Microsoft Security Bulletin MS01-048 - Critical
Malformed Request to RPC Endpoint Mapper can Cause RPC Service to Fail
Published: September 10, 2001 | Updated: May 09, 2003
Originally posted: September 10, 2001
Updated: May 09, 2003
Who should read this bulletin:
System administrators using Microsoft® Windows NT® 4.0
Impact of vulnerability:
Denial of service.
System administrators should apply the patch to servers that offer RPC-based services.
- Microsoft Windows NT 4.0
The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. The Windows NT 4.0 endpoint mapper contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data.
Because the endpoint mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service itself to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions. Normal service could be restored by rebooting the server.
- Standard security recommendations call for port 135 - the port on which the RPC endmapper operates - to be blocked at the firewall. If this were done, Internet-based attackers would not be able to exploit this vulnerability.
Vulnerability identifier: CAN-2001-0662
Microsoft tested Windows NT 4.0, Windows 2000, and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited it would be able to prevent an affected server from providing useful service to users in some cases. If a firewall the follows normal practices is in place, the chief threat posed by this vulnerability would be from internal attacks. Normal service could be restored by rebooting the system.
What causes the vulnerability?
The vulnerability results because the Windows NT 4.0 RPC service will fail if the endpoint mapper is sent a request that contains a particular type of malformed data.
What is RPC?
RPC (Remote Procedure Call) is a technology that's used extensively to support distributed applications -- that is, applications whose various components are located on different computers. The primary purpose of RPC is to provide a way for the components to communicate with each other. This allows the components to levy requests on each other and communicate the results of these requests.
What's the RPC endpoint mapper?
Every RPC service that uses IP based protocol uses a TCP or UDP port to communicate with its clients. However, in most cases, ports are assigned to RPC services dynamically. As a result, an RPC service that's available on two different machines may use a different port on each. Likewise, an RPC service on a single machine may use a different port every time the machine is rebooted. There has to be a way for clients to find the right port for a particular RPC service on a particular machine.
This is what the RPC endpoint mapper service does. Before starting a session with an RPC service, a client first consults the endpoint mapper service on the server to determine the port over which the service currently operates. It then begins communicating directly with the service.
What's wrong with the RPC endpoint mapper?
If a query to the Windows NT 4.0 RPC endpoint mapper service contains a particular type of malformed data, the service will fail. Because the endpoint mapper runs as part of the RPC service, this would cause the entire RPC service to fail.
What could an attacker use this vulnerability to do?
An attacker could use this vulnerability to prevent a server from offering any RPC-based services.
What are some examples of services that might be affected by an attack?
In general, any service that operates over RPC would be disrupted by such an attack. Products like Exchange and SQL Server offer their primary services via RPC, so such an attack would make them unavailable. On the other hand, IIS only offers management functions via RPC, so it would continue offering web services even after such an attack.
Who could exploit this vulnerability?
Any user who could send data to port 135 - the port on which the endpoint mapper runs - could potentially exploit the vulnerability.
Could an attacker exploit this vulnerability from the Internet?
Standard firewalling practices strongly recommend that port 135 be blocked. If this has been done, an Internet-based attacker could not exploit the vulnerability.
If an attacker did exploit the vulnerability, what would be needed to restore normal service?
The administrator would need to reboot the server.
I have a Windows NT 4.0 workstation. Should I apply the patch?
Unless you are offering RPC-based services via the workstation (which is rarely the case), you would not need to apply the patch.
I have a Windows NT 4.0 server. Should I apply the patch?
If you are not offering any RPC-base services via the server, you do not need the patch. However, if your server does offer RPC-based services, you should apply the patch.
Is Windows 2000 affected by the vulnerability?
No. Customers using Windows 2000 do not need to take any action.
Is Windows XP affected by the vulnerability?
No. Customers using Windows XP do not need to take any action.
What does the patch do?
The patch eliminates the vulnerability by causing the Windows NT 4.0 endpoint mapper to reject requests containing the malformation at issue here.
Download locations for this patch
- Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT 4.0 Server, Enterprise Edition:
- Windows NT 4.0 Server, Terminal Server Edition:
To be released shortly
Additional information about this patch
This patch can be installed on systems running Windows NT 4.0 Service Pack 6a.
Inclusion in future service packs:
No future service packs are planned for Windows NT 4.0.
Reboot needed: Yes
Superseded patches: None.
Verifying patch installation:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
- To verify the individual files, consult the file manifest in Knowledge Base article Q305399.
Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q305399 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (September 10, 2001): Bulletin Created.
- V1.1 (May 09, 2003): Updated download links to Windows Update.
Built at 2014-04-18T13:49:36Z-07:00