
List:       bugtraq
Subject:    Re: NT RPC Service Bug
From:       David LeBlanc <dleblanc () iss ! net>
Date:       1997-01-22 21:21:12

On 22 Jan 97 20:38:07 GMT, in maillist.bugtraq you wrote:

>  After you disconnect the rpcss.exe process will start consuming all
>available process cycles. NT does not allow you to kill rpcss.exe even
>under normal operation. You must reboot the machine to get rid of it. You
>will still be able to launch other applications (the NT scheduler will
>give them CPU time), but they will run very slowly and the CPU will stay
>at 100% utilization. The performance monitor shows that roughly rpcss.exe
>spends 20% of the time in user mode, and 80% of the time in system mode.

You can kill it if you use the right tool.  However, you may as well
reboot anyway.

Under NT 4.0, you can protect against this by going into Control
Panel, Networks, Protocols, TCP/IP Properties, Advanced, Enable
Security, Configure.  Then set it to only permit connections from
ports 137 and 139 (plus whatever else you need, like FTP).

We've tried this, and we can connect to the registry, event log,
service manager, user database, and map shares.  Frankly, I'm not sure
what good the RPC locator service really is.  Something will probably
break, but this is a better alternative than being at 100% CPU.

I have spoken with people at MS, and they tell me a fix is "imminent"
- maybe we'll actually see a patch in a few days.

Feel free to echo this to bugtraq.  I've already posted this
information to the ntsecurity list.
