RPC Spoofing Denial of Service on Windows NT
A security vulnerability exists in the way that Microsoft® Windows NT® processes bad Remote Procedure Call (RPC) datagrams. A malicious attacker can send an RPC datagram to a server and spoof the return address so that the datagram appears to have come from another server. This tricks the two servers into erroneously sending RPC error messages to each other, causing a temporary loop that results in high CPU utilization and network bandwidth consumption until the bad packets are discarded.
Issue
It is possible for a malicious attacker to send spoofed RPC datagrams to UDP destination port 135 so that it appears as if one RPC server sent bad data to another RPC server. The second server returns a REJECT packet, and the first server (the spoofed server) replies with another REJECT packet, creating a loop that is not broken until a packet is dropped, which could take a few minutes. If this spoofed UDP packet is sent to multiple computers, a loop could possibly be created, consuming processor resources and network bandwidth.
The following are additional notes about this issue:
- It is relatively easy to detect a malicious attack of this kind by using a network analyzer to watch for bad RPC packets. Also, during an attack, the RPCSS.EXE service will consume a very large amount of CPU cycles (during an active, ongoing attack, it will consume 100% of CPU cycles).
- Systems that are currently in an error loop (sending error messages back and forth) will recover by themselves shortly after the attacker has stopped sending spoofed packets.
- If two systems are currently in an error loop (sending error messages back and forth), momentarily disconnecting one system from the network will end that loop, since UDP packets are connectionless.
- These error packets are addressed to UDP port 135 and can be filtered at a corporate firewall to protect against external attackers.
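The network-analyzer check from the notes above can be automated. The following is an added example, not part of the original advisory: it flags host pairs that bounce REJECT packets at each other on UDP port 135. The packet tuple layout, the `window` and `threshold` values and the sample addresses are assumptions; the header bytes follow the connectionless DCE/RPC PDU format (version 4, packet type 6 for REJECT).

```python
from collections import defaultdict

RPC_PORT = 135          # UDP port named in the advisory
CL_RPC_VERSION = 4      # rpc_vers byte of a connectionless DCE/RPC header
PTYPE_REJECT = 6        # ptype byte of a connectionless REJECT PDU

def is_reject(payload: bytes) -> bool:
    """True if the UDP payload starts like a connectionless RPC REJECT PDU."""
    return len(payload) >= 2 and payload[0] == CL_RPC_VERSION and payload[1] == PTYPE_REJECT

def find_reject_loops(packets, window=1.0, threshold=20):
    """Return {(host_a, host_b): peak_count} for host pairs that REJECT each other.

    packets: iterable of (timestamp, src_ip, dst_ip, dst_port, udp_payload),
    sorted by timestamp. A pair is reported when at least `threshold` REJECTs
    to UDP 135 fall inside `window` seconds AND both hosts sent some of them.
    window and threshold are assumed tuning values, not from the advisory.
    """
    recent = defaultdict(list)   # pair -> [(ts, src)] inside the sliding window
    loops = {}
    for ts, src, dst, dport, payload in packets:
        if dport != RPC_PORT or not is_reject(payload):
            continue
        pair = tuple(sorted((src, dst)))
        events = recent[pair]
        events.append((ts, src))
        while events and ts - events[0][0] > window:
            events.pop(0)        # expire entries older than the window
        senders = {s for _, s in events}
        if len(events) >= threshold and len(senders) == 2:
            loops[pair] = max(loops.get(pair, 0), len(events))
    return loops

def build_sample():
    """Constructed traffic: one REJECT ping-pong plus packets that must not alert."""
    reject = bytes([4, 6]) + bytes(78)    # constructed payload; only bytes 0-1 matter
    request = bytes([4, 0]) + bytes(78)   # ptype REQUEST, ignored by the detector
    pkts = []
    for i in range(60):                   # 10.0.0.5 <-> 10.0.0.9 bouncing REJECTs
        a, b = ("10.0.0.5", "10.0.0.9") if i % 2 == 0 else ("10.0.0.9", "10.0.0.5")
        pkts.append((i * 0.01, a, b, 135, reject))
    for i in range(30):                   # one-way REJECTs only: not a loop
        pkts.append((i * 0.01, "10.0.0.7", "10.0.0.8", 135, reject))
    pkts.append((0.5, "10.0.0.3", "10.0.0.4", 135, request))
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    for pair, peak in find_reject_loops(build_sample()).items():
        print(f"REJECT loop between {pair[0]} and {pair[1]}: peak {peak} packets per window")
```

Requiring REJECTs from both hosts of a pair is what separates the loop described here from a single server rejecting a misbehaving client.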
Affected Products
- Windows NT Server, Terminal Server and Workstation 4.0
Solution
Users should upgrade to the latest Windows NT Service Pack (higher than SP3) to update their installation with the latest software patches.
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: September 29, 1998


