4.10.14. RPC locator service

The RPC locator service runs one RPC service, available on the following named pipe endpoint, where it exposes three interfaces:

Y:\>ifids -p ncacn_np -e \pipe\locator \\.
Interfaces: 3
  d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0
  d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0
  d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0

Table 4.58. NsiS operations

Interface: d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0: NsiS

Operation number   Operation name
0x00               nsi_binding_export
0x01               nsi_binding_unexport

Table 4.59. NsiC operations

Interface: d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0: NsiC

Operation number   Operation name
0x00               nsi_binding_lookup_begin
0x01               nsi_binding_lookup_done
0x02               nsi_binding_lookup_next
0x03               nsi_mgmt_handle_set_exp_age

Table 4.60. NsiM operations

Interface: d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0: NsiM

Operation number   Operation name
0x00               nsi_group_delete
0x01               nsi_group_mbr_add
0x02               nsi_group_mbr_remove
0x03               nsi_group_mbr_inq_begin
0x04               nsi_group_mbr_inq_next
0x05               nsi_group_mbr_inq_done
0x06               nsi_profile_delete
0x07               nsi_profile_elt_add
0x08               nsi_profile_elt_remove
0x09               nsi_profile_elt_inq_begin
0x0a               nsi_profile_elt_inq_next
0x0b               nsi_profile_elt_inq_done
0x0c               nsi_entry_object_inq_begin
0x0d               nsi_entry_object_inq_next
0x0e               nsi_entry_object_inq_done
0x0f               nsi_entry_expand_name
0x10               nsi_mgmt_binding_unexport
0x11               nsi_mgmt_entry_delete
0x12               nsi_mgmt_entry_create
0x13               nsi_mgmt_entry_inq_if_ids
0x14               nsi_mgmt_inq_exp_age
0x15               nsi_mgmt_inq_set_age

A vulnerability in the locator service was published by David Litchfield in January 2003 [75]. It was fixed by the MS03-001 Microsoft security patch [76].

As the locator named pipe is one of the named pipes that can be accessed in the context of a NULL session, this vulnerability can be exploited remotely without any authentication.
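
For monitoring access to this service, the following added example (not part of the original document) parses a connection-oriented DCE/RPC bind PDU and reports any of the three locator interfaces listed above, handling both integer byte orders for the UUID fields. The function names, the constructed sample PDU and the use of the standard NDR transfer syntax in it are assumptions of the example.

```python
import struct
import uuid

# Interface UUIDs and names as listed in the ifids output and tables above.
LOCATOR_INTERFACES = {
    uuid.UUID("d6d70ef0-0e3b-11cb-acc3-08002b1d29c3"): "NsiS",
    uuid.UUID("d3fbb514-0e3b-11cb-8fad-08002b1d29c3"): "NsiC",
    uuid.UUID("d6d70ef0-0e3b-11cb-acc3-08002b1d29c4"): "NsiM",
}
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax, v2

def locator_binds(pdu: bytes):
    """Return [(context_id, name, 'major.minor')] for locator interfaces in a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:   # rpc_vers 5, PTYPE 11 = bind
        return []
    little = pdu[4] >> 4 == 1        # drep[0] high nibble: 1 = little-endian integers
    e = "<" if little else ">"
    end = min(struct.unpack_from(e + "H", pdu, 8)[0], len(pdu))  # frag_length
    hits, off = [], 28               # 16-byte header + 8 bytes bind fields + 4 list header
    for _ in range(pdu[24]):         # n_context_elem
        if off + 24 > end:
            break                    # truncated context element
        ctx_id, n_syn = struct.unpack_from(e + "HBx", pdu, off)
        raw = pdu[off + 4:off + 20]
        # UUID fields follow the PDU's integer byte order, hence bytes_le vs bytes.
        if_uuid = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        ver = struct.unpack_from(e + "I", pdu, off + 20)[0]  # major low 16 bits, minor high
        if if_uuid in LOCATOR_INTERFACES:
            hits.append((ctx_id, LOCATOR_INTERFACES[if_uuid], f"{ver & 0xFFFF}.{ver >> 16}"))
        off += 24 + 20 * n_syn       # skip the transfer syntaxes
    return hits

def sample_bind(interfaces, little=True):
    """Constructed bind PDU (not a capture) offering the given interface UUIDs at v1.0."""
    e = "<" if little else ">"
    enc = (lambda u: u.bytes_le) if little else (lambda u: u.bytes)
    body = struct.pack(e + "HHIBxxx", 4280, 4280, 0, len(interfaces))
    for i, u in enumerate(interfaces):
        body += struct.pack(e + "HBx", i, 1) + enc(u) + struct.pack(e + "I", 1)
        body += enc(NDR) + struct.pack(e + "I", 2)
    drep = bytes([0x10 if little else 0x00, 0, 0, 0])
    hdr = struct.pack(e + "BBBB4sHHI", 5, 0, 11, 0x03, drep, 16 + len(body), 0, 1)
    return hdr + body

if __name__ == "__main__":
    print(locator_binds(sample_bind(list(LOCATOR_INTERFACES))))
```

On real traffic the bind PDU is carried inside SMB writes or transactions on the \pipe\locator pipe, so it has to be extracted from that transport before being passed to locator_binds.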