4.16. MSRPC vulnerabilities

4.16. MSRPC vulnerabilities
Prev	Chapter 4. MSRPC, a.k.a. Microsoft implementation of DCE RPC	Next

Over the last years, several security vulnerabilities were discovered in the Windows MSRPC subsystem.

Follows a list of Microsoft security patches that fixed vulnerabilities related to MSRPC, either in the MSRPC subsystem or in system components running MSRPC services:

MS98-014: RPC Spoofing Denial of Service on Windows NT (CVE-1999-0969)
MS98-017: Named Pipes Over RPC Vulnerability (CVE-1999-1127)
MS99-020: Malformed LSA Request Vulnerability (CVE-1999-0721)
MS99-055: Malformed Resource Enumeration Argument Vulnerability (CVE-1999-0980)
MS99-057 Malformed Security Identifier Request Vulnerability (CVE-1999-0995)
MS00-003 Spoofed LPC Port Request Vulnerability (CVE-2000-0070)
MS00-040 Remote Registry Access Authentication Vulnerability (CVE-2000-0377)
MS00-062 Local Security Policy Corruption Vulnerability (CVE-2000-0771)
MS00-066 Malformed RPC Packet Vulnerability
MS00-070 Multiple LPC and LPC Ports Vulnerabilities
MS01-041 Malformed RPC Request Can Cause Service Failure (CVE-2001-0509)
MS01-048 Malformed Request to RPC Endpoint Mapper can Cause RPC Service to Fail (CVE-2001-0662)
MS03-001 Unchecked Buffer in Locator Service Could Lead to Code Execution (CVE-2003-0003)
MS03-010 Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (CVE-2002-1561)
MS03-026 Buffer Overrun in RPC Interface Could Allow Code Execution (CVE-2003-0352)
MS03-039 Buffer Overrun in RPCSS Service Could Allow Code Execution (CVE-2003-0528, CVE-2003-0605, CVE-2003-0715)
MS03-043 Buffer Overrun in Messenger Service Could Allow Code Execution (CVE-2003-0717)
MS03-049 Buffer Overrun in the Workstation Service Could Allow Code Execution (CVE-2003-0812)
MS04-011 LSASS vulnerability (CVE-2003-0533)
MS04-012 RPC Runtime Library Vulnerability, RPCSS Service Vulnerability, COM Internet Services (CIS) - RPC over HTTP Vulnerability, Object Identity Vulnerability (CVE-2003-0807, CVE-2003-0813, CVE-2004-0116, CVE-2004-0124)
MS04-029 Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (CVE-2004-0569)
MS04-031 Vulnerability in NetDDE Could Allow Remote Code Execution (CVE-2004-0206)
MS04-044 Windows Kernel Vulnerability (CVE-2004-0893)
MS05-007 Vulnerability in Windows Could Allow Information Disclosure (CVE-2005-0051)
MS05-010 Vulnerability in the License Logging Service Could Allow Code Execution (CVE-2005-0050)
MS05-017 Vulnerability in Message Queuing Could Allow Code Execution (CVE-2005-0059)
MS05-039 Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (CVE-2005-1983)
MS05-040 Vulnerability in Telephony Service Could Allow Remote Code Execution (CVE-2005-0058)
MS05-043 Vulnerability in Print Spooler Service Could Allow Remote Code Execution (CVE-2005-1984)
MS05-046 Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (CVE-2005-1985)
MS05-047 Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (CVE-2005-2120)
MS05-051 Vulnerability in MSDTC and COM+ Could Allow Remote Code Execution (CVE-2005-2119)
MS06-008 Vulnerability in Web Client Service Could Allow Remote Code Execution (CVE-2006-0013)
MS06-018 Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (CVE-2006-0034, CVE-2006-1184)

The following table lists the MSRPC interfaces that were affected by vulnerabilities:

