Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Vulnerability: RPC Service DoS (port 135/tcp) on Windows 2000 SP3

Vulnerability: RPC Service DoS (port 135/tcp) on Windows 2000 SP3

by Nikola Strahija on October 18th, 2002 Because the default SPIKE 2.7 run has been able to discover this vulnerability, and various people have contacted me regarding it, I offer this analysis of it to the general public. Previously, only Immunity Vulnerability Disclosure Club members were specifically informed of this vulnerability, in accordance with Immunity, Inc. policy regarding information disclosure. More information about this policy can be found at http://www.immunitysec.com/vulnshare.html


Impact:

Remote Windows 2000 machines with port TCP 135 open to the Internet
can be disabled without authentication of any kind. Other versions
of Windows may also be vulnerable.

Vulnerability:

The vulnerability itself is within the DCE-RPC stack of Windows 2000
and related OS's. This vulnerability allows anyone who can connect to
port 135 TCP to disable the RPC service. Disabling the RPC service
causes the machine to stop responding to new RPC requests, disabling
almost all functionality.

This is a Denial Of Service via a null pointer dereference, and not
exploitable to gain permissions on the remote machine. A proof of
concept is available at http://www.immunitysec.com/vulnerabilities/

This proof of concept Linux executable is derived from SPIKE 2.7
source code. Simply running SPIKE 2.7's msrpcfuzz is also known to
replicate this problem.

Alleviation:

Block port tcp/135 from network connections. There are also
configuration changes that can make you immune to this attack, but
these are not completely known at this time.


--
Dave Aitel
Immunity, Inc


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »