06 Apr, 2023

Remote Procedure Call (RPC)


RPC stands for Remote Procedure Call. It is a protocol that allows one computer program to execute code on another computer without the programmer having to explicitly code for communication between the two. In other words, RPC enables a program to call a function on a remote computer as if it were a local function call. This is often used in client-server applications or distributed systems where multiple computers need to communicate with each other. RPC is widely used in modern networking protocols such as HTTP, NFS, and DCOM.

RPC common ports

Port 135: This port is used by the Remote Procedure Call (RPC) service that runs on the Windows operating system. It is used for various Windows services and can be vulnerable to attack.

Port 111: This port is used by the RPC service on Unix-based systems, including Linux and Solaris. It is used for various system services such as NFS (Network File System) and NIS (Network Information Service).

Port 139: This port is used by the NetBIOS (Network Basic Input/Output System) service on Windows-based systems. NetBIOS is used for file and printer sharing, as well as for some other Windows networking services.

Port 445: This port is used by the SMB (Server Message Block) protocol, which is used for file and printer sharing on Windows-based systems.

Port 2049: This port is used by the NFS protocol, which is used for file sharing on Unix-based systems.

Common commands used by unauthorized users

Enumerate services. Unauthorized users may try to enumerate the services running on a system by using the “EnumServicesStatus” command. This can allow them to identify vulnerable services or services that they can exploit to gain further access.

Stop services. Unauthorized users may try to stop critical services on a system by using the “ControlService” command. This can cause system instability or even a denial of service (DoS) attack.

Execute arbitrary code. Unauthorized users may try to execute arbitrary code on a system by using the “CreateProcess” or “ShellExecute” commands. This can allow them to gain remote access to the system or perform other malicious actions.

Access files. Unauthorized users may try to access files on a system by using the “OpenFile” or “CreateFile” commands. This can allow them to access sensitive information or modify critical system files.

Tools for working with the RPC protocol

Manual Tools:

  • Rpcdump: A Windows command-line tool that allows users to view information about RPC services and their endpoints.

  • Rpcinfo: A Unix-based command-line tool that provides information about RPC services on a remote system, including their names, ports, and versions.

  • Portqry: A Windows command-line tool that can be used to query ports and determine whether they are open or closed.

  • Netcat: A Unix-based command-line tool that allows users to create network connections and send data across them. It can be used to test RPC services by sending custom requests.

  • Wireshark: A network protocol analyzer that can be used to capture and analyze network traffic. It can be used to inspect RPC traffic and identify potential vulnerabilities.

  • Nmap: A network exploration and security auditing tool that can be used to scan for open ports and identify potential security risks.

  • Metasploit: A penetration testing framework that includes various modules for testing RPC services and identifying potential vulnerabilities.

  • Fuzzing tools: Tools such as Peach Fuzzer, Sulley, and American Fuzzy Lop can be used to test RPC services by generating random input data and identifying potential vulnerabilities.
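The output of rpcinfo (listed above) is the quickest way to see which ONC RPC programs a Unix host registers with the portmapper on port 111. The following is an added example, not code from the original page: it parses constructed `rpcinfo -p` output, flags programs that usually should not be reachable from untrusted networks (the review set is an assumption for this example), and separates the fixed ports 111 and 2049 from dynamically assigned endpoints, which is what makes firewall rules for RPC awkward.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `rpcinfo -p <host>` output; not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  38231  nlockmgr
    100024    1   tcp  45677  status
"""

class RpcService(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str

# One registration line: program number, version, proto, port, service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text: str) -> List[RpcService]:
    """Parse `rpcinfo -p` output; header and blank lines are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            services.append(RpcService(int(prog), int(vers), proto, int(port), name))
    return services

# Assumed review baseline for this example: programs that normally should not be
# exposed beyond the hosts that need them. Adjust to the environment.
REVIEW_PROGRAMS = {"nfs", "mountd", "ypserv", "rquotad"}
# Well-known fixed ports (portmapper, NFS); everything else is a dynamic endpoint.
FIXED_PORTS = {111, 2049}

def exposure_report(services: List[RpcService]) -> Tuple[Dict[str, List[str]], List[int]]:
    """Return ({flagged service: ['proto/port', ...]}, sorted dynamic ports in use)."""
    flagged: Dict[str, set] = {}
    dynamic_ports = set()
    for s in services:
        if s.name in REVIEW_PROGRAMS:
            flagged.setdefault(s.name, set()).add(f"{s.proto}/{s.port}")
        if s.port not in FIXED_PORTS:
            dynamic_ports.add(s.port)
    return {k: sorted(v) for k, v in flagged.items()}, sorted(dynamic_ports)
```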

Automated Tools:

  • RPCScan: A tool that can be used to scan for open RPC ports and identify potential vulnerabilities.

  • RPCView: A Windows-based tool that can be used to view information about RPC services and endpoints, as well as the processes that are using them.

  • RPCSMB: A tool that can be used to test SMB-based RPC services and identify potential vulnerabilities.

  • rpcclient: A Unix-based command-line tool that can be used to interact with SMB-based RPC services and test for potential vulnerabilities.

  • Impacket: A collection of Python scripts that can be used to interact with SMB-based RPC services and test for potential vulnerabilities.

  • ZMap: A network scanner that can be used to quickly scan large networks for open RPC ports.

  • Masscan: A fast port scanner that can be used to scan for open RPC ports on large networks.

  • OpenVAS: A vulnerability scanner that can be used to scan for potential vulnerabilities in RPC services and other network components.

  • Nessus: A vulnerability scanner that can be used to scan for potential vulnerabilities in RPC services and other network components.

Browser plugins:

  • OWASP ZAP: A popular open-source web application security testing tool that includes a browser plugin for testing RPC services.

  • Burp Suite: A popular web application security testing tool that includes a browser plugin for testing RPC services.

  • Chrome RPC Debugger: A Chrome browser extension that allows users to inspect and debug RPC traffic.

Last five known CVE for RPC

• CVE-2023-24908 – Remote Procedure Call Runtime Remote Code Execution Vulnerability

• CVE-2023-24869 – Remote Procedure Call Runtime Remote Code Execution Vulnerability

• CVE-2023-23405 – Remote Procedure Call Runtime Remote Code Execution Vulnerability

• CVE-2023-21708 – Remote Procedure Call Runtime Remote Code Execution Vulnerability

• CVE-2023-21525 – Remote Procedure Call Runtime Denial of Service Vulnerability

Useful information

– Remote Procedure Call (RPC) is a protocol that allows a program running on one computer to call a subroutine on another computer without having to understand the network details. It is commonly used in client/server applications, where the client sends a request to the server and the server responds with a result.

– RPC uses a combination of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) to transmit data between processes. TCP is used for reliable data transmission, while UDP is used for fast transmission with no guarantee of delivery.

– RPC uses dynamic port allocation, which means that the port used for communication can change each time a connection is made. This can make it difficult to configure firewalls and other security measures to allow RPC traffic.

– RPC is used extensively in Microsoft Windows operating systems, where it is used for a wide range of system functions, including file and printer sharing, remote procedure calls, and distributed component object model (DCOM) communication.

– RPC allows for the creation of distributed applications, where components of the application run on different computers and communicate with each other using RPC calls.

– RPC is vulnerable to a variety of security threats, including denial-of-service (DoS) attacks, buffer overflows, and authentication bypasses. It is important to secure RPC communications by implementing proper authentication and access control mechanisms.

– To configure RPC on a Windows system, you can use the RPC Configuration tool, which allows you to configure the ports and protocols used by RPC, as well as to view the status of RPC services on the system.

– RPC has several variants, including ONC RPC (used in Unix/Linux environments), DCE RPC (used in some legacy systems), and XML-RPC (used in web services and APIs).

– Some common tools used for testing RPC include Wireshark, rpcclient, Metasploit Framework, and Nmap, among others.

– RPC can be used to create a wide range of applications, including distributed databases, distributed file systems, and distributed computing systems.

Known banners

Microsoft Windows RPC: “Microsoft Windows RPC” or “Windows RPC” followed by the version number. For example, “Microsoft Windows RPC (unimodem) (unknown version)”.

Samba RPC: “Samba” followed by the version number. For example, “Samba 4.0.0beta2”.

Sun RPC: “SunRPC” followed by the version number. For example, “SunRPC 2.0”.

NFS RPC: “NFS” followed by the version number. For example, “NFS 3.0”.

Apache XML-RPC: “Apache XML-RPC” followed by the version number. For example, “Apache XML-RPC 3.1.3”.

JBoss EJBInvokerServlet: “JBossAS” or “JBoss Enterprise Application Platform” followed by the version number and “EJBInvokerServlet”. For example, “JBossAS 4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200710261339)/JBossWeb-2.0/EJBInvokerServlet”.

PHP XML-RPC: “PHP XML-RPC” followed by the version number. For example, “PHP XML-RPC 1.5.5”.

Books for studying RPC

“Distributed Systems: Principles and Paradigms” by Andrew Tanenbaum and Maarten van Steen – This book provides a comprehensive overview of distributed systems, including a chapter on RPC. It covers the basics of RPC as well as advanced topics such as fault tolerance and security.

“UNIX Network Programming” by W. Richard Stevens – This classic book on network programming includes a chapter on RPC. It covers the basics of RPC as well as advanced topics such as authentication and performance tuning.

“Windows Internals, Part 2: Covering Windows Server 2008 R2 and Windows 7” by Mark Russinovich, David Solomon, and Alex Ionescu – This book is focused on the internals of the Windows operating system, but includes a chapter on RPC. It covers the RPC subsystem in detail, including the various components and protocols used.

“Programming Windows: Writing Windows 8 Apps With C# and XAML” by Charles Petzold – This book is focused on programming Windows 8 apps, but includes a chapter on Windows Communication Foundation (WCF), which is Microsoft’s implementation of RPC. It covers the basics of WCF as well as advanced topics such as message security and reliability.

“Java RMI” by William Grosso – This book is focused on Java RMI, which is Java’s implementation of RPC. It covers the basics of RMI as well as advanced topics such as object serialization and remote class loading.

“XML-RPC: Programming Web Applications with Perl and Python” by Edd Dumbill – This book is focused on XML-RPC, which is a lightweight implementation of RPC that uses XML for data encoding. It covers the basics of XML-RPC as well as advanced topics such as authentication and error handling.

List of payloads for RPC

  • Simple RPC request: This payload sends a simple RPC request to the server. It can be used to test if the RPC service is running and responding correctly.

  • Buffer overflow: This payload is designed to overflow a buffer in the RPC service’s memory and execute malicious code. Buffer overflows are a common attack vector for RPC services.

  • Denial-of-service (DoS): This payload is designed to flood the RPC service with traffic to overload the server and cause it to crash or become unresponsive. DoS attacks can be used to disrupt legitimate services and cause downtime.

  • Man-in-the-middle (MitM): This payload is designed to intercept and modify RPC traffic between the client and server. MitM attacks can be used to steal data or execute malicious code on the server.

  • Directory traversal: This payload is designed to exploit directory traversal vulnerabilities in the RPC service. Directory traversal attacks can be used to access sensitive files on the server or execute arbitrary code.

  • Command injection: This payload is designed to exploit command injection vulnerabilities in the RPC service. Command injection attacks can be used to execute arbitrary commands on the server.

  • SQL injection: This payload is designed to exploit SQL injection vulnerabilities in the RPC service. SQL injection attacks can be used to access or modify sensitive data in the server’s database.

Mitigation

  1. One of the biggest security risks associated with RPC is the use of weak authentication. To mitigate this risk, use strong authentication methods such as Kerberos or SSL/TLS to ensure that only authorized users can access the system.

  2. Limit access to RPC services to only those systems and users that need it. This can be done by using firewalls or access control lists (ACLs) to restrict access to the RPC service.

  3. Ensure that all software associated with the RPC protocol is up to date with the latest security patches. This includes both the operating system and any applications that use the RPC protocol.

  4. Monitor network traffic for any unusual activity or traffic patterns that could indicate a potential security breach. This can be done through the use of intrusion detection systems (IDS) or security information and event management (SIEM) tools.

  5. To protect sensitive data transmitted over the RPC protocol, consider using encryption to ensure that data is not intercepted or manipulated in transit.

  6. Disable any RPC services that are not needed to reduce the attack surface.
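Mitigation step 4 (monitoring) is easier to act on once you know what RPC's dynamic port allocation looks like in connection logs: a normal Windows client asks the endpoint mapper on port 135 and then opens one dynamic port, whereas enumeration touches many dynamic ports on one host, or port 135 on many hosts. The following detection logic is an added example, not code from the original page; the log format, the source addresses and the thresholds are constructed for this example, and the 49152–65535 range is the default Windows dynamic port range.

```python
from collections import defaultdict
from datetime import datetime
from typing import List, Tuple

# Constructed firewall-style connection log; not from a real environment.
# Fields: ISO timestamp, source IP, destination IP, destination port, action.
SAMPLE_LOG = """\
2023-04-06T10:00:01 10.0.0.5 10.0.0.20 135 ALLOW
2023-04-06T10:00:02 10.0.0.5 10.0.0.20 49664 ALLOW
2023-04-06T10:05:00 10.0.0.9 10.0.0.20 135 ALLOW
2023-04-06T10:05:01 10.0.0.9 10.0.0.20 49664 ALLOW
2023-04-06T10:05:01 10.0.0.9 10.0.0.20 49665 ALLOW
2023-04-06T10:05:02 10.0.0.9 10.0.0.20 49666 ALLOW
2023-04-06T10:05:02 10.0.0.9 10.0.0.20 49667 ALLOW
2023-04-06T10:05:03 10.0.0.9 10.0.0.21 135 ALLOW
2023-04-06T10:05:03 10.0.0.9 10.0.0.22 135 ALLOW
2023-04-06T10:05:04 10.0.0.9 10.0.0.23 135 ALLOW
"""

EPMAP_PORT = 135                      # Windows RPC endpoint mapper
DYNAMIC_RANGE = range(49152, 65536)   # default Windows dynamic port range

def parse_log(text: str) -> List[Tuple[datetime, str, str, int, str]]:
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events

def detect_rpc_sweeps(events, window_s=60, max_dynamic=3, max_hosts=2):
    """Flag (a) a source hitting many dynamic ports on one host shortly after
    contacting its endpoint mapper, and (b) a source contacting port 135 on
    many hosts. Thresholds are assumptions; tune them to the environment."""
    epmap_seen = {}                   # (src, dst) -> first port-135 contact
    dyn_ports = defaultdict(set)      # (src, dst) -> dynamic ports hit in window
    epmap_hosts = defaultdict(set)    # src -> hosts contacted on port 135
    for ts, src, dst, port, action in sorted(events):
        if action != "ALLOW":
            continue                  # blocked attempts are not endpoint reachability
        if port == EPMAP_PORT:
            epmap_seen.setdefault((src, dst), ts)
            epmap_hosts[src].add(dst)
        elif port in DYNAMIC_RANGE and (src, dst) in epmap_seen:
            if (ts - epmap_seen[(src, dst)]).total_seconds() <= window_s:
                dyn_ports[(src, dst)].add(port)
    alerts = [("dynamic-port-enumeration", s, d, len(p))
              for (s, d), p in dyn_ports.items() if len(p) > max_dynamic]
    alerts += [("epmap-sweep", s, "*", len(h))
               for s, h in epmap_hosts.items() if len(h) > max_hosts]
    return sorted(alerts)
```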

Conclusion

Remote Procedure Call (RPC) is a protocol used for communication between networked devices that allows a program to execute code on a remote system as if it were running locally. RPC is widely used in distributed systems and client-server architectures, making it an important technology for modern computing.

RPC has several advantages, including its ability to simplify distributed computing by abstracting the complexity of network communication, and its support for multiple programming languages and platforms. It is also a well-established and widely used technology with a large community of developers and users.
