Microsoft Remote Procedure Call (RPC) Server Vulnerability

> In article <en#XuhEYDHA.2648@TK2MSFTNGP09.phx.gbl>, king@hotmail.com

> > http://www.ciac.org/ciac/bulletins/l-126.shtml
> >
> > Several people called me, in hysterical panic telling me their computers
> > restarted, I was on LINUX at the moment and rebooted
> > to XP to see how I could help them, to my amazment my computer restarted
> > too!!!
> >
> > this was an ATTACK!!!! so I disabled the RPC services and I am posting

> > for the people who are looking for solutions.
> >
> > What I did was firewalled XP, and disabled one of the RPC services and

> > the other one to not be able to restart the computer.
> > Then I did an XP update from the windows update site.
> >
> > Now my ps has not rebooted... I think this is creating GLOBAL chaos!!!
> >
> > Kenny
> > www.computerboom.net
> > www.talentgrid.com
> >
> >
> >
> >
> > Privacy and Legal Notice
> >
> > INFORMATION BULLETIN
> > L-126: Microsoft Remote Procedure Call (RPC) Server Vulnerability
> > [Microsoft Security Bulletin MS01-041]
> > July 30, 2001 17:00 GMT

>
> --------------------------------------------------------------------------

> >
> > PROBLEM: A malformed RPC request can cause a denial of service.
> > PLATFORM: Those running any of the following products:
> > a.. Microsoft Exchange Server 5.5
> > b.. Microsoft Exchange Server 2000
> > c.. Microsoft SQL Server 7.0
> > d.. Microsoft SQL Server 2000
> > e.. Microsoft Windows NT 4.0
> > f.. Microsoft Windows 2000
> >
> > DAMAGE: The level of damage could range from minor (e.g., the

> > temporarily hanging) to major (e.g., the service failing in a way that

> > require the entire system to be restarted).
> > SOLUTION: Apply the patches and proper firewalling as indicated in

> > bulletin.
> >

>
> --------------------------------------------------------------------------

> >
> > VULNERABILITY
> > ASSESSMENT: The risk is LOW. Proper firewalling would help

> > the possibility of attacks by Internet-based users.
> >

>
> --------------------------------------------------------------------------

> >
> > LINKS:
> > CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/l-126.shtml
> >

>
> --------------------------------------------------------------------------

> >
> >
> > [***** Start Microsoft Security Bulletin MS01-041 *****]
> >
> > - ----------------------------------------------------------------------
> > Title: Malformed RPC Request Can Cause Service Failure
> > Date: 26 July 2001
> > Software: Exchange Server 5.5, Exchange Server 2000,
> > SQL Server 7.0, SQL Server 2000, Windows NT 4.0,
> > Windows 2000
> > Impact: Denial of service
> > Bulletin: MS01-041
> >
> >
> > Microsoft encourages customers to review the Security Bulletin at:
> > http://www.microsoft.com/technet/sec...n/MS01-041.asp
> > - ----------------------------------------------------------------------
> >
> >
> > Issue:
> > ======
> > Several of the RPC servers associated with system services in
> > Microsoft Exchange, SQL Server, Windows NT 4.0 and Windows 2000 do not
> > adequately validate inputs, and in some cases will accept invalid
> > inputs that prevent normal processing. The specific input values at
> > issue here vary from RPC server to RPC server.
> >
> > An attacker who sent such inputs to an affected RPC server could
> > disrupt its service. The precise type of disruption would depend on
> > the specific service, but could range in effect from minor (e.g., the
> > service temporarily hanging) to major (e.g., the service failing in a
> > way that would require the entire system to be restarted).
> >
> >
> > Mitigating Factors:
> > ====================
> > - Proper firewalling would help minimize an affected system's
> > exposure to attack by Internet-based users. In general, a
> > firewall should block access to all RPC services except
> > those that are specifically intended for use by untrusted users.
> >
> >
> > Patch Availability:
> > ===================
> > - A patch is available to fix this vulnerability. Please read the
> > Security Bulletin
> > http://www.microsoft.com/technet/sec...n/ms01-041.asp
> > for information on obtaining this patch.
> >
> >
> > Acknowledgment:
> > ===============
> > - Bindview's Razor Team (http://razor.bindview.com)
> >
> >
> > - ---------------------------------------------------------------------
> >
> >
> > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> > "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> > WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> > MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> > SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
> > WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
> > LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT

> > OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
> > DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF

> > FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
> > NOT APPLY.
> >
> > [***** End Microsoft Security Bulletin MS01-041 *****]
> >
> >

>
> --------------------------------------------------------------------------

> > ----
> > CIAC wishes to acknowledge the contributions of Microsoft for the
> > information contained in this bulletin.

>
> --------------------------------------------------------------------------

> > ----
> > CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC

> > be contacted at:
> > Voice: +1 925-422-8193 (7 x 24)
> > FAX: +1 925-423-8002
> > STU-III: +1 925-423-2604
> > E-mail: ciac@ciac.org
> > World Wide Web: http://www.ciac.org/
> > Anonymous FTP: ftp.ciac.org
> >

>
> --------------------------------------------------------------------------

> > ----
> > This document was prepared as an account of work sponsored by an agency

> > the United States Government. Neither the United States Government nor

> > University of California nor any of their employees, makes any warranty,
> > express or implied, or assumes any legal liability or responsibility for

> > accuracy, completeness, or usefulness of any information, apparatus,
> > product, or process disclosed, or represents that its use would not

> > privately owned rights. Reference herein to any specific commercial
> > products, process, or service by trade name, trademark, manufacturer, or
> > otherwise, does not necessarily constitute or imply its endorsement,
> > recommendation or favoring by the United States Government or the

> > of California. The views and opinions of authors expressed herein do not
> > necessarily state or reflect those of the United States Government or

> > University of California, and shall not be used for advertising or

> > endorsement purposes.

