We all love to hate RPC – it is a necessary evil in most Microsoft-based environments. Back in 1981, Bruce Nelson probably had no idea that the concept would be picked up by other large tech companies and still be kicking along some 40 years later. Unfortunately, there does not seem to have been much of a security uplift from vendors in all that time – perhaps there have been some attempts, but we continue to see CVEs relating to RPC exploits in the wild.

If you’d like to look into better securing RPC, check out RPC Firewall by Zero Networks.
RPCFW is freely available as a download from the Zero Networks GitHub release page, or if you’d like to tweak things, you can always download the source code from their GitHub repository.

RPC Firewall 2.0 tutorial

Whilst you can do some of this already with NetSH, this nifty package offers so much more, and I encourage you to check out their blog post about it. It may surprise you to learn how many RPC interfaces (UUIDs) are lying in wait for bad actors to attempt to leverage unhandled exceptions and exploits.

The team at Zero Networks have put together a tutorial on how to use RPCFW 2.0:

Zero Networks have been kind enough to put together some example configuration files that can be used to block and/or alert on ‘nasties’ like PetitPotam and a few others.

BE AWARE: Some of these UUIDs are important for certain tasks, so be sure to baseline any system before applying any restrictions. An example of this would be printing – if you are applying restrictions to a print server, you may not be able to apply the printer-related restrictions to that system. This is all discussed in the Zero Networks blog post on RPC Firewall 2.0.

Which UUIDs relate to which vulnerability?

As best as possible, the UUIDs listed in the example config template files have been mapped below to the protocol, interface element and, where known, the vulnerability they relate to:

| UUID | Notes | Protocol Name | Element | Description |
|------|-------|---------------|---------|-------------|
| 338cd001-2244-31f1-aaaa-900038001003 | Session Enumeration through Remote Registry | MS-RRP | \PIPE\winreg | RPC Interface UUID |
| 99fcfec4-5260-101b-bbcb-00aa0021347a | Relaying NTLM auth over RPC | MS-DCOM | IID_IObjectExporter | RPC Interface UUID for IObjectExporter |
| 000001A0-0000-0000-C000-000000000046 | Creation of PsEXEC process | MS-DCOM | IID_IRemoteSCMActivator | RPC Interface UUID for IRemoteSCMActivator |
| 00000131-0000-0000-C000-000000000046 | Creation of PsEXEC process | MS-DCOM | IID_IRemUnknown | RPC Interface UUID for IRemUnknown |
| 00000143-0000-0000-C000-000000000046 | Creation of PsEXEC process | MS-DCOM | IID_IRemUnknown2 | RPC Interface UUID for IRemUnknown2 |
| 1FF70682-0A51-30E8-076D-740BE8CEE98B | Remote Code Execution | MS-TSCH | GUID_ATSvc | ATSvc UUID version 1.0 |
| 378E52B0-C0A9-11CF-822D-00AA0051E40F | Remote Code Execution | MS-TSCH | GUID_SASec | SASec UUID version 1.0 |
| 86D35949-83C9-4044-B424-DB363231FD0C | Remote Code Execution | MS-TSCH | GUID_ITaskSchedulerService | ITaskSchedulerService UUID version 1.0 |
| f6beaff7-1e19-4fbb-9f8f-b89e2018337c | | MS-EVEN6 | Eventlog | RPC Interface UUID |
| 82273FDC-E32A-18C3-3F78-827929DC23EA | | MS-EVEN | \PIPE\eventlog | RPC Interface UUID |
| 50abc2a4-574d-40b3-9d66-ee4fd5fba076 | RPC Remote Buffer Overflow | MS-DNSP | \PIPE\DNSSERVER | RPC Interface UUID for DNS |
| 76f03f96-cdfd-44fc-a22c-64950a001209 | Print Nightmare | MS-PAR | UUID | RPC Interface for PAR |
| 12345678-1234-abcd-ef00-0123456789ab | Print Nightmare | MS-RPRN | \PIPE\spoolss | RPC Interface UUID |
| 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1 | Print Nightmare | MS-PAN | IRPCAsyncNotify | RPC Interface UUID for the IRPCAsyncNotify Interface |
| ae33069b-a2a8-46ee-a235-ddfd339be281 | Print Nightmare | MS-PAN | IRPCRemoteObject | RPC Interface UUID |
| 88143fd0-c28d-4b2b-8fef-8d882f6a9390 | | MS-TSTS | \PIPE\LSM_API_service, \PIPE\UNIFIED_API_service | LSM Enumeration |
| 5ca4a760-ebb1-11cf-8611-00a0245420ed | | MS-TSTS | \PIPE\Ctx_WinStation_API_service | Legacy (Legacy.idl) |
| 484809d6-4239-471b-b5bc-61df8c23ac48 | | MS-TSTS | \PIPE\LSM_API_service, \PIPE\UNIFIED_API_service | LSM Session (tspubrpc.idl) |
| bde95fdf-eee0-45de-9e12-e5a61cd0d4fe | | MS-TSTS | \PIPE\TermSrv_API_service | TermSrv (RCMPublic.idl) |
| 497d95a6-2d27-4bf5-9bbd-a6046957133c | | MS-TSTS | \PIPE\TermSrv_API_service | TermSrv Listener (RCMPublic.idl) |
| 367ABB81-9844-35F1-AD32-98F038001003 | Creation of PsEXEC process | MS-SCMR | \PIPE\svcctl | RPC Interface UUID |
| 8f09f000-b7ed-11ce-bbd2-00001a181cad | SMB remote Code Execution (ERRATICGOPHER) | MS-RRASM | DIMSVC | RPC Interface UUID for DIMSVC |
| 20610036-fa22-11cf-9823-00a0c911e5df | Service Overflow | MS-RRASM | RASRPC | RPC Interface UUID for RASRPC |
| 66a2db1b-d706-11d0-a37b-00c04fc9da04 | | MS-RRASM | IRemoteNetworkConfig | RPC Interface UUID for IRemoteNetworkConfig |
| 66a2db20-d706-11d0-a37b-00c04fc9da04 | | MS-RRASM | IRemoteRouterRestart | RPC Interface UUID for IRemoteRouterRestart |
| 66a2db21-d706-11d0-a37b-00c04fc9da04 | | MS-RRASM | IRemoteSetDnsConfig | RPC Interface for IRemoteSetDnsConfig |
| 66a2db22-d706-11d0-a37b-00c04fc9da04 | | MS-RRASM | IRemoteICFICSConfig | RPC Interface UUID for IRemoteICFICSConfig |
| 67e08fc2-2984-4b62-b92e-fc1aae64bbbb | | MS-RRASM | IRemoteStringIdConfig | RPC Interface UUID for IRemoteStringIdConfig |
| 6139d8a4-e508-4ebb-bac7-d7f275145897 | | MS-RRASM | IRemoteIPV6Config | RPC Interface UUID for IRemoteIPV6Config |
| 5ff9bdf6-bd91-4d8b-a614-d6317acc8dd8 | | MS-RRASM | IRemoteSstpCertCheck | RPC Interface UUID for IRemoteSstpCertCheck |
| df1941c5-fe89-4e79-bf10-463657acf44d | PetitPotam | MS-EFSR | \pipe\efsrpc | EFSRPC Interface UUID |
| c681d488-d850-11d0-8c52-00c04fd90f7e | PetitPotam | MS-EFSR | \pipe\lsarpc | LSARPC Interface UUID |
| 11899a43-2b68-4a76-92e3-a3d6ad8c26ce | | MS-TSTS | \PIPE\LSM_API_service, \PIPE\UNIFIED_API_service | LSM Notification (tspubrpc.idl) |
| 53b46b02-c73b-4a3e-8dee-b16b80672fc0 | | MS-TSTS | \PIPE\TSVIP_Service | TSVIPPublic (TSVIPRpc.idl) |
| 1257B580-CE2F-4109-82D6-A9459D0BF6BC | | MS-TSTS | \PIPE\SessEnvPublicRpc | SessEnvPublicRpc (SessEnvRpc.idl) |


This table is a work in progress – more entries still to come.
Happy “secured” RPCing 🙂
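As an added example (my own script, not Zero Networks' code or part of the original post), here is one way to put the table and the baselining advice above into practice: cross-reference the interface UUIDs you observed in use during a baseline period against the mapping, mark anything a known server role on that host still needs as audit-only rather than block, and emit the built-in `netsh rpc filter` commands for the rest. The UUIDs and protocol names come from the table; the role-to-protocol map, the function names and the "observed" list are assumptions I constructed for the example, and the script only prints the netsh commands rather than running them.

```powershell
# Added example, not from the RPC Firewall project. Cross-references observed RPC
# interface UUIDs against the post's mapping table and emits netsh rpc filter commands.

# Subset of the mapping table above. Keys are lower-case so lookups ignore case.
$RpcInterfaceMap = @{
    '12345678-1234-abcd-ef00-0123456789ab' = @{ Protocol = 'MS-RPRN'; Note = 'Print Nightmare' }
    '76f03f96-cdfd-44fc-a22c-64950a001209' = @{ Protocol = 'MS-PAR';  Note = 'Print Nightmare' }
    'df1941c5-fe89-4e79-bf10-463657acf44d' = @{ Protocol = 'MS-EFSR'; Note = 'PetitPotam' }
    'c681d488-d850-11d0-8c52-00c04fd90f7e' = @{ Protocol = 'MS-EFSR'; Note = 'PetitPotam' }
    '367abb81-9844-35f1-ad32-98f038001003' = @{ Protocol = 'MS-SCMR'; Note = 'Creation of PsEXEC process' }
    '338cd001-2244-31f1-aaaa-900038001003' = @{ Protocol = 'MS-RRP';  Note = 'Session Enumeration through Remote Registry' }
    '50abc2a4-574d-40b3-9d66-ee4fd5fba076' = @{ Protocol = 'MS-DNSP'; Note = 'RPC Remote Buffer Overflow' }
}

# Assumed role-to-protocol map (the post's print-server caveat, generalised to other roles).
$RoleRequirements = @{
    'PrintServer' = @('MS-RPRN', 'MS-PAR', 'MS-PAN')
    'DnsServer'   = @('MS-DNSP')
}

function Get-RpcBaselineReport {
    param(
        [string[]]$ObservedUuids,   # interface UUIDs seen in use during the baseline period
        [string[]]$Roles = @()      # roles this host serves, e.g. 'PrintServer'
    )
    $needed = @($Roles | ForEach-Object { $RoleRequirements[$_] } | Where-Object { $_ })
    foreach ($uuid in $ObservedUuids) {
        $key   = $uuid.Trim().ToLowerInvariant()
        $entry = $RpcInterfaceMap[$key]
        if (-not $entry) { continue }               # interfaces not in the table are left alone
        $required = $needed -contains $entry.Protocol
        # Block only what the table maps AND no role on this host needs; otherwise audit first.
        $action = if ($required) { 'audit' } else { 'block' }
        [pscustomobject]@{
            Uuid     = $key
            Protocol = $entry.Protocol
            Note     = $entry.Note
            Action   = $action
        }
    }
}

function New-RpcFilterCommands {
    # Emits (does not run) the netsh rpc filter sequence for each interface marked 'block'.
    # Each rule/condition/filter triple blocks every caller of that interface UUID.
    param([object[]]$Report)
    foreach ($row in $Report | Where-Object Action -eq 'block') {
        "netsh rpc filter add rule layer=um actiontype=block"
        "netsh rpc filter add condition field=if_uuid matchtype=equal data=$($row.Uuid)"
        "netsh rpc filter add filter"
    }
    "netsh rpc filter show filter"
}

# Constructed sample: interfaces seen during a week of auditing on a print server.
$observed = @(
    '12345678-1234-abcd-ef00-0123456789ab',   # MS-RPRN: needed by the print role -> audit
    'DF1941C5-FE89-4E79-BF10-463657ACF44D',   # MS-EFSR: PetitPotam -> block
    '367ABB81-9844-35F1-AD32-98F038001003',   # MS-SCMR: PsExec-style service creation -> block
    'deadbeef-0000-4000-8000-000000000001'    # constructed placeholder, not in the table -> ignored
)
$report = Get-RpcBaselineReport -ObservedUuids $observed -Roles 'PrintServer'
$report | Format-Table -AutoSize
New-RpcFilterCommands -Report $report
```

Run it in an elevated PowerShell session only once you are happy with the report; the `netsh rpc filter` rules it prints are coarse (they block the whole interface for every caller, with no per-opnum or per-source control), which is exactly the gap RPC Firewall's configuration closes, so treat the generated commands as the NetSH fallback the post mentions rather than a substitute for RPCFW. Filters added this way persist across reboots and can be listed with `netsh rpc filter show filter` and removed with `netsh rpc filter delete filter filterkey=<key>` using the key that command prints.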

The featured photo for this post is by Patrick Hendry on Unsplash
