Public exploits available
A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network.
An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.
Technical details (analysis)
To complete any remote procedure call, all distributed applications must create a binding between the client and the server. Microsoft RPC provides multiple levels of authentication. Depending on the authentication level, the origin of the traffic (which security principal sent the traffic) can be verified when the connection is established, when the client starts a new remote procedure call, or during each packet exchange between the client and server. A vulnerability exists in RPCSS when handling an NTLMSSP null session followed by a request of a differing authentication level, which results in an integer underflow that corrupts heap memory and will crash the RPCSS service.
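The sequence described above can be watched for on the wire. The following Python code is an added example, not part of the original advisory or of any vendor signature: it parses connection-oriented DCE/RPC PDU headers and flags a request whose NTLMSSP auth_level differs from the level negotiated for the same auth_context_id. The function names and the PDUs built by make_pdu are constructed for illustration, and the heuristic itself is an assumption drawn from the description above.

```python
import struct

PTYPE_REQUEST, PTYPE_BIND, PTYPE_ALTER_CONTEXT, PTYPE_AUTH3 = 0, 11, 14, 16
AUTH_TYPE_NTLMSSP = 10   # auth_type value for NTLMSSP in the auth verifier
HEADER_LEN, SEC_TRAILER_LEN = 16, 8


def parse_pdu(pdu):
    """Return (ptype, call_id, auth); auth is None or (auth_type, auth_level, context_id)."""
    if len(pdu) < HEADER_LEN or pdu[0] != 5:
        raise ValueError("not a connection-oriented DCE/RPC v5 PDU")
    order = "<" if pdu[4] & 0x10 else ">"   # packed_drep: 0x10 means little-endian integers
    frag_len, auth_len, call_id = struct.unpack_from(order + "HHI", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if auth_len == 0:
        return pdu[2], call_id, None
    trailer = frag_len - auth_len - SEC_TRAILER_LEN
    if trailer < HEADER_LEN:                # verifier would overlap the common header
        raise ValueError("auth_length exceeds fragment")
    (context_id,) = struct.unpack_from(order + "I", pdu, trailer + 4)
    return pdu[2], call_id, (pdu[trailer], pdu[trailer + 1], context_id)


def find_auth_level_changes(pdus):
    """Return (index, reason) for requests whose auth_level differs from the negotiated one."""
    negotiated, alerts = {}, []             # auth_context_id -> auth_level seen at bind time
    for index, pdu in enumerate(pdus):
        try:
            ptype, call_id, auth = parse_pdu(pdu)
        except ValueError as exc:
            alerts.append((index, "malformed: %s" % exc))
            continue
        if auth is None or auth[0] != AUTH_TYPE_NTLMSSP:
            continue
        _, level, context_id = auth
        if ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT, PTYPE_AUTH3):
            negotiated[context_id] = level
        elif ptype == PTYPE_REQUEST and negotiated.get(context_id, level) != level:
            alerts.append((index, "call %d: level %d, negotiated %d"
                           % (call_id, level, negotiated[context_id])))
    return alerts


def make_pdu(ptype, call_id, auth_level, auth_value=b"\x00" * 4):
    """Constructed little-endian sample (header plus verifier); auth_value is filler."""
    trailer = bytes([AUTH_TYPE_NTLMSSP, auth_level, 0, 0]) + struct.pack("<I", 0)
    frag_len = HEADER_LEN + len(trailer) + len(auth_value)
    return (bytes([5, 0, ptype, 3, 0x10, 0, 0, 0])
            + struct.pack("<HHI", frag_len, len(auth_value), call_id) + trailer + auth_value)
```

Feed it the reassembled PDUs of one TCP connection in order; levels are tracked per auth_context_id so that a connection carrying several security contexts is not flagged.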
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Those not on the affected applications list.
Release Date: 2007-10-09T00:00:00
Known false positives
No known false positives at this time.
Block the following at the firewall: UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593; all unsolicited inbound traffic on ports greater than 1024; and any other specifically configured RPC port.
To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as Windows Firewall, which is included with Windows XP and with Windows Server 2003.
To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.
To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.