DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  rpcss.exe

SYSTEMS AFFECTED

  Win NT 3.51, 4.0
  

PROBLEM


    On an NT4 server or workstation, if you telnet to port 135, type a
    bunch of junk (say 10-20 characters), hit enter and disconnect, the
    server's processor utilization will go up to 100%.  The result is
    the same with and without SP2.  The installation is 'out of the
    box' with standard default install options, of course including
    TCP/IP.

    For  it  to  work  you  must  have the 'RPC Configuration' service
    installed.  This  is the default.  Port 135 is  defined in RFC1060
    as:

        135       LOC-SRV    Location Service                         [JXP]

    You  must  connect  to  port  135  using  TCP,  send  some  random
    characters, and disconnect. You MUST send a series of  characters.
    If you just connect and disconnect from the port it won't work.
    Aleph One's  testing shows  that in  some instances  the CPU usage
    will rise but come back down in a few seconds.  If your CPU  usage
    did not stay at 100% try again with a different string.

    After you disconnect, the rpcss.exe process will start consuming
    all available processor cycles.  NT does not allow you to kill
    rpcss.exe even under normal operation.  You must reboot the
    machine to get rid of it.  You will still be able to launch other
    applications (the NT scheduler will give them CPU time), but they
    will run very slowly and the CPU will stay at 100% utilization.
    The performance monitor shows that rpcss.exe spends roughly 20% of
    the time in user mode and 80% of the time in system mode.

    The connection  appears to  be stuck  in the  CLOSE_WAIT state and
    will finally terminate  after about 25  minutes.  Credit  for this
    goes to Luck,  Aleph One, Tony  Weasler, Michael Nelson  and David
    LeBlanc.
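
    As an added defender-side check (not part of the original advisory),
    the following Python parses `netstat -an` output and counts port-135
    connections sitting in CLOSE_WAIT per remote host; the netstat sample
    is constructed, not captured from a real system.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output from an NT4 host (not captured
# from a real machine): two stuck port-135 connections plus normal noise.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.5:135           10.1.1.99:1041         CLOSE_WAIT
  TCP    10.1.1.5:135           10.1.1.99:1042         CLOSE_WAIT
  TCP    10.1.1.5:139           10.1.1.20:1104         ESTABLISHED
  TCP    10.1.1.5:135           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:21            10.1.1.99:1050         CLOSE_WAIT
  UDP    10.1.1.5:137           *:*
"""

# One TCP row: proto, local ip:port, foreign ip:port, state.
LINE_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_tcp(netstat_text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m.group(2), int(m.group(3)),
                   m.group(4), int(m.group(5)), m.group(6).upper())


def stuck_loc_srv(netstat_text, port=135):
    """Count CLOSE_WAIT connections on the LOC-SRV port, keyed by remote host.

    A port-135 connection that lingers in CLOSE_WAIT for minutes after the
    peer has gone away is the symptom the advisory describes; correlate it
    with rpcss.exe CPU time before concluding the box has been hit.
    """
    hits = Counter()
    for _lip, lport, rip, _rport, state in parse_tcp(netstat_text):
        if lport == port and state == "CLOSE_WAIT":
            hits[rip] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in stuck_loc_srv(SAMPLE_NETSTAT).items():
        print(f"{host}: {n} CLOSE_WAIT connection(s) on port 135")
```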

    You cannot kill  the rpcss process  from the GUI,  however you can
    use the kill.exe program from the NT Resource Kit to stop it. You may
    restart  it  using  the  GUI  if  you like. Any services that were
    bound to  portmapper will  have to  be restarted  as well. Or, you
    can simply reboot instead.



EXPLOIT

  

SOLUTION


    Hotfix can be found at:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix

    Under NT 4.0, you can  protect against this by going  into Control
    Panel, Networks,  Protocols, TCP/IP  Properties, Advanced,  Enable
    Security, Configure.  Then set it to only permit connections  from
    ports 137 and 139 (plus whatever else you need, like FTP).

    If you are not hosting RPC applications that need to be available
    via TCP or UDP, you can temporarily fix this problem by changing
    the following named values in the registry:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ServerProtocols: ncacn_ip_tcp
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ServerProtocols: ncadg_ip_udp

    Change the data of each of these named values to something like
    "rpcltscm.dll-xxx" so that it is easy to restore if you need to.
    This will disable incoming RPC requests over TCP/IP and UDP/IP
    (but not over SMB).  As usual, reboot your machine for these
    changes to take effect.