Results 1 to 4 of 4

Thread: MS03-010 - NT/2K/XP - DoS Attack

  1. #1
    Senior Member
    Join Date
    Jun 2002

    MS03-010 - NT/2K/XP - DoS Attack

    Microsoft Security Bulletin MS03-010

    Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)


    Who should read this bulletin: Customers using Microsoft® Windows® NT 4.0, Windows 2000, or Windows XP

    Impact of vulnerability: Denial of Service

    Maximum Severity Rating: Important

    Recommendation: Customers should install the patch at the earliest opportunity

    Affected Software:

    * Microsoft Windows NT 4
    * Microsoft Windows 2000
    * Microsoft Windows XP
    Technical description:

    Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions.

    There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerabilty affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service.

    To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail. The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.

    Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ below, which is to protect the NT 4.0 system with a firewall that blocks Port 135.

    Mitigating factors:

    * To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper running on the target machine. For intranet environments, the Endpoint Mapper would normally be accessible, but for Internet connected machines, the port used by the Endpoint Mapper would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
    * Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the internet. More robust protocols such as RPC over HTTP are provided for hostile environments. To learn more about securing RPC for client and server please refer to To learn more about the ports used by RPC, please refer to
    * This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote machine.

    * Block Port 135 at your firewall. Port 135 is used to initiate an RPC connection with the RPC Endpoint Mapper service. Blocking Port 135 at the firewall will prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability. However to ensure that those systems cannot be attacked by systems behind the firewall, you should still consider applying the patch.
    * Internet Connection Firewall. If you are using the Internet Connection Firewall in Windows XP to protect your Internet connection, it will by default block inbound RPC traffic.
    Windows 2000 Patch

    Windows XP 32-bit Edition Patch

    Windows XP 64-bit Edition Patch

  2. #2
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    This may be an issue for companies or individuals running NT4 who don't have their firewalls properly configured.

    Microsoft says that they CAN'T patch NT4 because it relies on RPC too much. So, NT4 machines will continue to be vulnerable. To mitigate the threat administrators should double-check their firewalls to make sure that port 135 is blocked from the outside world.

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    If they can't fix NT4 they should give free 2000 and new puters to the users with trouble..

    but that's just MHO..

    RPC should be disabled on as much boxes you can (yeah nix boxes too)

    on a nix / linux box go to /etc/inetd.conf

    end disable (#) the RPC based stuff (unless you realy need it) !!
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Superior, WI USA
    "CAN'T patch NT4 because it relies on RPC too much"

    That makes me nervous...

    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts