September 10, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Description:
eEye Digital Security has discovered a critical remote vulnerability in the way Microsoft Windows handles certain RPC requests.
The RPC (Remote Procedure Call) protocol provides an inter-process communication mechanism allowing a program running on one computer to execute code on a remote system. The vulnerability exists within the DCOM (Distributed Component Object Model) RPC interface. This interface handles DCOM object activation requests sent by client machines to the server. By sending a malformed request packet it is possible to overwrite various heap structures and allow the execution of arbitrary code.
Note: This vulnerability differs from the vulnerability publicized in Microsoft Bulletin MS03-026 (http://www.microsoft.com/technet/security/bulletin/MS03-026.asp). This is a new vulnerability, and a different patch must be installed.
Technical Description:
The vulnerability can be replicated with a DCERPC "bind" packet, followed by a malformed DCERPC DCOM object activation request packet. Calling the API function CoGetInstanceFromFile generates the required request. By manipulating the length fields within the activation packet, portions of heap memory can be overwritten with user-defined data.
Sending between four and five activation packets is generally sufficient to trigger the overwrite. Upon sending the sequence of packets, eEye was able to continually cause an exception within the usual suspect RtlAllocateHeap:
PAGE:77FC8F11 mov [ecx], eax
PAGE:77FC8F13 mov [eax+4], ecx
By controlling the values of the registers eax and ecx, it is possible to write an arbitrary dword to any address.
Execution of code can be achieved through a number of means, for instance through the unhandledexceptionfilter or a PEB locking pointer. For this specific vulnerability, the most reliable route was to overwrite a pointer within the writeable .data section of RPCSS.DLL:
.data:761BC254 off_761BC254 dd offset loc_761A1AE7 ; DATA XREF: sub_761A19EF+1C_r
.data:761BC254                                      ; sub_761A19EF+11D_w
...
.data:761BC258 off_761BC258 dd offset loc_761A1B18 ; DATA XREF: sub_761A19EF+108_w
.data:761BC258                                      ; sub_761A1DCF+13_r
...
At runtime these two pointers reference RtlAllocateHeap and RtlFreeHeap respectively. By overwriting offset 0x761BC258 with our chosen EIP value, we control the processor directly after the heap overwrite. As a result of choosing this pointer, we have data from our received packet at ebp->10h, which it is possible to modify, within reason. There is one small obstacle that must be overcome: the first word value at that address is the length field of our packet, and this field must translate to an opcode sequence that will allow the data that follows to be reached.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability:
http://www.eeye.com/html/Products/Retina/index.html
Also eEye has updated its free RPC scanner tool to check for this second vulnerability:
http://www.eeye.com/html/Research/Tools/RPCDCOM.html
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
Credit:
Discovery: Barnaby Jack
Additional Research: Barnaby Jack and Riley Hassell
Greetings:
Thanks to Riley, and utmost respect to all of the eEye massive - masters of the black arts. Greets to all the new people I met in Vegas this year, especially the NZ crew, and many thanks to K2 (da bankrolla). :) "This is my line. This is eternal." -AFI
Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com