Sonicwall Signatures

Category: RPC

RPC Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent intrusions targeted at RPC servers. RPC or Remote Procedure Call servers allow remote computers to request that the server perform particular functions for them. A client computer or caller sends a request including arguments to the RPC server using the RPC protocal, and the server responds with the results of the operation. Unfortunately, because of the level of complexity involved in such an interactive system, a number of vulnerabilites have been discovered that attackers can exploit, allowing them to cause RPC servers to crash, or to gain complete control of them.

A majority of the signatures in this category detect normal RPC traffic that can be abused by attackers before or during an attack. For example, before a caller computer can make an RPC request to a server, it needs to first know which programs the server is willing to run and which ports it will use to accept requests. A program called portmap is often used to perform this function, but attackers can often it to locate vulnerable RPC systems to attack as well. The first set of signatures in this category is designed to detect such portmap requests so that administrators can recognize unexpected or suspicious requests as a sign that an RPC attack is imminent or in progress. These signatures that detect normal RPC traffic are low-priority and are by default set to detect.

The rest of the signatures in this category recognize malicious RPC requests. Most such requests involve buffer overflow or format string attacks that exploit vulnerabilities in the software handling RPC calls. By sending malformed arguments with an RPC request, attackers can cause the RPC handler to malfunction. Sometimes this results in a crash, causing a denial of service for client computers reliant on the server to perform vital functions. In other instances, this results in the attacker gaining control over the server when it executes code that was included in the request. In these cases, attackers can exploit trust relationships between the server and its client computers by, for example, providing malicious code in response to legitimate RPC requests.

Other requests recognized by this category are less serious. The directory traversal attempts, for example, allow attackers to send a specially crafted request that gives them access to files contained on the server. These attacks can still be very damaging, especially if sensitive information is stored on the RPC server.

The signatures in this category that contain actual exploit code are classified from low- to high-priority depending on the risk that an attack will succeed and the amount of damage that it can cause. When enabled for prevention, these signatures can prevent malicious requests from reaching RPC servers. Still, administrators should note that patches are available for most of the vulnerabilities exploited by RPC attacks, and that SonicWALL signatures should be used in conjunction with good patching practices to provide maximum security for RPC servers.