[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7BE3FADD73E3734AA95BCA7AE4802F30573D70@hermes.eCompany.gov>
From: mmaiffret at eeye.com (Marc Maiffret)
Subject: EEYE: Microsoft DCOM RPC Memory Leak
Microsoft DCOM RPC Memory Leak
Release Date:
April 13, 2004
Date Reported:
September 10, 2003
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Description:
eEye Digital Security has discovered a critical remote vulnerability in
the way Microsoft Windows handles DCOM RPC requests. This vulnerability
is a separate issue from vulnerabilities described in Microsoft Security
Bulletins MS03-026 and MS03-039.
The RPC (Remote Procedure Call) protocol provides an inter-process
communication mechanism allowing a program running on one computer to
execute code on a remote system. Distributed COM (DCOM) extends the
usability of COM to support COM communication across a network with
other computers. The DCOM RPC interface in charge of processing incoming
RPC based DCOM activation requests has been prone to failure in the
past. An issue in the DCOM interface dealing with direct memory
allocation from a user supplied size can be exploited remotely to
exhaust all available memory on a targeted machine, rendering it
inoperable.
Technical Description:
After the DCOM activation request is unmarshalled it is passed off to
the Activation class of functions within the rpcss.dll. A routine
dealing with the class allocates a size specified in a length field
within the request packet. This DWORD length field is not validated
before allocation so any size can be chosen by the client issuing the
activation request. Normally this buffer is released after the
activation request as completed. If we choose an abnormally large size,
one that is larger than the memory pool of the source buffer, we can
cause an exception when the page boundary is hit. Like most exception
handlers, no cleanup is performed due to the unpredictable nature of the
exception.
An attacker can exhaust all available memory on the remote machine
within seconds, rendering it extremely unstable, if not totally
inoperable.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx.
Credit:
Discovery: Riley Hassell
Additional Research: Riley Hassell and Barnaby Jack
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html
Greetings:
Gellanie and the Worlds Anthem, Marc Tobias, Jack Kozoil and authors
from Shellcoders Handbook.
Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@...e.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@...e.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 3981 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040413/2394a037/attachment.bin
Powered by blists - more mailing lists