The RPC locator service runs one RPC service, available on the following endpoint:
```
Y:\>ifids -p ncacn_np -e \pipe\locator \\.
Interfaces: 3
  d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0
  d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0
  d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0
```

Table 4.58. NsiS operations

| Interface | Operation number | Operation name |
|---|---|---|
| d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0: NsiS | | |
| | 0x00 | nsi_binding_export |
| | 0x01 | nsi_binding_unexport |

Table 4.59. NsiC operations

| Interface | Operation number | Operation name |
|---|---|---|
| d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0: NsiC | | |
| | 0x00 | nsi_binding_lookup_begin |
| | 0x01 | nsi_binding_lookup_done |
| | 0x02 | nsi_binding_lookup_next |
| | 0x03 | nsi_mgmt_handle_set_exp_age |

Table 4.60. NsiM operations

| Interface | Operation number | Operation name |
|---|---|---|
| d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0: NsiM | | |
| | 0x00 | nsi_group_delete |
| | 0x01 | nsi_group_mbr_add |
| | 0x02 | nsi_group_mbr_remove |
| | 0x03 | nsi_group_mbr_inq_begin |
| | 0x04 | nsi_group_mbr_inq_next |
| | 0x05 | nsi_group_mbr_inq_done |
| | 0x06 | nsi_profile_delete |
| | 0x07 | nsi_profile_elt_add |
| | 0x08 | nsi_profile_elt_remove |
| | 0x09 | nsi_profile_elt_inq_begin |
| | 0x0a | nsi_profile_elt_inq_next |
| | 0x0b | nsi_profile_elt_inq_done |
| | 0x0c | nsi_entry_object_inq_begin |
| | 0x0d | nsi_entry_object_inq_next |
| | 0x0e | nsi_entry_object_inq_done |
| | 0x0f | nsi_entry_expand_name |
| | 0x10 | nsi_mgmt_binding_unexport |
| | 0x11 | nsi_mgmt_entry_delete |
| | 0x12 | nsi_mgmt_entry_create |
| | 0x13 | nsi_mgmt_entry_inq_if_ids |
| | 0x14 | nsi_mgmt_inq_exp_age |
| | 0x15 | nsi_mgmt_inq_set_age |

A vulnerability in the locator service was published by David Litchfield in January 2003 [75]. It was fixed by the MS03-001 Microsoft security patch [76].
As the locator named pipe is one of the named pipes that can be accessed in the context of a NULL session, this vulnerability can be exploited remotely without any authentication.