>
> --------------------------------------------------------------------------

> > ----
> > UCRL-MI-119788
> > [Privacy and Legal Notice]
> >
> >
> >

>
> Look at this site for some info about this worm.
>
>
> http://isc.sans.org/diary.html?date=2003-08-11
>
>
> --
> Claude

> http://www.ciac.org/ciac/bulletins/l-126.shtml
>
> Several people called me, in hysterical panic telling me their computers
> restarted, I was on LINUX at the moment and rebooted
> to XP to see how I could help them, to my amazment my computer restarted
> too!!!
>
> this was an ATTACK!!!! so I disabled the RPC services and I am posting

> for the people who are looking for solutions.
>
> What I did was firewalled XP, and disabled one of the RPC services and

> the other one to not be able to restart the computer.
> Then I did an XP update from the windows update site.
>
> Now my ps has not rebooted... I think this is creating GLOBAL chaos!!!
>
> Kenny
> www.computerboom.net
> www.talentgrid.com
>
>
>
>
> Privacy and Legal Notice
>
> INFORMATION BULLETIN
> L-126: Microsoft Remote Procedure Call (RPC) Server Vulnerability
> [Microsoft Security Bulletin MS01-041]
> July 30, 2001 17:00 GMT
> --------------------------------------------------------------------------
>
> PROBLEM: A malformed RPC request can cause a denial of service.
> PLATFORM: Those running any of the following products:
> a.. Microsoft Exchange Server 5.5
> b.. Microsoft Exchange Server 2000
> c.. Microsoft SQL Server 7.0
> d.. Microsoft SQL Server 2000
> e.. Microsoft Windows NT 4.0
> f.. Microsoft Windows 2000
>
> DAMAGE: The level of damage could range from minor (e.g., the

> temporarily hanging) to major (e.g., the service failing in a way that

> require the entire system to be restarted).
> SOLUTION: Apply the patches and proper firewalling as indicated in

> bulletin.
>
> --------------------------------------------------------------------------
>
> VULNERABILITY
> ASSESSMENT: The risk is LOW. Proper firewalling would help minimize
> the possibility of attacks by Internet-based users.
>
> --------------------------------------------------------------------------
>
> LINKS:
> CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/l-126.shtml
>
> --------------------------------------------------------------------------
>
>
> [***** Start Microsoft Security Bulletin MS01-041 *****]
>
> - ----------------------------------------------------------------------
> Title: Malformed RPC Request Can Cause Service Failure
> Date: 26 July 2001
> Software: Exchange Server 5.5, Exchange Server 2000,
> SQL Server 7.0, SQL Server 2000, Windows NT 4.0,
> Windows 2000
> Impact: Denial of service
> Bulletin: MS01-041
>
>
> Microsoft encourages customers to review the Security Bulletin at:
> http://www.microsoft.com/technet/sec...n/MS01-041.asp
> - ----------------------------------------------------------------------
>
>
> Issue:
> ======
> Several of the RPC servers associated with system services in
> Microsoft Exchange, SQL Server, Windows NT 4.0 and Windows 2000 do not
> adequately validate inputs, and in some cases will accept invalid
> inputs that prevent normal processing. The specific input values at
> issue here vary from RPC server to RPC server.
>
> An attacker who sent such inputs to an affected RPC server could
> disrupt its service. The precise type of disruption would depend on
> the specific service, but could range in effect from minor (e.g., the
> service temporarily hanging) to major (e.g., the service failing in a
> way that would require the entire system to be restarted).
>
>
> Mitigating Factors:
> ====================
> - Proper firewalling would help minimize an affected system's
> exposure to attack by Internet-based users. In general, a
> firewall should block access to all RPC services except
> those that are specifically intended for use by untrusted users.
>
>
> Patch Availability:
> ===================
> - A patch is available to fix this vulnerability. Please read the
> Security Bulletin
> http://www.microsoft.com/technet/sec...n/ms01-041.asp
> for information on obtaining this patch.
>
>
> Acknowledgment:
> ===============
> - Bindview's Razor Team (http://razor.bindview.com)
>
>
> - ---------------------------------------------------------------------
>
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
> "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
> WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
> SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
> WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
> LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
> OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
> DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
> FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
> NOT APPLY.
>
> [***** End Microsoft Security Bulletin MS01-041 *****]
>
>
> --------------------------------------------------------------------------

> ----
> CIAC wishes to acknowledge the contributions of Microsoft for the
> information contained in this bulletin.
> --------------------------------------------------------------------------

> ----
> CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
> be contacted at:
> Voice: +1 925-422-8193 (7 x 24)
> FAX: +1 925-423-8002
> STU-III: +1 925-423-2604
> E-mail: ciac@ciac.org
> World Wide Web: http://www.ciac.org/
> Anonymous FTP: ftp.ciac.org
>
> --------------------------------------------------------------------------

> ----
> This document was prepared as an account of work sponsored by an agency of
> the United States Government. Neither the United States Government nor the
> University of California nor any of their employees, makes any warranty,
> express or implied, or assumes any legal liability or responsibility for

> accuracy, completeness, or usefulness of any information, apparatus,
> product, or process disclosed, or represents that its use would not

> privately owned rights. Reference herein to any specific commercial
> products, process, or service by trade name, trademark, manufacturer, or
> otherwise, does not necessarily constitute or imply its endorsement,
> recommendation or favoring by the United States Government or the

> of California. The views and opinions of authors expressed herein do not
> necessarily state or reflect those of the United States Government or the
> University of California, and shall not be used for advertising or product
> endorsement purposes.
> --------------------------------------------------------------------------

> ----
> UCRL-MI-119788
> [Privacy and Legal Notice]
>
>