Microsoft KB Archive/331953

= MS03-010: Flaw in RPC endpoint mapper could allow Denial of Service attacks =

Article ID: 331953

Article Last Modified on 12/1/2007


APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition




This article was previously published under Q331953



SYMPTOMS
There is a vulnerability in the part of the remote procedure call (RPC) functionality that deals with message exchange over TCP/IP. The vulnerability results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper service allows RPC clients to determine the port number currently assigned to a particular RPC service.



CAUSE
Microsoft has provided updates to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft cannot provide an update for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to use the workaround that is discussed in the MS03-010 Security Bulletin. You can use this workaround to help protect the Windows NT 4.0 system with a firewall that blocks port 135. To view the MS03-010 Security Bulletin, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx

Mitigating factors
 * To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper service that is running on the destination computer. For intranet environments, Endpoint Mapper is typically accessible. However, for Internet-connected computers, the port that is used by Endpoint Mapper is typically blocked by a firewall. In a scenario where this port is not blocked or in an intranet configuration, the attacker would not require any additional administrative credentials.
 * Best practices recommend blocking all TCP/IP ports that are not actually being used. Therefore, most computers attached to the Internet will have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

For more information about how to secure RPC for client and server, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa379441.aspx

For more information about the ports used by RPC, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/4dbc4c95-935b-4617-b4f8-20fc947c72881033.mspx?mfr=true

 * This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to modify or retrieve data on the remote computer.



Windows XP
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows 2000
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 Service Pack

Download information
The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home Edition

Download the 331953 package now.

Windows XP 64-bit Edition:

Download the 331953 package now.

Windows 2000

All languages except Japanese NEC:

Download the 331953 package now.

Japanese NEC:

Download the 331953 package now.

Release Date: March 25, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites
The Windows 2000 version of this update requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation information
This update supports the following Setup program switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed hotfixes.
 * /x : Extract the files without running the Setup program.

For example, to install the update without any user intervention and without forcing the computer to restart, use the following command line:

q331953_wxp_sp2_x86_enu /u /q /z

To verify the update is installed on your computer, confirm that the following registry key exists:

Windows XP:

 

Windows XP with Service Pack 1 (SP1):

 

Windows 2000:

 

Uninstall information
To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this update. Spuninst.exe is in the %Windir%\$NTUninstallQ331953$\Spuninst folder. The utility supports the following Setup program switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Restart requirement
You must restart your computer after you apply this update because this update replaces core system binaries that are loaded during system startup. Your computer is vulnerable until you restart it.

File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP with Service Pack 1 (SP1)

 Date         Time   Version        Size     File name
 07-Nov-2002  22:47  5.1.2600.1140  505,856  Rpcrt4.dll

Windows XP

 Date         Time   Version       Size     File name
 08-Nov-2002  02:16  5.1.2600.105  439,296  Rpcrt4.dll

Windows 2000

 Date         Time   Version        Size     File name
 25-Oct-2002  22:07  5.0.2195.6089  943,376  Ole32.dll
 25-Oct-2002  22:07  5.0.2195.6106  429,840  Rpcrt4.dll
 25-Oct-2002  22:07  5.0.2195.6089  184,592  Rpcss.dll

You can also verify the files that this update installed by reviewing the following registry key:

Windows XP with Service Pack 1 (SP1):

 

Windows XP:

 

Windows 2000:

 



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.

Windows 2000
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
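
For hosts that are below these service packs, the file versions in the File information table above are the practical check. The following is an added example, not part of the original article: it audits a collected file-version inventory against the table's minimum versions. The branch labels, host names and inventory rows are constructed for illustration.

```python
# Added example: audit file versions against the minimums in the KB 331953 table.
# The inventory rows are constructed sample data, not output from a real host.

# Minimum patched versions copied from the "File information" table.
# Keys are (OS branch, file name); the branch labels are this example's own.
PATCHED = {
    ("winxp-sp1", "rpcrt4.dll"): "5.1.2600.1140",
    ("winxp",     "rpcrt4.dll"): "5.1.2600.105",
    ("win2000",   "ole32.dll"):  "5.0.2195.6089",
    ("win2000",   "rpcrt4.dll"): "5.0.2195.6106",
    ("win2000",   "rpcss.dll"):  "5.0.2195.6089",
}

def parse_version(text):
    """Turn '5.1.2600.1140' into (5, 1, 2600, 1140) so fields compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a four-part file version: %r" % text)
    return parts

def audit(inventory):
    """Return sorted (host, file, status) for rows of (host, branch, file, version)."""
    findings = []
    for host, branch, name, version in inventory:
        minimum = PATCHED.get((branch, name.lower()))
        if minimum is None:
            status = "no-baseline"  # e.g. Windows NT 4.0: the article offers no update
        elif parse_version(version) >= parse_version(minimum):
            status = "patched"      # the table lists these attributes "or later"
        else:
            status = "vulnerable"
        findings.append((host, name, status))
    return sorted(findings)

# Constructed inventory. WS-02 shows why the branch matters: 5.1.2600.1106 is
# above the Windows XP minimum but below the Windows XP SP1 minimum.
SAMPLE = [
    ("WS-01",  "winxp",     "Rpcrt4.dll", "5.1.2600.105"),
    ("WS-02",  "winxp-sp1", "Rpcrt4.dll", "5.1.2600.1106"),
    ("SRV-01", "win2000",   "Rpcrt4.dll", "5.0.2195.6106"),
    ("SRV-01", "win2000",   "Rpcss.dll",  "5.0.2195.5000"),
    ("NT-01",  "winnt4",    "Rpcrt4.dll", "4.0.1381.7000"),
]

if __name__ == "__main__":
    for host, name, status in audit(SAMPLE):
        print("%-7s %-11s %s" % (host, name, status))
```

Hosts reported as no-baseline, such as Windows NT 4.0 systems, depend on the port 135 firewall workaround instead of a file update.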


MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-010.mspx

Additional query words: security_patch

Keywords: atdownload kbwinxpsp2fix kberrmsg kbwin2ksp4fix kbsecvulnerability kbsecurity kbsecdos kbsecbulletin kbwinxppresp2fix kbbug kbfix kbwin2000presp4fix KB331953


© Microsoft Corporation. All rights reserved.