COMMAND

    RPC service

SYSTEMS AFFECTED

    Win2000

PROBLEM

    Eugene Kalinin found the following.  On 15th Aug 2000 Microsoft
    refused to fix a security problem in the Windows 2000 RPC service.
    The bug in the RPC service allows an attacker to put a Windows 2000
    server out of service over the Internet.  Following standard
    practice, Microsoft was notified of the issue four weeks earlier
    (July 20).  After four weeks of inactivity, Microsoft refused to
    take any action on the issue.  Most amazingly, the Microsoft
    Security Response Team suggested posting this information to "a
    newsgroup or other forums that could give us a hint" about
    resolving the problem.

    A Windows 2000 Server running Exchange Server 5.5 co-located with
    COM Internet Services (CIS) Proxy (a Windows 2000 feature that lets
    a server accept DCOM requests tunneled over HTTP) is vulnerable to
    a denial of service attack over the Internet on port 80 (HTTP).
    The attack uses an undocumented feature of Microsoft Outlook that
    allows Outlook to connect to an Exchange Server over an HTTP
    connection.  It is believed that this feature is undocumented
    simply because Microsoft is not aware of it at all.  It is possible
    to specify the list (and order) of RPC transports that Outlook
    will try while connecting to the Exchange server.  The list is
    stored in the following registry value on the client:

        Key:   HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\Exchange Provider
        Value: Rpc_Binding_Order

    The documented transports are as follows:

        Local RPC       ncalrpc
        TCP/IP          ncacn_ip_tcp
        SPX             ncacn_spx
        Named pipes     ncacn_np
        NetBIOS         netbios
        VINES IP        ncacn_vns_spp

    It is not, however, documented in any Microsoft resource that
    Outlook can use another RPC transport, ncacn_http.  If the
    registry value mentioned above contains ncacn_http, and the
    Exchange server has COM Internet Services Proxy installed, then
    Outlook connects to the server by tunneling its RPC calls over
    HTTP.

    Note 1: The client must know the server by its unqualified name.
            If you connect to the server over the Internet, it may be
            necessary to add the server address to the HOSTS file on
            the client.

    Note 2: This connection will most probably not work through a
            proxy server.

    This configuration works well if the client is Windows 2000.  But
    if you try to connect from a Win9x client (not tested with NT4),
    the RPC service on the server crashes (an access violation occurs
    in svchost.exe).  Recovering the server requires a reboot.

    The issue was tested in the following configurations:

    Server: Windows 2000 Advanced Server SP1 with IIS and CIS Proxy.
            Exchange Server 5.5 Enterprise Edition SP3 plus the Q248838
            fix.
    Client: Windows 95 OSR2 with IE5, Windows 98 SE, Windows 2000 (the
            first two break the server, the third does not), running
            Outlook 97 or Outlook 2000.

    Eugene Kalinin then ran a second test, with the Exchange server
    and the COM Internet Services Proxy on different machines.  He set
    up 3 machines: an Exchange server (Exchange 5.5 SP3 on W2K SP1), a
    CIS Proxy server (IIS with CIS Proxy on W2K SP1) and the Outlook
    client (Win95 OSR2 with IE5, Outlook 97).  On the Outlook client
    the Exchange RPC transport is set to ncacn_http (see the original
    bulletin for details).  The CIS Proxy is allowed to connect to the
    Exchange server's port 593 (the registry value
    HKLM\Software\Microsoft\Rpc\RpcProxy\ValidPorts on the CIS Proxy
    contains "EXCHANGESERVER:593").  When Outlook tries to connect to
    Exchange, the RPC service on the Exchange server dies as before.

    This means that the vulnerability does not require the Exchange
    server itself to have CIS Proxy installed.  An attacker can set up
    both a Win9x Outlook client and a CIS Proxy on his side and crash
    an Exchange server via port 593.  Also, even when port 593 is
    blocked at the firewall, if there is a CIS Proxy behind the
    firewall and that CIS Proxy is allowed to connect to the Exchange
    server (i.e. the server is listed in its ValidPorts value), the
    attack can be performed over port 80 to the proxy.
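
    The two registry values described above (the client's
    Rpc_Binding_Order and the proxy's ValidPorts) are what decide
    whether this attack path exists, so an auditor wants to parse both.
    The following is an added example written for this page, not code
    from the advisory, from Eugene Kalinin or from Microsoft.  It
    assumes ValidPorts is a ';'-separated list of HOST:PORT or
    HOST:LOW-HIGH entries and Rpc_Binding_Order a ','-separated list of
    protocol sequences; the sample values are constructed, and on a
    real machine they would be exported with regedit or reg.exe first.

```python
"""Audit the two registry values the advisory above turns on.

Added example, not code from the advisory or from Microsoft.
Assumptions (not stated on the page): ValidPorts is a ';'-separated
list of HOST:PORT or HOST:LOW-HIGH entries, and Rpc_Binding_Order is a
','-separated list of RPC protocol sequences.  The sample values below
are constructed, not taken from a real machine.
"""
import re

# Port the CIS Proxy forwards tunneled RPC to on the Exchange server.
RPC_HTTP_ENDPOINT_PORT = 593

# Transports Microsoft documents for Outlook, from the advisory's table.
DOCUMENTED_TRANSPORTS = {
    "ncalrpc", "ncacn_ip_tcp", "ncacn_spx",
    "ncacn_np", "netbios", "ncacn_vns_spp",
}

_VALID_PORTS_ENTRY = re.compile(r"^\s*([^:;\s]+):(\d+)(?:-(\d+))?\s*$")


def parse_valid_ports(value):
    """Parse a ValidPorts string into a list of (host, low, high) tuples.

    Hosts are lower-cased so comparisons are case-insensitive, as
    Windows host names are.  Malformed entries raise ValueError rather
    than being skipped, since a skipped entry could hide an allowed
    forwarding target from the audit.
    """
    entries = []
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _VALID_PORTS_ENTRY.match(raw)
        if not m:
            raise ValueError("malformed ValidPorts entry: %r" % raw)
        host, low, high = m.group(1).lower(), int(m.group(2)), m.group(3)
        high = int(high) if high is not None else low
        if not 0 < low <= high <= 65535:
            raise ValueError("bad port range in ValidPorts entry: %r" % raw)
        entries.append((host, low, high))
    return entries


def proxy_allows(entries, host, port):
    """True if the CIS Proxy would forward a tunneled connection to host:port."""
    host = host.lower()
    return any(h == host and lo <= port <= hi for h, lo, hi in entries)


def exposed_rpc_targets(entries):
    """Hosts reachable on port 593 through the proxy, sorted.

    Each of these can be hit by the attack over the proxy's port 80
    even when port 593 itself is blocked at the firewall.
    """
    return sorted({h for h, lo, hi in entries
                   if lo <= RPC_HTTP_ENDPOINT_PORT <= hi})


def parse_binding_order(value):
    """Split an Rpc_Binding_Order string into its transport names, in order."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def client_uses_http_tunneling(value):
    """True if the client is configured with the undocumented ncacn_http."""
    return "ncacn_http" in parse_binding_order(value)


def undocumented_transports(value):
    """Transports in Rpc_Binding_Order outside Microsoft's documented list."""
    return [t for t in parse_binding_order(value)
            if t not in DOCUMENTED_TRANSPORTS]


# Constructed sample values (not from a real machine).
SAMPLE_VALID_PORTS = "EXCHANGESERVER:593;mail02:593;intranet:100-5000"
SAMPLE_BINDING_ORDER = "ncacn_http,ncacn_ip_tcp,ncacn_np"

if __name__ == "__main__":
    entries = parse_valid_ports(SAMPLE_VALID_PORTS)
    print("proxy can reach port 593 on:", exposed_rpc_targets(entries))
    print("client tunnels RPC over HTTP:",
          client_uses_http_tunneling(SAMPLE_BINDING_ORDER))
    print("undocumented transports:",
          undocumented_transports(SAMPLE_BINDING_ORDER))
```

    Note that a wide range such as intranet:100-5000 silently covers
    593, which is why the audit checks ranges rather than looking for
    the literal string ":593".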

SOLUTION

    Well, I'm not sure, but this could be it.  On 11th Sep. Microsoft
    released a patch that eliminates a security vulnerability in
    Microsoft(r) Windows 2000.  Patch availability:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24229

    This patch will also be included in the next Service Pack for
    Windows 2000; it can be applied to a computer with or without
    Service Pack 1.