DATE:
COMMAND: rpcss.exe
SOURCE:
AUTHOR:

SYSTEMS AFFECTED
Windows NT 3.51, 4.0

PROBLEM
On an NT 4 server or workstation, if you telnet to TCP port 135, type a bunch of junk (say 10-20 characters), hit Enter and disconnect, the server's processor utilization goes to 100%. Tested with and without SP2: same result. The installation is "out of the box" with the default install options, including TCP/IP. For it to work the "RPC Configuration" service must be installed, which is the default.

Port 135 is defined in RFC 1060 as:

135 LOC-SRV Location Service [JXP]

You must connect to port 135 over TCP, send some characters, and disconnect. Sending data is required: if you only connect and disconnect, nothing happens. Aleph One's testing shows that in some instances the CPU usage rises but comes back down after a few seconds; if the CPU usage did not stay at 100%, try again with a different string.

After you disconnect, the rpcss.exe process starts consuming all available CPU cycles. Performance Monitor shows rpcss.exe spending roughly 20% of its time in user mode and 80% in system mode. You can still launch other applications (the NT scheduler gives them CPU time), but they run very slowly and the CPU stays at 100%. The offending connection appears stuck in CLOSE_WAIT, which on the server side means the client's FIN was received but rpcss.exe never closed its end of the socket; the connection finally terminates after about 25 minutes.

rpcss.exe cannot be ended from the GUI (Task Manager), even under normal operation, so the simplest recovery is to reboot. Alternatively, kill.exe from the NT Resource Kit can stop the process; you can then restart it from the GUI if you like, but any services that were bound to the RPC endpoint mapper (portmapper) have to be restarted as well.

Credit for this goes to Luck, Aleph One, Tony Weasler, Michael Nelson and David LeBlanc.
EXPLOIT
See PROBLEM above: connect to TCP port 135, send a string of 10-20 characters followed by Enter, then disconnect.

SOLUTION
Hotfix can be found at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix

Under NT 4.0 you can also protect against this with TCP/IP Security filtering: Control Panel, Network, Protocols, TCP/IP Properties, Advanced, Enable Security, Configure. Set it to permit only the ports you need, e.g. 137 and 139 (plus whatever else you need, such as FTP), so that inbound connections to port 135 are dropped.

If you are not hosting RPC applications that need to be reachable over TCP or UDP, you can temporarily work around the problem by changing the following named values in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ServerProtocols: ncacn_ip_tcp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ServerProtocols: ncadg_ip_udp

Change each value's data to something like "rpcltscm.dll-xxx" so that it is easy to restore if you need to. This disables incoming RPC requests over TCP/IP and UDP/IP (but not over SMB named pipes). As usual, reboot the machine for these changes to take effect. Caveat: every RPC server on the host that relies on the TCP or UDP transport, not just the endpoint mapper, stops being reachable over those transports until the values are restored.