What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited it would be able to prevent an affected server from providing useful service to users in some cases. If a firewall that follows normal practices is in place, the chief threat posed by this vulnerability would be from internal attacks. Normal service could be restored by rebooting the system.
What causes the vulnerability?
The vulnerability results because the Windows NT 4.0 RPC service will fail if the endpoint mapper is sent a request that contains a particular type of malformed data.
What is RPC?
RPC (Remote Procedure Call) is a technology that's used extensively to support distributed applications -- that is, applications whose various components are located on different computers. The primary purpose of RPC is to provide a way for the components to communicate with each other. This allows the components to levy requests on each other and communicate the results of these requests.
What's the RPC endpoint mapper?
Every RPC service that uses an IP-based protocol uses a TCP or UDP port to communicate with its clients. However, in most cases, ports are assigned to RPC services dynamically. As a result, an RPC service that's available on two different machines may use a different port on each. Likewise, an RPC service on a single machine may use a different port every time the machine is rebooted. There has to be a way for clients to find the right port for a particular RPC service on a particular machine.
This is what the RPC endpoint mapper service does. Before starting a session with an RPC service, a client first consults the endpoint mapper service on the server to determine the port over which the service currently operates. It then begins communicating directly with the service.
What's wrong with the RPC endpoint mapper?
If a query to the Windows NT 4.0 RPC endpoint mapper service contains a particular type of malformed data, the service will fail. Because the endpoint mapper runs as part of the RPC service, this would cause the entire RPC service to fail.
What could an attacker use this vulnerability to do?
An attacker could use this vulnerability to prevent a server from offering any RPC-based services.
What are some examples of services that might be affected by an attack?
In general, any service that operates over RPC would be disrupted by such an attack. Products like Exchange and SQL Server offer their primary services via RPC, so such an attack would make them unavailable. On the other hand, IIS only offers management functions via RPC, so it would continue offering web services even after such an attack.
Who could exploit this vulnerability?
Any user who could send data to port 135 - the port on which the endpoint mapper runs - could potentially exploit the vulnerability.
Could an attacker exploit this vulnerability from the Internet?
Standard firewalling practices strongly recommend that port 135 be blocked. If this has been done, an Internet-based attacker could not exploit the vulnerability.
If an attacker did exploit the vulnerability, what would be needed to restore normal service?
The administrator would need to reboot the server.
I have a Windows NT 4.0 workstation. Should I apply the patch?
Unless you are offering RPC-based services via the workstation (which is rarely the case), you would not need to apply the patch.
I have a Windows NT 4.0 server. Should I apply the patch?
If you are not offering any RPC-based services via the server, you do not need the patch. However, if your server does offer RPC-based services, you should apply the patch.
Is Windows 2000 affected by the vulnerability?
No. Customers using Windows 2000 do not need to take any action.
Is Windows XP affected by the vulnerability?
No. Customers using Windows XP do not need to take any action.
What does the patch do?
The patch eliminates the vulnerability by causing the Windows NT 4.0 endpoint mapper to reject requests containing the malformation at issue here.