CVE-2004-0569

Vulnerability

The vulnerability resides in the RPC Runtime Library of Microsoft Windows NT 4.0 (all Service Packs). It arises from improper handling of length values in messages processed by the rpc_c_mgmt_inq_stats function. This flaw is present in Windows NT Server 4.0 Service Pack 6a and Windows NT Server 4.0 Terminal Server Edition Service Pack 6 [1][2]. The issue can be triggered without authentication by sending a specially crafted RPC message to an affected system.

Exploitation

An attacker can exploit this vulnerability remotely by sending a malicious RPC message to a vulnerable Windows NT 4.0 server. No authentication is required; the attacker only needs network access to the target's RPC service. By providing an extremely large length value in the RPC message, the attacker can cause the RPC server to read from inaccessible memory, leading to a crash (denial of service). Alternatively, by sending a message with a specific malformed length, the attacker can force the server to return active memory contents (information disclosure) [2].

Impact

Successful exploitation can result in either information disclosure or denial of service. An attacker can read portions of active memory from the address space of the RPC server process, potentially revealing sensitive data. An attacker can also cause the RPC server to crash, leading to a system stop or denial of service. The impact is limited to the RPC service; other services or the operating system kernel may be affected if the crash is not handled [1][2].

Mitigation

Microsoft released security bulletin MS04-029 to address this vulnerability. The fix was made available on October 12, 2004, as an update for Windows NT 4.0 Service Pack 6a and Windows NT 4.0 Terminal Server Edition Service Pack 6 [1]. Customers should apply the update at the earliest opportunity. There are no workarounds documented in the references. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.