
Hacking Windows: MSRPC vulnerabilities

In this book excerpt, learn why attackers are drawn to MSRPC exploits when conducting IIS attacks, and the weaknesses in MSRPC that enterprises struggle to secure.

Apparently frustrated by the gradual hardening of IIS over the years, hackers turned their attention to more fertile ground: Microsoft Remote Procedure Call (MSRPC) and the many programmatic interfaces it provides. MSRPC is derived from the Open Software Foundation RPC protocol, which has been implemented on other platforms for years. For those of you who are wondering why we include MSRPC under our discussion of proprietary Microsoft protocol attacks, MSRPC implements Microsoft-specific extensions that have historically separated it from other RPC implementations.

Many of these interfaces have been in Windows since its inception, providing plenty of attack surface for buffer-overflow exploits and the like. The MSRPC port mapper is advertised on TCP and UDP 135 by Windows systems, and cannot be disabled without drastically affecting the core functionality of the operating system. MSRPC interfaces are also available via other ports, including TCP/UDP 139, 445 or 593, and can also be configured to listen over a custom HTTP port via IIS or COM Internet Services.
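To see how much of that surface a given host actually presents, the following added example (not from the book) parses `netstat -ano` output and reports listeners on the four fixed ports named above that are bound to a non-loopback address. The sample output, function names and service labels are constructed for illustration, and the parser assumes the `-ano` column layout with a trailing PID.

```python
import ipaddress

# Ports the excerpt lists for MSRPC. The labels are the conventional service
# names (added here). Custom HTTP ports via IIS/CIS are site-specific and not covered.
MSRPC_PORTS = {135: "RPC port mapper", 139: "NetBIOS session",
               445: "SMB", 593: "RPC over HTTP"}

# Constructed sample of `netstat -ano` output; 192.0.2.0/24 is a documentation range.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING       884
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:49712       192.0.2.20:445         ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:135            *:*                                    884
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], int(port)

def exposed_msrpc_listeners(netstat_text):
    """Return (proto, addr, port, pid) for MSRPC ports bound off-loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto = fields[0]
        # TCP rows have a State column; UDP rows do not (bound sockets only).
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        addr, port = split_endpoint(fields[1])
        if port not in MSRPC_PORTS or ipaddress.ip_address(addr).is_loopback:
            continue
        findings.append((proto, addr, port, int(fields[-1])))
    return findings

if __name__ == "__main__":
    for proto, addr, port, pid in exposed_msrpc_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} ({MSRPC_PORTS[port]}) pid={pid}")
```

A listener bound to `0.0.0.0` or `[::]` is reachable on every interface, so each reported row is a port that network filtering has to cover.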

In July of 2003, The Last Stage of Delirium Research Group published one of the first serious salvos signaling renewed interest in Windows proprietary networking protocols. LSD identified a stack buffer overflow in the RPC interface implementing Distributed Component Object Model services (DCOM). Even Windows Server 2003's buffer overflow protection countermeasures (the /GS flag) failed to protect it from this vulnerability.

Hacking Exposed, Fifth Edition: Network Security Secrets & Solutions

In this excerpt of Hacking Exposed, Fifth Edition: Network Security Secrets & Solutions, authors Stuart McClure, Joel Scambray and George Kurtz introduce MSRPC vulnerabilities.

By Stuart McClure, Joel Scambray, George Kurtz; 692 pages; $49.99; McGraw-Hill/Osborne

A number of exploits, viruses and worms were published to take advantage of this vulnerability. One easy-to-use scanner is the Kaht II tool, which can be downloaded from Security Focus. Kaht II can scan a range of IP addresses, remotely exploit each system vulnerable to the RPC vulnerability and send back a shell running as SYSTEM. Talk about fire-and-forget exploitation!

Read the rest of this excerpt for MSRPC countermeasures and more.

This was last published in May 2005
