Microsoft is getting off to a hot start in 2003. Its first Security Bulletin of the year (MS03-01) is rated critical because it addresses a flaw that can open up Windows NT 4 and Windows 2000 servers to arbitrary code execution by a remote attacker. This is a buffer overrun problem that is related to an unchecked buffer in the Locator service. A malformed request can cause the service to fail or run arbitrary code.

This vulnerability affects:

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0, Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP

To learn whether a particular installation is vulnerable, look up the status of the RPC Locator in the Windows Services applet (Control Panel | Administrative Tools | Services, in Win2K and WinXP, or Control Panel | Services in NT 4.0). Check the Startup column. If it says Automatic, the service starts by default. If it says Manual, it must be manually started.

To see a list of Windows services that are actually running at any time, simply open a command line and run net start. If Remote Procedure Call (RPC) Locator doesn’t show up on the list, it isn’t running.

Risk level–moderate to critical
For Windows NT 4.0 and Windows 2000 workstations and Terminal Server Edition, as well as for all Windows XP installations, Microsoft rates this as a moderate threat. For NT 4.0 and Win2K domain controllers, this is a critical threat.

Mitigating factors
The Locator service is enabled by default only on Windows 2000 and NT 4.0 domain controllers. Firewalls that block NetBIOS traffic would eliminate any opportunity for a remote attack using this flaw from outside. The network would remain vulnerable to an internal attack or to an external attack if there is no properly configured firewall and the Locator service is running.

Microsoft strongly recommends that NT 4.0 and Win2K domain controllers be patched immediately, while other affected systems should be patched “at the earliest opportunity.” See MS03-01 for links to the various available patches.

As a workaround, you can simply disable the Locator service if you don’t use it. Anyone with administrative access can set the RpcLocator service status to Disabled in the Services applet. To halt the Locator service from the command line, use the Sc.exe utility. For a description of this utility, just run sc. The command syntax is sc stop rpclocator. You can do this regardless of whether the service is running. If it isn’t, you’ll get the error message, “The service has not been started.”

To disable the service, Microsoft says to use this syntax: sc config rpclocator start= disabled. If successful, you will get a message similar to this: [SC] ChangeServiceConfig SUCCESS.

Sc.exe is included with WinXP and is a part of the Windows 2000 Resource Kit.

A Microsoft challenge
This is an example of the kind of vulnerability that is practically forced on Microsoft by the demands for backward compatibility with older products. That’s not an excuse for bad coding, but it does lead to a complex situation in which Microsoft must not only fix any new software but must also go back and fix all the known (and as-yet-undiscovered problems) in any software that the company still supports or with which the new software has to be backward compatible.

Final word
If you have a firewall in place, it should already be configured to block remote access to the Locator service. If it hasn’t been, this is a good opportunity to update the settings.

Looking at the bigger picture, the best way to mitigate problems with services such as this one is to make sure you don’t enable any services by default, adding them only as needed. That puts a major burden on administrators—something that’s critical to remember when looking at a lot of these security threats. Microsoft installations tend to be more vulnerable, in part because lots of services are enabled by default. As a result, software is generally easier to install and configure and may require less skill on the part of administrators. By contrast, Linux/UNIX has a security advantage because it doesn’t enable as many services by default and generally requires more skill to install.