COMMAND

    Microsoft DCE/RPC

SYSTEMS AFFECTED

    Microsoft DCE/RPC

PROBLEM

    The following is based on Microsoft Security Bulletin MS01-041.
    Several  of  the  RPC  servers  associated with system services in
    Microsoft Exchange, SQL  Server, Windows NT  4.0 and Windows  2000
    do not adequately validate inputs,  and in some cases will  accept
    invalid  inputs  that  prevent  normal  processing.   The specific
    input values at issue here vary from RPC server to RPC server.

    An attacker who sent such  inputs to an affected RPC  server could
    disrupt its service.  The precise type of disruption would  depend
    on the  specific service,  but could  range in  effect from  minor
    (e.g.,  the  service  temporarily  hanging)  to  major  (e.g., the
    service failing in a way  that would require the entire  system to
    be restarted).

    Proper  firewalling  would  help  minimize  an  affected  system's
    exposure  to  attack  by  Internet-based  users.   In  general,  a
    firewall  should  block  access  to  all RPC services except those
    that are specifically intended for use by untrusted users.

    Credit goes to Bindview's Razor Team; their advisory follows.

    Many DCE/RPC  servers don't  do proper  parameter validation,  and
    can be crashed by sending an improperly formatted request.

    At least the  following services are  known to be  affected.  More
    servers are likely to be vulnerable.  For a complete list of  what
    Microsoft  has  patched,  see  their  security  bulletin mentioned
    above.

        W2K SCM             (services.exe)
        NT4 SCM             (services.exe)
        NT4 LSA             (lsass.exe)
        NT4 Endpoint mapper (Rpcss.exe)
        W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
        SQL Server 7        (sqlservr.exe)
        W2K's DHCP Server
        W2K's IIS Server    (inetinfo.exe)
        Exchange 5.5 SP3    (STORE.exe)
        Exchange 5.5 SP3    (MAD.exe)
        NT4 Spooler         (spoolss.exe)
        W2K License Srv     (llssrv.exe)
        NT4 License Srv     (llssrv.exe)

    An unauthenticated remote attacker  that can talk to  the endpoint
    on which the server  is listening can crash  the server.  In  some
    cases, the servers may either restart themselves, or be  restarted
    by the OS.

    By  sending  successively  larger  and  larger requests containing
    nothing but nulls to every operation on every interface  supported
    by a  DCE/RPC server,  it's often  possible to  find a  particular
    request that will crash a server.  Note that it's not  technically
    necessary to run through every  possible request to crash a  given
    server.  Each server has a particular request (or requests)  which
    crashes it.   Once the proper  request has been  found by grinding
    through  all  the  possibilities,  only  that request is needed to
    crash the server.
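    The request pattern described above leaves a recognisable trace on the
    wire: request PDUs whose stub data is nothing but null bytes, growing in
    size and walking across opnums.  The following Python script is an added
    example for defenders, not code from Bindview's or Microsoft's advisory.
    It decodes the standard connection-oriented DCE/RPC common header
    (rpc_vers, PTYPE, drep, frag_length, auth_length, call_id) and request
    header (alloc_hint, p_cont_id, opnum), flags oversized or all-null stubs,
    and keeps per-client state so that a sweep across several opnums is
    reported.  The thresholds (1024-byte stub, four distinct opnums), the
    client labels and the sample PDUs built by build_request are this
    example's own assumptions and constructed fixtures; in practice the PDU
    bytes would come from a capture of the TCP 139/445 or high-port streams
    the advisory mentions.

```python
# Added example (not part of the Bindview or Microsoft advisories): a minimal
# parser for connection-oriented DCE/RPC request PDUs plus heuristics that
# flag the pattern the advisory describes (oversized requests whose stub data
# is all nulls, walked across many opnums).  All sample PDUs are constructed
# here; nothing is sent on the network.
import struct
from collections import defaultdict
from dataclasses import dataclass

RPC_VERSION = 5
PTYPE_REQUEST = 0
COMMON_HDR_LEN = 16         # rpc_vers .. call_id
REQUEST_HDR_LEN = 8         # alloc_hint(4) + p_cont_id(2) + opnum(2)
AUTH_VERIFIER_HDR_LEN = 8   # fixed part of the sec_trailer when auth_length > 0


@dataclass
class RpcRequest:
    call_id: int
    context_id: int
    opnum: int
    frag_length: int
    stub: bytes


def parse_request(pdu: bytes) -> RpcRequest:
    """Decode the common header and request header of one DCE/RPC PDU."""
    if len(pdu) < COMMON_HDR_LEN + REQUEST_HDR_LEN:
        raise ValueError("PDU too short for a request header")
    version, ptype = pdu[0], pdu[2]
    if version != RPC_VERSION:
        raise ValueError(f"unsupported rpc_vers {version}")
    if ptype != PTYPE_REQUEST:
        raise ValueError(f"not a request PDU (PTYPE {ptype})")
    # drep[0] high nibble selects integer byte order: 1 = little-endian.
    endian = "<" if (pdu[4] >> 4) == 1 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_length > len(pdu) or frag_length < COMMON_HDR_LEN + REQUEST_HDR_LEN:
        raise ValueError("frag_length inconsistent with PDU size")
    _alloc_hint, context_id, opnum = struct.unpack(endian + "IHH", pdu[16:24])
    stub_end = frag_length
    if auth_length:
        stub_end -= auth_length + AUTH_VERIFIER_HDR_LEN
    stub = pdu[COMMON_HDR_LEN + REQUEST_HDR_LEN:stub_end]
    return RpcRequest(call_id, context_id, opnum, frag_length, stub)


def null_stub_reasons(req: RpcRequest, max_stub: int = 1024) -> list[str]:
    """Per-PDU heuristics: large stub data and/or stub data that is all nulls."""
    reasons = []
    if len(req.stub) >= max_stub:
        reasons.append(f"stub data {len(req.stub)} bytes (>= {max_stub})")
    if req.stub and not req.stub.strip(b"\x00"):
        reasons.append("stub data is all null bytes")
    return reasons


class OpnumSweepMonitor:
    """Per-client state: report a client that fires all-null stubs at many opnums."""

    def __init__(self, distinct_opnums: int = 4):
        self.threshold = distinct_opnums          # assumed threshold
        self.seen = defaultdict(set)              # client -> {(context_id, opnum)}

    def observe(self, client: str, pdu: bytes) -> list[str]:
        try:
            req = parse_request(pdu)
        except ValueError as exc:
            return [f"malformed PDU: {exc}"]
        reasons = null_stub_reasons(req)
        if "stub data is all null bytes" in reasons:
            self.seen[client].add((req.context_id, req.opnum))
            if len(self.seen[client]) >= self.threshold:
                reasons.append(
                    f"all-null stubs sent to {len(self.seen[client])} distinct opnums")
        return reasons


def build_request(opnum: int, stub: bytes, call_id: int = 1) -> bytes:
    """Constructed fixture: encode a little-endian, unauthenticated request PDU."""
    frag_length = COMMON_HDR_LEN + REQUEST_HDR_LEN + len(stub)
    # pfc_flags 0x03 = first and last fragment; drep 0x10 = little-endian, ASCII.
    header = struct.pack("<BBBB4sHHI", RPC_VERSION, 0, PTYPE_REQUEST, 0x03,
                         b"\x10\x00\x00\x00", frag_length, 0, call_id)
    return header + struct.pack("<IHH", len(stub), 0, opnum) + stub


if __name__ == "__main__":
    mon = OpnumSweepMonitor()
    # Constructed samples: one ordinary call, then a sweep of growing null stubs.
    print(mon.observe("10.0.0.5", build_request(3, b"\x01\x00\x00\x00hello\x00")))
    hits = []
    for size in (64, 256, 1024, 4096):
        for op in range(4):
            hits = mon.observe("10.0.0.9", build_request(op, b"\x00" * size))
    print(hits)
```

    The monitor deliberately treats an undecodable PDU as a finding in its
    own right, since a frag_length that disagrees with the bytes on the wire
    is exactly the kind of input the affected servers failed to validate.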

    The  exact  endpoints  on  which  a  server listens will vary from
    service  to  service.   Many  listen  on  named  pipes,  which are
    accessible via  TCP port  139 or  (on W2K)  445.   Other services,
    e.g.  Exchange, typically listen  on both TCP and UDP  ports above
    1024.   Those  services  which  do  not  listen on named pipes can
    usually  be  enumerated  via  the  endpoint mapper, using rpcdump.
    rpcdump comes with the NT resource kit.

    If  COM  Internet  Services  has  been installed and enabled, then
    these attacks may be possible over port 80, as well.  This is  not
    a default configuration, however.

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms01-041.asp

    for information on obtaining this patch.