DOCUMENT:Q195733 TITLE :Denial of Service in Applications Using Named Pipes over RPC PRODUCT :Windows NT PROD/VER:4.0 OPER/SYS:WINDOWS NT KEYWORD :kbbug4.00 kbfix4.00 --------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Server, Enterprise Edition version 4.0 - Microsoft Windows NT Server 4.0, Terminal Server Edition --------------------------------------------------------------------- SYMPTOMS ======== Your Windows NT computer's responsiveness appears sluggish, and network clients may report a gradual decrease in system performance because of a Windows NT system process consuming 100 percent of CPU time. In addition, system memory usage may continually increase (potentially indicating a memory leak of system resources) up to the limit of available memory. The computer may stop responding (hang). CAUSE ===== This problem is caused by a malicious attack on the remote procedure call (RPC) components in Windows NT using named pipes transport. Specific instances of this denial of service attack may be targeted at either the Spoolss.exe file or Lsass.exe file. There are different variations of the attack and each may create multiple named pipe connections to a Windows NT system and send random data. The RPC service then attempts to send a response and close each connection. The RPC service then cycles into a 100 percent CPU usage loop closing the invalid connections. RESOLUTION ========== Windows NT Server and Workstation Windows NT Server, Enterprise Edition ------------------------------------- Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 4.0. A fully supported fix is now available, but it has not been fully regression tested and should only be applied to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends you apply this fix. Otherwise, wait for the next Windows NT service pack, which will contain this fix. Please contact Microsoft Technical Support for more information. To resolve this problem immediately, download the fix as described below. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/support/supportnet/default.asp The English version of this fix should have the following file attributes or later: Date Time Size File name Platform ----------------------------------------------------- 11/12/98 03:38p 12,048 Rpclts1.dll (x86) 11/12/98 03:37p 23,312 Rpclts1.dll (Alpha) This hotfix has been posted to the following Internet location as Nprpcfxi.exe (x86) and Nprpcfxa.exe (Alpha): ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/ hotfixes-postSP4/nprpc-fix/ NOTE: The above link is one path; it has been wrapped for readability. NOTE: If you contact Microsoft to obtain this fix, a fee may be charged. This fee is refundable if it is determined that you only require the fix you requested. However, this fee is non-refundable if you request additional technical support. For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base: ARTICLE-ID: Q154871 TITLE : Determining If Your Product Is Eligible for No-Charge Technical Support Windows NT Server 4.0, Terminal Server Edition ---------------------------------------------- Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 4.0, Terminal Server Edition. A fully supported fix will be available soon. STATUS ====== Windows NT Server and Workstation Windows NT Server, Enterprise Edition ------------------------------------- Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 4.0. Windows NT Server 4.0, Terminal Server Edition ---------------------------------------------- Microsoft has confirmed this problem could result in some degree of security vulnerability in Windows NT version 4.0, Terminal Server Edition. MORE INFORMATION ================ Using Windows NT Performance Monitor, you observe that, over time, the computer's CPU usage increases to 100 percent and remains there. Additional query words: 4.00 denial of service nprpcfix ============================================================================ THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.