CVE-2002-1561 in Windows
Summary
by MITRE
The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference.
Analysis
by VulDB Data Team • 09/04/2025
The vulnerability described in CVE-2002-1561 is a remotely triggerable denial-of-service flaw in the Windows RPC (Remote Procedure Call) infrastructure of Windows 2000, Windows NT 4.0, and Windows XP. It is not a code-execution flaw: the attacker gains no control over the process, only the ability to crash it. The affected component is the RPC Endpoint Mapper, which listens on TCP port 135 and acts as the registry through which clients discover the dynamic ports on which other RPC interfaces are listening. A single malformed packet sent to that port causes the endpoint mapper code to dereference a null pointer, and the resulting unhandled exception terminates the RPC service.
Exploitation is purely network-based: the attacker sends a specially crafted packet to TCP port 135 on the target. The endpoint mapper does not validate the packet sufficiently before acting on it, reaches a code path where a pointer that can be null is used without a check, and crashes. VulDB classifies the flaw under CWE-125 (Out-of-bounds Read); the null pointer dereference the advisory describes maps more precisely to CWE-476 (NULL Pointer Dereference), and the root cause in either case is missing input validation in a network-facing parser. A null pointer dereference occurs when a program reads or writes through a pointer that holds no valid address; in user-mode Windows services this raises an access violation, and when nothing handles that exception the service process exits and everything it was serving becomes unavailable.
The operational impact reaches well beyond the endpoint mapper itself. Once the RPC service is down, every subsystem that depends on RPC stops working, including Windows Management Instrumentation, Distributed Component Object Model activation, and remote administration tools that rely on RPC transports. In enterprise environments, where RPC underpins system management, remote administration, and distributed applications, a crashed RPC service on a domain-joined server can disrupt far more than the one host. The attack requires no authentication and no prior access, so any host that can reach TCP port 135 on the target can trigger it.
The attack model aligns with ATT&CK technique T1498 (Network Denial of Service): an adversary disrupts services and systems by sending traffic they cannot handle, here a single malformed packet rather than a flood. Such disruption may be an end in itself or a component of a broader operation, for example to knock out a management host during an intrusion. Organizations running affected systems are especially exposed because the endpoint mapper is essential to normal operation and, at the time, was routinely reachable from untrusted networks without firewall restrictions. The flaw is a straightforward failure of input validation and error handling in Microsoft's RPC implementation, and it illustrates why network-facing parsers must validate every field before trusting it.
Mitigation starts with network controls: restrict access to TCP port 135 from untrusted networks through segmentation and firewall rules, in line with NIST SP 800-41 (Guidelines on Firewalls and Firewall Policy). Microsoft addressed the flaw in Security Bulletin MS03-010, which shipped fixes for Windows 2000 and Windows XP but no patch for Windows NT 4.0, where blocking port 135 at the network boundary is the only remedy; administrators should confirm that affected Windows 2000 and XP systems have that update or a later service pack installed. Network monitoring on port 135 adds a detection layer: intrusion detection systems can flag RPC PDUs whose headers are inconsistent with the bytes actually received, or whose fields fall outside the protocol's defined ranges, which is the kind of traffic that exploitation attempts against this flaw would produce. The broader lesson is the one that secure coding guidance such as the OWASP material on input validation repeats: a service must validate lengths, types and lookups before acting on them, and patches must be applied promptly across the estate.
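The following added example (not Microsoft's RPC code, and not taken from the original page) illustrates both the flaw class described in the analysis and the detection check suggested above. It parses the 16-byte DCE/RPC connection-oriented PDU header, looks up the requested interface in a tiny endpoint registry, and shows an unchecked-dereference handler beside a hardened one. The registry contents, the bind PDU layout beyond the header, the result codes and every packet are constructed for the example; the real endpoint mapper code and the actual malformed packet are not known from the advisory.

```c
/* Added illustration, not Microsoft's RPC code: a minimal parser for the
 * 16-byte DCE/RPC connection-oriented PDU header, an endpoint-mapper-style
 * interface lookup, and the two ways a bind can be handled. The registry,
 * offsets beyond the header, and all packets are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RPC_HDR_LEN   16
#define PTYPE_BIND    11
#define BIND_UUID_OFF 32   /* hdr 16 + xmit/recv/assoc 8 + ctx-list hdr 4 + ctx hdr 4 */
#define BIND_PDU_LEN  72   /* ... + abstract syntax 20 + one transfer syntax 20 */

enum { RPC_OK = 0, RPC_ERR_SHORT = -1, RPC_ERR_VERSION = -2,
       RPC_ERR_FRAGLEN = -3, RPC_ERR_PTYPE = -4, RPC_ERR_NOIFACE = -5 };

struct rpc_hdr {
    uint8_t  vers, vers_minor, ptype, flags, drep[4];
    uint16_t frag_length, auth_length;
    uint32_t call_id;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate the common header against the byte count actually received. */
int rpc_parse_header(const uint8_t *buf, size_t len, struct rpc_hdr *h) {
    if (len < RPC_HDR_LEN) return RPC_ERR_SHORT;
    h->vers = buf[0]; h->vers_minor = buf[1]; h->ptype = buf[2]; h->flags = buf[3];
    memcpy(h->drep, buf + 4, 4);
    h->frag_length = rd16(buf + 8);
    h->auth_length = rd16(buf + 10);
    h->call_id     = rd32(buf + 12);
    if (h->vers != 5) return RPC_ERR_VERSION;
    if (h->ptype > 19) return RPC_ERR_PTYPE;               /* CO PDU types are 0..19 */
    if (h->frag_length < RPC_HDR_LEN || h->frag_length > len) return RPC_ERR_FRAGLEN;
    return RPC_OK;
}

/* Endpoint mapper interface UUID e1af8308-5d1f-11c9-91a4-08002b14a0fa in wire order. */
const uint8_t EPM_UUID[16] = {0x08,0x83,0xaf,0xe1,0x1f,0x5d,0xc9,0x11,0x91,0xa4,0x08,0x00,0x2b,0x14,0xa0,0xfa};
const uint8_t UNKNOWN_UUID[16] = {0};

/* Hypothetical registry: abstract-syntax UUID -> string binding. */
struct endpoint { const uint8_t *uuid; const char *binding; };
static const struct endpoint registry[] = { { EPM_UUID, "ncacn_ip_tcp:[135]" } };

static const struct endpoint *lookup(const uint8_t *uuid) {
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (memcmp(registry[i].uuid, uuid, 16) == 0) return &registry[i];
    return NULL;  /* the case the vulnerable path never considers */
}

/* Vulnerable pattern: ignores the received length and dereferences the lookup result. */
const char *handle_bind_vulnerable(const uint8_t *buf, size_t len) {
    (void)len;
    const struct endpoint *ep = lookup(buf + BIND_UUID_OFF);
    return ep->binding;  /* NULL dereference on an unknown interface: service crash */
}

/* Hardened handler: header, length and pointer are all checked before use. */
int handle_bind_hardened(const uint8_t *buf, size_t len, const char **binding) {
    struct rpc_hdr h;
    int rc = rpc_parse_header(buf, len, &h);
    if (rc != RPC_OK) return rc;
    if (h.ptype != PTYPE_BIND) return RPC_ERR_PTYPE;
    if (h.frag_length < BIND_UUID_OFF + 16) return RPC_ERR_SHORT;
    const struct endpoint *ep = lookup(buf + BIND_UUID_OFF);
    if (!ep) return RPC_ERR_NOIFACE;
    *binding = ep->binding;
    return RPC_OK;
}

/* Build a constructed bind PDU; the caller may claim a frag_length that differs from reality. */
size_t make_bind(uint8_t *out, const uint8_t *uuid, uint16_t claimed_frag_length) {
    memset(out, 0, BIND_PDU_LEN);
    out[0] = 5; out[1] = 0; out[2] = PTYPE_BIND; out[3] = 0x03;   /* first + last fragment */
    out[4] = 0x10;                                                 /* little-endian drep */
    out[8] = (uint8_t)claimed_frag_length; out[9] = (uint8_t)(claimed_frag_length >> 8);
    out[16] = out[18] = 0xb8; out[17] = out[19] = 0x10;            /* max_xmit/max_recv 4280 */
    out[24] = 1;                                                   /* one context element */
    out[30] = 1;                                                   /* one transfer syntax */
    memcpy(out + BIND_UUID_OFF, uuid, 16);
    out[BIND_UUID_OFF + 16] = 3;                                   /* interface version 3.0 */
    return BIND_PDU_LEN;
}

/* Scenario helper: build a bind, deliver only `deliver` bytes, run the hardened handler. */
int check_bind(const uint8_t *uuid, uint16_t claimed, size_t deliver, const char **binding) {
    uint8_t pkt[BIND_PDU_LEN];
    make_bind(pkt, uuid, claimed);
    return handle_bind_hardened(pkt, deliver, binding);
}

/* Monitoring view: the same header checks, applied to a port-135 stream, flag PDUs worth alerting on. */
int rpc_pdu_is_malformed(const uint8_t *buf, size_t len) {
    struct rpc_hdr h;
    return rpc_parse_header(buf, len, &h) != RPC_OK;
}

int main(void) {
    const char *b = NULL;
    printf("valid bind:     rc=%d binding=%s\n",
           check_bind(EPM_UUID, BIND_PDU_LEN, BIND_PDU_LEN, &b), b ? b : "(none)");
    printf("truncated bind: rc=%d\n", check_bind(EPM_UUID, BIND_PDU_LEN, 40, &b));
    printf("unknown iface:  rc=%d\n", check_bind(UNKNOWN_UUID, BIND_PDU_LEN, BIND_PDU_LEN, &b));
    return 0;
}
```

The hardened path rejects a PDU whose frag_length exceeds the bytes received, one whose claimed length is too short to contain the context it advertises, and one naming an interface the registry does not know; the vulnerable path would dereference NULL on that last case, which is the crash pattern the advisory describes. `rpc_pdu_is_malformed` applies only the header checks, which is what a network sensor watching port 135 can evaluate without knowing the service's registry.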