Re: [NTSEC] Forwarded From Bugtraq: NT4 bug? Or bug in my

[mikenel () netcom com (Michael Nelson)]

It appears that the RPC subsystem isn't gracefully handling bad packets sent to the
DCE RPC/MSRPC endpoint mapper at port 135.

If you are not hosting RPC applications that need to be available via TCP or UDP, you can
temporarily fix this problem by changing the following named values in the registry. . .

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ServerProtocols: ncacn_ip_tcp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ServerProtocols: ncadg_ip_udp

The named values currently contain "rpcltscm.dll"; change it to something like "rpcltscm.dll-xxx" so
that it is easy to restore if you need to. This will disable incoming RPC requests over TCP/IP and
UDP/IP (but not over SMB).

As usual, reboot your machine for these changes to take effect.

-mike

-----Original Message-----
From:   Ken Robson [SMTP:krobson () usa net]
Sent:   Wednesday, January 22, 1997 10:31 AM
To:     'ntsecurity () iss net'; 'luttgenj () kic or jp'
Subject:        [NTSEC] Forwarded From Bugtraq: NT4 bug? Or bug in my hardware? {ntsecurity}

Hi Folks,

I have repeated this here on compaq proliant's, etc.

Thanks,

Ken.

----------
From:   Jason T. Luttgens[SMTP:luttgenj () kic or jp]
Sent:   21 January 1997 21:25
To:     Multiple recipients of list BUGTRAQ
Subject:        NT4 bug? Or bug in my hardware?

Can anyone confirm this? On an NT4 server (maybe workstation too, I don't have it to try),
if you telnet to port 135, type a bunch of junk (say 10-20 characters), hit enter and disconnect,
the server's processor utilization will go up to 100%!!! The only fix I found was to reboot.
I tried with and without SP2.....same result. The installation is 'out of the box' with standard
default install options, of course including TCP/IP. I have no other NT4 servers to try this on
and was wondering if I could get someone to try and confirm this .....

Luck