be sufficiently incompatible with Windows NT 4.0 that there would be no assurance that applications designed to run on Windows NT 4.0 would continue to operate on the patched system.
Microsoft strongly recommends that customers still using Windows NT 4.0 protect those systems by placing them behind a firewall which is filtering traffic on Port 135. Such a firewall will block attacks attempting to exploit this vulnerability, as discussed in the workarounds section below.
Will Microsoft issue a patch for Windows NT 4.0 sometime in the future?
Microsoft has extensively investigated an engineering solution for NT 4.0 and found that the Windows NT 4.0 architecture will not support a fix to this issue, now or in the future.
What's the scope of this vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause a remote computer to fail. However, the attacker could not modify or retrieve data or execute code of his or her choice on the remote machine.
To carry out such an attack, an attacker would require the ability to make a TCP/IP connection to the Endpoint Mapper running on the target machine. Once a TCP connection had been made, the attacker could send a malformed message to the RPC service and thereby cause the target machine to fail.
The best defense against remote RPC attacks from the Internet is to configure the firewall to block port 135. RPC over TCP is not intended to be used across hostile environments such as the Internet
What causes the vulnerability?
The vulnerability results because the Windows RPC Endpoint Mapper does not properly check message inputs under certain circumstances. If an attacker were to send a certain type of malformed RPC message after RPC established a connection, that could cause the RPC Endpoint Mapper process on the remote machine to fail. This process is responsible for maintaining the connection information of all the processes on that machine using RPC. Because the endpoint mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.
What is RPC (Remote Procedure Call)?
Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.
What is the RPC endpoint mapper?
The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. An endpoint is a protocol port or named pipe on which the server application listens to for client remote procedure calls. Client/server applications can use either well-known or dynamic ports.
What's wrong with Microsoft's implementation of Remote Procedure Call (RPC)?
There is a flaw in the part of RPC that deals with message exchange over TCP/IP. A failure results because of incorrect handling of malformed messages. This particular failure affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. By sending a malformed RPC message, an attacker could the RPC service on a machine to fail.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker who could send RPC messages to the RPC Endpoint Mapper process on a server to launch a denial of service attack. Even though an attacker could cause machines to fail, it would not be possible to modifiy or retrieve data or execute code.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by programming a machine that could communicate with a vulnerable server over TCP port 135 to send a specific kind of malformed RPC message. Receipt of such a message could cause the RPC service on the vulnerable machine to fail.
What does the patch do?
The patch eliminates the vulnerability by correctly verifying the format of messages that are received via TCP/IP. This verification permits the RPC Endpoint Mapper to reject malformed messages.
Workarounds
I'm unable to install the patch for this vulnerability immediately. Is there anything I can do to protect myself from attempts to exploit this vulnerability?
Microsoft recommends the following workarounds:
- BlockPort 135 at your firewall. Port 135 is used to initiate an RPC connection with the RPC Endpoint Mapper service. Blocking Port 135 at the firewall will prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability. However to ensure that those systems cannot be attacked by systems behind the firewall, you should still consider applying the patch.
- Internet Connection Firewall. If you are using the Internet Connection Firewall in Windows XP to protect your Internet connection, it will by default block inbound RPC traffic.
Patch availability
Download locations for this patch
- Microsoft Windows 2000
- Windows XP
Additional information about this patch
Installation platforms:
- The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3
- The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1.
Inclusion in future service packs:
The fix for this issue will be included in Service pack 4 for Windows 2000 and Service pack 2 for Windows XP
Reboot needed: Yes
Patch can be uninstalled: yes
Superseded patches: None.
Verifying patch installation:
- Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\ Q331953
To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\ Q331953\Filelist.
- Windows XP:
- If installed on Windows XP Gold:
To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q331953.
To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\ Q331953\Filelist.
- If installed on Windows XP Service Pack 1:
To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q331953.
To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q331953\Filelist.
- If installed on Windows XP Gold:
Caveats:
Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.
Application of this security patch has been reported to, in some specific configurations, cause local COM calls to stop responding. This problem occurs only when several local RPC calls are made quickly from multiple threads, and each thread has a unique set of security credentials. A supported fix is now available from Microsoft. For additional information on this, and details of obtaining a fix, please see Microsoft Knowledge Base Article 814119.
Localization:
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks jussi jaakonaho for reporting this issue to us and working with us to protect customers.
Support:
- Microsoft Knowledge Base article 331953 discusses this issue. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (March 26, 2003): Bulletin Created.
- V1.1 (May 13, 2003): Bulletin updated to include information and link to Microsoft Knowledge Base Article 814119, for customers experiencing technical problems after installing this patch.