TCP Dangerous Other

Port 135 (RPC)

Learn about port 135 (RPC) - security risks, vulnerabilities, and common uses. Find devices with port 135 open.

Quick Info

Port Number

135

Protocol

TCP

Service

RPC

IANA Name

RPC

Service Description

TCP port 135 is primarily associated with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper service, also known as the Distributed Component Object Model (DCOM) Port Mapper. It acts as a directory for RPC services, allowing client applications to discover the dynamic ports assigned to specific RPC services running on a server. When a client initiates an RPC connection, it first connects to port 135 to query the Endpoint Mapper for the port number of the desired service. The Endpoint Mapper then provides the client with the dynamically assigned port number, enabling the client to establish a direct connection to the service. This dynamic port allocation is a key feature of RPC, allowing for flexibility and efficient resource utilization. The Endpoint Mapper itself operates using the DCE/RPC protocol. The initial connection to port 135 uses the DCE/RPC protocol to negotiate the communication parameters and authenticate the client.

The history of RPC and port 135 is intertwined with the evolution of distributed computing in Microsoft environments. It was initially designed to facilitate communication between different components and services within a network, enabling client applications to access resources and functionality on remote servers. Over time, RPC has become a fundamental building block for numerous Microsoft technologies, including Active Directory, Windows Management Instrumentation (WMI), and Distributed File System (DFS). While RPC itself is a powerful and versatile technology, its complexity and reliance on dynamic port allocation have also made it a target for security vulnerabilities and attacks. The Endpoint Mapper, acting as a central point of entry for RPC communication, has been a particular area of focus for attackers seeking to exploit weaknesses in the RPC infrastructure.

## Firewall Recommendations

Blocking port 135 on a firewall can significantly reduce the attack surface of a Windows system, especially from external networks. However, blocking it entirely can also disrupt the functionality of many legitimate applications and services that rely on RPC communication. Therefore, a more nuanced approach is recommended. If the port is being accessed from the internet, it should be blocked. Within a trusted network, restrict access to port 135 to only authorized systems and users. Use network segmentation to isolate critical systems and limit the scope of potential attacks. Implement intrusion detection and prevention systems (IDS/IPS) to monitor RPC traffic and detect malicious activity. Regularly patch and update Windows systems and applications to address known vulnerabilities in RPC and related components. Consider using RPC filtering or authentication mechanisms to further restrict access to RPC services and prevent unauthorized connections. Implement strong authentication and authorization policies for RPC services. Monitor RPC traffic for unusual patterns or suspicious activity. Use tools like Wireshark to analyze network traffic and identify potential vulnerabilities. Consider disabling RPC services that are not required. Finally, follow the principle of least privilege, granting users only the necessary permissions to access RPC resources.

Security Information

Port 135 presents several security risks due to its central role in RPC communication and its exposure to the network. The Endpoint Mapper can be exploited by attackers to enumerate RPC services running on a server, providing valuable information for reconnaissance and targeted attacks. Attackers can also attempt to spoof RPC requests or inject malicious code into RPC communication channels. A common attack vector involves exploiting vulnerabilities in specific RPC services or using the Endpoint Mapper to discover and target vulnerable services. The dynamic port allocation mechanism of RPC can also be abused to bypass firewall rules or establish unauthorized connections. Furthermore, the complexity of the RPC protocol and its reliance on multiple components make it challenging to secure and manage effectively. Because port 135 is the initial point of contact for many critical Windows services, successful exploitation can lead to privilege escalation, remote code execution, and denial-of-service attacks. Attackers target it because compromising it often provides a foothold into the entire system or network.

Known Vulnerabilities

CVE	Name	Severity	Description
CVE-2022-26809	Remote Procedure Call Runtime Remote Code Execution Vulnerability	Critical	An unauthenticated, remote attacker can execute arbitrary code on an affected system by sending a specially crafted RPC request to the server. This vulnerability exists in the RPC runtime library.
CVE-2018-0826	Windows RPC Elevation of Privilege Vulnerability	High	An elevation of privilege vulnerability exists in the way that the Windows Remote Procedure Call (RPC) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated privileges.
CVE-2017-0213	Windows COM Aggregate Marshaler Elevation of Privilege Vulnerability	High	An elevation of privilege vulnerability exists in Windows when the Windows COM Aggregate Marshaler improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
CVE-2016-7255	Elevation of Privilege Vulnerability in Windows	High	An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.