[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <MKEAIJIPCGAHEFEJGDOCEEDKMBAA.marc@eeye.com>
From: marc at eeye.com (Marc Maiffret)
Subject: EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II
1.0.4 is not the latest version. Version 1.1.0 is the latest. Upgrade to
that.
Again, if you think you have found a bug just contact us and we can help you
out.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| -----Original Message-----
| From: full-disclosure-admin@...ts.netsys.com
| [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
| Jeff.Urnaza@...rydennison.com
| Sent: Wednesday, September 10, 2003 1:26 PM
| To: Full-Disclosure
| Subject: Re: [Full-Disclosure] EEYE: Microsoft RPC Heap Corruption
| Vulnerability - Part II
|
|
|
| The version number in eEye's supposed *new* scanner is the same version
| number as the one they release for the previous RPC exploit, v1.0.4. In
| my initial tests of the scanner, it did not find any vulnerable hosts for
| the new RPC security hole on my network, except the ones that I already
| patched ..... strange .... looks like someone goofed on this one .....
|
| J
|
|
|
|
|
| "Marc Maiffret"
|
| <marc@...e.com> To:
| "Full-Disclosure" <full-disclosure@...ts.netsys.com>
| Sent by: cc:
|
| full-disclosure-admin@...ts Subject:
| [Full-Disclosure] EEYE: Microsoft RPC Heap Corruption
| .netsys.com
| Vulnerability - Part II
|
|
|
|
| 09/10/2003 10:50 AM
|
|
|
|
|
|
|
|
|
| Here we go again. :-o
|
| -Marc
| --------
| Microsoft RPC Heap Corruption Vulnerability - Part II
|
| Release Date:
| September 10, 2003
|
| Severity:
| High (Remote Code Execution)
|
| Systems Affected:
| Microsoft Windows NT Workstation 4.0
| Microsoft Windows NT Server 4.0
| Microsoft Windows NT Server 4.0, Terminal Server Edition
| Microsoft Windows 2000
| Microsoft Windows XP
| Microsoft Windows Server 2003
|
| Description:
|
| eEye Digital Security has discovered a critical remote vulnerability in
| the
| way Microsoft Windows handles certain RPC requests. The RPC (Remote
| Procedure Call) protocol provides an inter-process communication mechanism
| allowing a program running on one computer to execute code on a remote
| system.
|
| A vulnerability exists within the DCOM (Distributed Component Object
| Model)
| RPC interface. This interface handles DCOM object activation requests sent
| by client machines to the server.
|
| Note: this vulnerability differs from the vulnerability publicized in
| Microsoft Bulletin MS03-026.
| (http://www.microsoft.com/technet/security/bulletin/MS03-026.asp)
| This is a new vulnerability, and a different patch that must be installed.
|
| By sending a malformed request packet it is possible to overwrite various
| heap structures and allow the execution of arbitrary code.
|
| Technical Details:
|
| The vulnerability can be replicated with a DCERPC "bind" packet, followed
| by
| a malformed DCERPC DCOM object activation request packet. Issuing the API
| function CoGetInstanceFromFile can generate the required request. By
| manipulating the length fields within the activation packet, portions of
| heap memory can be overwritten with data which may be user-defined.
|
| Sending between 4 and 5 activation packets is generally sufficient to
| trigger the overwrite.
|
| Upon sending the sequence of packets we were able to continually cause an
| exception within the usual suspect RtlAllocateHeap:
|
| PAGE:77FC8F11 mov [ecx], eax
| PAGE:77FC8F13 mov [eax+4], ecx
|
| We control the values of the registers eax and ecx. We can write an
| arbitrary dword to any address of our choosing.
|
| Execution of code can be achieved through a number of means -- the
| unhandledexceptionfilter or a PEB locking pointer for instance. For this
| specific vulnerability the best route was to overwrite a pointer within
| the
| writeable .data section of RPCSS.DLL :
|
| .data:761BC254 off_761BC254 dd offset loc_761A1AE7 ; DATA XREF:
| sub_761A19EF+1C_r
| .data:761BC254 ;
| sub_761A19EF+11D_w
| ...
| .data:761BC258 off_761BC258 dd offset loc_761A1B18 ; DATA XREF:
| sub_761A19EF+108_w
| .data:761BC258 ; sub_761A1DCF+13_r
| ...
|
| At runtime these two pointers reference RtlAllocateHeap and RtlFreeHeap
| respectively. By overwriting offset 0x761BC258 with our chosen EIP value,
| we
| control the processor directly after the heap overwrite. The added benefit
| in choosing this pointer is we have data from our received packet at
| ebp->10h which we may modify to our liking, within reason. There is one
| small obstacle that must be overcome. The first word value at that address
| is the length field of our packet, this field must translate to an opcode
| sequence that will allow us to reach our data that follows.
|
| Protection:
| Retina Network Security Scanner has been updated to identify this
| vulnerability.
| http://www.eeye.com/html/Products/Retina/index.html
| Also our FREE RPC scanner tool has been updated to check for this second
| vulnerability.
| http://www.eeye.com/html/Research/Tools/RPCDCOM.html
|
| Vendor Status:
| Microsoft has released a patch for this vulnerability. The patch is
| available at:
| http://www.microsoft.com/technet/treeview/?url=/technet/security/b
| ulletin/MS
|
| 03-039.asp
|
| Credit:
| Discovery: Barnaby Jack
| Additional Research: Barnaby Jack and Riley Hassell.
|
| Greetings:
| Thanks to Riley, and utmost respect to all of the eEye massive - masters
| of
| the black arts.
| Greets to all the new people I met in Vegas this year, especially the NZ
| crew, and many thanks to K2 (da bankrolla.) :)
| "This is my line. This is eternal." -AFI
|
| Copyright (c) 1998-2003 eEye Digital Security
| Permission is hereby granted for the redistribution of this alert
| electronically. It is not to be edited in any way without express consent
| of
| eEye. If you wish to reprint the whole or any part of this alert in any
| other medium excluding electronic medium, please e-mail alert@...e.com for
| permission.
|
| Disclaimer
| The information within this paper may change without notice. Use of this
| information constitutes acceptance for use in an AS IS condition. There
| are
| NO warranties with regard to this information. In no event shall the
| author
| be liable for any damages whatsoever arising out of or in connection with
| the use or spread of this information. Any use of this information is at
| the
| user's own risk.
|
| Feedback
| Please send suggestions, updates, and comments to:
|
| eEye Digital Security
| http://www.eEye.com
| info@...e.com
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
|
|
|
|
| -----------------------------------------
| The information transmitted is intended only for the person or entity
| to which it is addressed and may contain confidential and/or
| privileged material. Any review, retransmission, dissemination or
| other use of, or taking of any action in reliance upon, this
| information by persons or entities other than the intended recipient
| is prohibited. If you received this in error, please contact the
| sender and delete the material from any computer.
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
Powered by blists - more mailing lists