-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution

                             
                  ESB-97.017 -- SAIC REACT Advisory on RPC
                               24 January 1997

===========================================================================

SAIC REACT has released the following advisory concerning a vulnerability
in RPC under Windows NT Version 4.0.  This vulnerability may allow a Denial
of Service attack on any Windows NT 4.0 RPC Server.

If you believe that your system has been compromised or is under attack,
contact AUSCERT or your representative in FIRST (Forum of Incident Response
and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.


- --------------------------BEGIN INCLUDED TEXT--------------------



///////////////////////////////////\\\\\\\\\\\\\\\\\

                                 SAIC
                 Rapid Emergency Action Crisis Team
                          SECURITY ADVISORY
                               97-01-13

///////////////////////////////////\\\\\\\\\\\\\\\\\

   Public Version release, 24 January 1997, 3:00 PM EST  (GMT -5)

SUBJECT: Windows NT Version 4.0 RPC Problem.

SUMMARY: The RPC problem allows a remote user to cause any NT 4.0
system to experience 100% CPU utilization until the system is rebooted.
The resulting unavailability of the CPU creates a significant potential
for denial of service attacks. The exploit information for this problem
has been widely discussed on the Internet.

BACKGROUND: The denial of service can occur on a Windows NT 4.0 system
running an RPC server application.  The problem is created when an RPC
client gracefully disconnects from the server without supplying the
server all the data it expects.  CPU usage jumps to, and remains at, 100%
until the NT system is rebooted.  If an RPC Server application using a
Sockets based transport (TCP or SPX) has a client randomly initiate a
graceful disconnect, the RPCSS.EXE (Server Side RPC) can be left in a
tight loop making recv() calls for more data.  The recv() call returns 0
bytes and is not treated as an error, which causes the CPU exhaustion.
If the disconnection is not graceful (such as from a crash), an error
will result and the code path that causes the problem is not executed.
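
The receive-loop defect described above, as an added example (not code from
Microsoft, RPCSS.EXE, or SAIC REACT).  A POSIX socketpair stands in for the
RPC transport; the function names and the SPIN_CAP guard are assumptions
made for the demonstration.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define SPIN_CAP 100000L /* demo guard: the real flawed loop has no such limit */

/* Flawed pattern: only n < 0 counts as failure, so the 0 returned after a
   graceful close is retried. Returns recv() calls made, or -1 on error. */
long read_exact_flawed(int fd, char *buf, size_t want) {
    size_t got = 0;
    long calls = 0;
    while (got < want && calls < SPIN_CAP) {
        ssize_t n = recv(fd, buf + got, want - got, 0);
        calls++;
        if (n < 0) return -1;
        got += (size_t)n; /* n == 0 makes no progress */
    }
    return calls;
}

/* Corrected pattern: 0 means end of stream, so stop and report a short read.
   Returns bytes received (less than want on early close), or -1 on error. */
long read_exact_fixed(int fd, char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = recv(fd, buf + got, want - got, 0);
        if (n < 0) return -1;
        if (n == 0) break;
        got += (size_t)n;
    }
    return (long)got;
}

/* Constructed scenario: peer sends 4 of 16 expected bytes, then closes. */
long run_short_peer(int use_fixed) {
    int sv[2]; char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    if (send(sv[1], "ABCD", 4, 0) != 4) return -2;
    close(sv[1]); /* graceful close: reader gets the data, then 0 */
    long r = use_fixed ? read_exact_fixed(sv[0], buf, sizeof buf)
                       : read_exact_flawed(sv[0], buf, sizeof buf);
    close(sv[0]);
    return r;
}

int main(void) {
    printf("flawed: %ld recv() calls; fixed: %ld bytes\n",
           run_short_peer(0), run_short_peer(1));
    return 0;
}
```

The flawed reader stops only because of the demo guard; the corrected reader
returns after the first 0-byte recv() with a short count the caller can reject.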

IMPACT: Remote connections to Windows NT 4.0 RPC Server can cause 100%
CPU usage and denial of service until the system is rebooted.

RECOMMENDATIONS AND COUNTERMEASURES: Microsoft has confirmed this to be
a problem in Windows NT Version 4.0 and issued the following statement:

A supported fix is now available, but has not been fully regression-
tested and should be applied only to systems experiencing this specific
problem.  Unless you are severely impacted by this specific problem,
Microsoft recommends that you wait for the next service pack that
contains this fix.

Microsoft Technical Support can be contacted for more information.
The fix (a new version of RPCLTSCM.DLL) has been posted to the following
Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/RPC-fix

It is extremely important to note that this fix has NOT been tested and
could have adverse effects on operational systems. REACT recommends only
applying the hotfix to systems that are on externally connected segments
(i.e. DMZs and air gapped systems), and waiting for the next service
pack for fixing internal systems.  In addition, sites with monitoring
capability for internal networks should specifically monitor for
internal telnet connections on TCP port 135. Connections to port 135 are
an indication that someone is attempting to exploit this problem.

///////////////////////////////////\\\\\\\\\\\\\\\\\

REACT provides security incident response and other information security
services for customers concerned about protecting information assets.
REACT provides general information security advisories about threats to
information systems, as well as more detailed advisories concerning
threats to particular industries, companies, platforms, or services.
Information contained in both the general ("public") advisories and
specific ("customer") advisories is collected from both public sources
and SAIC proprietary sources.  The information contained in these
advisories is intended to assist SAIC customers in responding to
information security threats.  Specific "customer" advisories are
distributed in encrypted form to previously designated representatives
of SAIC customers.  Anyone interested in obtaining additional
information about REACT services and capabilities can use the following:

   Voice Phone Number - 1-888-REACT-1-2
   E-mail - react@cip.saic.com
   FAX 703-734-2234

REACT uses a commercial, licensed PGP based package as the digital
signature mechanism for its bulletins.  A non-commercial version, PGP
2.6.2, is available via anonymous FTP from net-dist.mit.edu.
Instructions for downloading PGP 2.6.2 can be found in the
/pub/PGP/README file, non-commercial license information is in the
/pub/PGP/rsalicen.txt file.  The REACT public key is included at the end
of this message.

REACT is a member of the Forum of Incident Response and Security Teams
(FIRST), an international coalition of incident response teams from
government, commercial, and academic organizations.  The mission of
FIRST is to foster cooperation and coordination in incident prevention,
response, and information sharing within the security community.  For
more information on FIRST, review the organization web page at
www.first.org.

SAIC REACT advisories are the property of SAIC REACT.  Public version
advisories may be freely distributed with attribution.  Customer
versions may not be copied or distributed without the prior
authorization of REACT.  Neither REACT nor any of its employees or
agents make any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or
usefulness of any information, product or process disclosed, or
represents that its use would not infringe privately owned rights.  It
is expressly understood that the publication or distribution of REACT
advisories may reveal information security vulnerabilities, and that
these vulnerabilities may be exploited once they become known.  REACT
accepts no liability or responsibility for the failure of any individual
to promptly correct any vulnerabilities revealed by REACT advisories,
and disclaims any liability in the event a vulnerability is not
reported by REACT.  REACT endorses no particular product or service, and
does not warrant the effectiveness or appropriateness of any particular
product or service.  The views and opinions of the authors expressed
herein shall not be used for advertising or product endorsement
purposes.




- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPMV4dih9+71yA2DNAQFJzAQAk/CgHTGnEl6guP42XDMDTe+N4Lb0eChR
HwAL8Ygr75O67QkVfygwQ6HwK0xm7lTzXVn2eF3AO+lulcz/9XTO2JSQkOyQ25oq
xnXHRaW2zmWWtCGbKRZ3e97gUHvz1Tmbab1/96McwLr7+qTWlkH9YLPGRl+Izrsz
V3PY60pm0K8=
=reXk
-----END PGP SIGNATURE-----