MSRPC named pipe NULL session information disclosure
msrpc-name-pipe-null-information-disclosure (21286)
Description:
Microsoft Windows NT 4.0 and 2000 could allow a remote attacker to obtain sensitive information because of a vulnerability in the processing of named pipes for NULL sessions. A remote attacker can use the svcctl RPC interface to connect to the Service Control Manager and determine which services are installed or currently running on the targeted system, or possibly cause the system to start or stop a Windows service.
Platforms Affected:
- Microsoft, Windows 2000
- Microsoft, Windows NT 4.0
Remedy:
For Windows 2000 systems:
Apply the Update Rollup 1 for Windows 2000, as listed in Microsoft Knowledge Base Article 891861. See References.
As a workaround, modify specific registry entries and configuration options as listed in Microsoft Knowledge Base Article 842209. See References.
Consequences:
Obtain Information
References:
- Hervé Schauer Consultants Web site, MSRPC null sessions: exploitation and protection at http://www.hsc.fr/ressources/presentations/null_sessions/msrpc_null_sessions.pdf.
- Microsoft Knowledge Base Article 842209, You receive an "Access is denied" error message when you try to access an event log on a Windows Server 2003-based computer or on a Windows 2000-based computer at http://support.microsoft.com/kb/842209.
- Microsoft Knowledge Base Article 891861, Update Rollup 1 for Windows 2000 SP4 at http://support.microsoft.com/kb/891861.
- BID-14177: Microsoft Windows MSRPC SVCCTL Service Enumeration Vulnerability
- BID-14178: Microsoft Windows MSRPC Eventlog Information Disclosure Vulnerability
- CVE-2005-2150: Windows NT 4.0 and Windows 2000 before URP1 for Windows 2000 SP4 does not properly prevent NULL sessions from accessing certain alternate named pipes, which allows remote attackers to (1) list Windows services via svcctl or (2) read eventlogs via eventlog.
- SA14189: Windows Anonymous Named Pipe Connection Information Disclosure
- SECTRACK ID: 1014417: Microsoft Windows Named Pipe NULL Session Bugs in svcctl and eventlog RPC Interfaces Disclose Information to Remote Users
Reported:
Jul 07, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
