Published: 23 January 1997
===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-97.017 -- SAIC REACT Advisory on RPC
24 January 1997
===========================================================================

SAIC REACT has released the following advisory concerning a vulnerability in RPC under Windows NT Version 4.0. This vulnerability may allow a Denial of Service attack on any Windows NT 4.0 RPC Server.

If you believe that your system has been compromised or is under attack, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies.

--------------------------BEGIN INCLUDED TEXT--------------------

///////////////////////////////////\\\\\\\\\\\\\\\\\

SAIC Rapid Emergency Action Crisis Team
SECURITY ADVISORY 97-01-13

///////////////////////////////////\\\\\\\\\\\\\\\\\

Public Version release, 24 January 1997, 3:00 PM EST (GMT -5)

SUBJECT: Windows NT Version 4.0 RPC Problem.

SUMMARY: The RPC problem allows a remote user to cause any NT 4.0 system to experience 100% CPU utilization until the system is rebooted. The resulting unavailability of the CPU creates a significant potential for denial of service attacks. The exploit information for this problem has been widely discussed on the Internet.

BACKGROUND: The denial of service can occur on a Windows NT 4.0 system running an RPC server application. The problem is created when an RPC client gracefully disconnects from the server without supplying the server all the data it expects. CPU usage jumps to, and remains at, 100% until the NT system is rebooted.
If an RPC Server application using a Sockets-based transport (TCP or SPX) has a client randomly initiate a graceful disconnect, RPCSS.EXE (Server Side RPC) can be left in a tight loop making recv() calls for more data. The recv() call returns 0 bytes and is not treated as an error, which causes the CPU exhaustion. If the disconnection is not graceful (such as from a crash), an error will result and the code path that causes the problem is not executed.

IMPACT: Remote connections to a Windows NT 4.0 RPC Server can cause 100% CPU usage and denial of service until the system is rebooted.

RECOMMENDATIONS AND COUNTERMEASURES: Microsoft has confirmed this to be a problem in Windows NT Version 4.0 and issued the following statement:

    A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next service pack that contains this fix. Microsoft Technical Support can be contacted for more information.

The fix (a new version of RPCLTSCM.DLL) has been posted to the following Internet location:

    ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/RPC-fix

It is extremely important to note that this fix has NOT been tested and could have adverse effects on operational systems. REACT recommends only applying the hotfix to systems that are on externally connected segments (i.e. DMZs and air gapped systems), and waiting for the next service pack for fixing internal systems.

In addition, sites with monitoring capability for internal networks should specifically monitor for internal telnet connections on TCP port 135. Connections to port 135 are an indication that someone is attempting to exploit this problem.
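The failure mode described under BACKGROUND, a receive loop that does not treat a 0-byte recv() as end of stream, shown beside a corrected loop. This is an added example for POSIX sockets, not code from RPCSS.EXE or from the advisory; the function names, SPIN_CAP and the socketpair() peer are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define SPIN_CAP 100000L /* assumed bound so the flawed loop terminates here */

/* Flawed: only n < 0 is a failure, so a graceful close (n == 0) never
 * advances `got`. Returns how many zero-byte recv() calls were made. */
long read_exact_flawed(int fd, char *buf, size_t want) {
    size_t got = 0;
    long spins = 0;
    while (got < want && spins < SPIN_CAP) {
        ssize_t n = recv(fd, buf + got, want - got, 0);
        if (n < 0) return -1;      /* abortive disconnect: loop exits */
        if (n == 0) spins++;       /* peer closed, loop keeps polling */
        got += (size_t)n;
    }
    return spins;
}

/* Fixed: n == 0 is end of stream, so a short message is an error (-1). */
int read_exact_fixed(int fd, char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = recv(fd, buf + got, want - got, 0);
        if (n > 0) { got += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        return -1;                 /* graceful close or socket error */
    }
    return 0;
}

/* Constructed peer: sends `sent` bytes (max 64), then closes gracefully. */
int make_short_peer(size_t sent) {
    int sv[2];
    char payload[64] = {0};
    if (sent > sizeof payload || socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) return -1;
    if (sent > 0 && send(sv[1], payload, sent, 0) != (ssize_t)sent) return -1;
    close(sv[1]);
    return sv[0];
}

int main(void) {
    char buf[16];
    int a = make_short_peer(4), b = make_short_peer(4);
    printf("flawed spins=%ld fixed=%d\n", read_exact_flawed(a, buf, 16), read_exact_fixed(b, buf, 16));
    return 0;
}
```

Without the cap, the flawed loop never exits once the peer has closed, which matches the sustained 100% CPU the advisory reports.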
///////////////////////////////////\\\\\\\\\\\\\\\\\

REACT provides security incident response and other information security services for customers concerned about protecting information assets. REACT provides general information security advisories about threats to information systems, as well as more detailed advisories concerning threats to particular industries, companies, platforms, or services. Information contained in both the general ("public") advisories and specific ("customer") advisories is collected from both public sources and SAIC proprietary sources. The information contained in these advisories is intended to assist SAIC customers in responding to information security threats. Specific "customer" advisories are distributed in encrypted form to previously designated representatives of SAIC customers.

Anyone interested in obtaining additional information about REACT services and capabilities can use the following:

Voice Phone Number - 1-888-REACT-1-2
E-mail - react@cip.saic.com
FAX 703-734-2234

REACT uses a commercial, licensed PGP based package as the digital signature mechanism for its bulletins. A non-commercial version, PGP 2.6.2, is available via anonymous FTP from net-dist.mit.edu. Instructions for downloading PGP 2.6.2 can be found in the /pub/PGP/README file; non-commercial license information is in the /pub/PGP/rsalicen.txt file. The REACT public key is included at the end of this message.

REACT is a member of the Forum of Incident Response and Security Teams (FIRST), an international coalition of incident response teams from government, commercial, and academic organizations. The mission of FIRST is to foster cooperation and coordination in incident prevention, response, and information sharing within the security community. For more information on FIRST, review the organization web page at www.first.org.

SAIC REACT advisories are the property of SAIC REACT. Public version advisories may be freely distributed with attribution. Customer versions may not be copied or distributed without the prior authorization of REACT.

Neither REACT nor any of its employees or agents makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed, or represents that its use would not infringe privately owned rights. It is expressly understood that the publication or distribution of REACT advisories may reveal information security vulnerabilities, and that these vulnerabilities may be exploited once they become known. REACT accepts no liability or responsibility for the failure of any individual to promptly correct any vulnerabilities revealed by REACT advisories, and disclaims any liability in the event a vulnerability is not reported by REACT. REACT endorses no particular product or service, and does not warrant the effectiveness or appropriateness of any particular product or service. The views and opinions of the authors expressed herein shall not be used for advertising or product endorsement purposes.
--------------------------END INCLUDED TEXT--------------------