Table 4.135. Vulnerabilities in MSRPC interfaces

Microsoft Security Bulletin	Publication Date	Affected MSRPC interface(s)	Affected software	Reference
MS99-020	June 23, 1999	lsarpc	Windows NT 4.0	CVE-1999-0721
MS99-055	December 09, 1999	srvsvc	Windows NT 4.0	CVE-1999-0980
MS99-057	December 16, 1999	lsarpc	Windows NT 4.0	CVE-1999-0995
MS00-040	June 08, 2000	winreg	Windows NT 4.0	CVE-2000-0377
MS00-062	August 28, 2000	lsarpc	Windows 2000	CVE-2000-0771
MS01-041	July 26, 2001	Multiple interfaces	Windows NT 4.0, 2000, Exchange, SQL Server	CVE-2001-0509
MS01-048	September 10, 2001	epmp	Windows NT 4.0	CVE-2001-0662
MS03-001	January 22, 2003	locator	Windows NT 4.0, 2000, XP	CVE-2003-0003
MS03-010	March 26, 2003	epmp	Windows NT 4.0, 2000, XP	CVE-2002-1561
MS03-026	July 16, 2003	ISystemActivator, IRemoteActivation (IActivation)	Windows NT 4.0, 2000, XP, Server 2003	CVE-2003-0352
MS03-039	September 10, 2003	ISystemActivator, IRemoteActivation (IActivation)	Windows NT 4.0, 2000, XP, Server 2003	CVE-2003-0528, CVE-2003-0605, CVE-2003-0715
MS03-043	October 15, 2003	msgsvc	Windows NT 4.0, 2000, XP, Server 2003	CVE-2003-0717
MS03-049	November 11, 2003	wkssvc	Windows 2000, XP	CVE-2003-0812
MS04-011	April 13, 2004	dssetup	Windows 2000, XP	CVE-2003-0533
MS04-012	April 13, 2004	IRemoteActivation (IActivation)	Windows 2000, XP	CVE-2004-0116, CVE-2004-0124
MS04-031	October 12, 2004	nddeapi	Windows NT 4.0, 2000, XP, Server 2003	CVE-2004-0206
MS05-007	February 8. 2005	srvsvc	Windows XP	CVE-2005-0051
MS05-010	February 8, 2005	llsrpc	Windows NT 4.0, 2000, Server 2003	CVE-2005-0050
MS05-017	April 12, 2005	qmcomm	Windows 2000, XP SP1	CVE-2005-0059
MS05-039	August 9, 2005	pnp	Windows 2000, XP, Server 2003	CVE-2005-1983
MS05-040	August 9, 2005	tapsrv	Windows 2000, XP, Server 2003	CVE-2005-0058
MS05-043	August 9, 2005	spoolss	Windows 2000, XP, Server 2003	CVE-2005-1984
MS05-046	October 11, 2005	nwwks	Windows 2000, XP, Server 2003	CVE-2005-1985
MS05-047	October 11, 2005	pnp	Windows 2000, XP	CVE-2005-2120
MS05-051	October 11, 2005	IXnRemote	Windows 2000, XP, Server 2003	CVE-2005-2119
MS06-008	February 14, 2006	davclntrpc	Windows XP, Server 2003	CVE-2006-0013
MS06-018	May 9, 2006	IXnRemote	Windows 2000, XP, Server 2003	CVE-2006-0034, CVE-2006-1184

Interesting security advisories related to MSRPC:

Multiple remote DoS vulnerabilities in Microsoft DCE/RPC deamons (Todd Sabin, July 2001)
Windows 2000 DCOM clients may leak sensitive information onto the network (Todd Sabin, April 2002)
DCE RPC Vulnerabilities New Attack Vectors Analysis (Javier Kohen, Juliano Rizzo, December 2003)
Anonymous attackers can force DCOM applications into listening on the network (Todd Sabin, October 2004)

Other MSRPC-related bugs:

Telnet to Port 135 Causes 100 Percent CPU Usage (Windows NT 4.0)
Denial of Service in Applications Using RPC over Named Pipes (Windows NT 4.0)
A truncated Samba server response causes an access violation in the Lsass.exe program on a Windows XP-based client computer (Windows XP)

Prev	Up	Next
4.15. RPC interfaces restriction in Windows XP SP2, Windows Server 2003 SP1 and later versions	Home	4.17. MSRPC network traffic