
RE: [Full-Disclosure] EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II

1.0.4 is not the latest version. Version 1.1.0 is the latest. Upgrade to

Again, if you think you have found a bug just contact us and we can help you

Marc Maiffret
Chief Hacking Officer
eEye Digital Security
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin@xxxxxxxxxxxxxxxx
| [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx]On Behalf Of
| Jeff.Urnaza@xxxxxxxxxxxxxxxxx
| Sent: Wednesday, September 10, 2003 1:26 PM
| To: Full-Disclosure
| Subject: Re: [Full-Disclosure] EEYE: Microsoft RPC Heap Corruption
| Vulnerability - Part II
| The version number in eEye's supposed *new* scanner is the same version
| number as the one they released for the previous RPC exploit, v1.0.4. In
| my initial tests of the scanner, it did not find any vulnerable hosts for
| the new RPC security hole on my network, except the ones that I already
| patched ..... strange .... looks like someone goofed on this one .....
| J
| From: "Marc Maiffret" <marc@xxxxxxxx>
| Sent by: full-disclosure-admin@lists.netsys.com
| Sent: 09/10/2003 10:50 AM
| To: "Full-Disclosure" <full-disclosure@xxxxxxxxxxxxxxxx>
| cc:
| Subject: [Full-Disclosure] EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II
| Here we go again. :-o
| -Marc
| --------
| Microsoft RPC Heap Corruption Vulnerability - Part II
| Release Date:
| September 10, 2003
| Severity:
| High (Remote Code Execution)
| Systems Affected:
| Microsoft Windows NT Workstation 4.0
| Microsoft Windows NT Server 4.0
| Microsoft Windows NT Server 4.0, Terminal Server Edition
| Microsoft Windows 2000
| Microsoft Windows XP
| Microsoft Windows Server 2003
| Description:
| eEye Digital Security has discovered a critical remote vulnerability in the
| way Microsoft Windows handles certain RPC requests. The RPC (Remote
| Procedure Call) protocol provides an inter-process communication mechanism
| allowing a program running on one computer to execute code on a remote
| system.
| A vulnerability exists within the DCOM (Distributed Component Object Model)
| RPC interface. This interface handles DCOM object activation requests sent
| by client machines to the server.
| Note: this vulnerability differs from the vulnerability publicized in
| Microsoft Bulletin MS03-026.
| (http://www.microsoft.com/technet/security/bulletin/MS03-026.asp)
| This is a new vulnerability, and a different patch must be installed.
| By sending a malformed request packet it is possible to overwrite various
| heap structures and allow the execution of arbitrary code.
| Technical Details:
| The vulnerability can be replicated with a DCERPC "bind" packet, followed by
| a malformed DCERPC DCOM object activation request packet. Issuing the API
| function CoGetInstanceFromFile can generate the required request. By
| manipulating the length fields within the activation packet, portions of
| heap memory can be overwritten with data which may be user-defined.
| Sending between 4 and 5 activation packets is generally sufficient to
| trigger the overwrite.
| Upon sending the sequence of packets we were able to continually cause an
| exception within the usual suspect RtlAllocateHeap:
| PAGE:77FC8F11                 mov     [ecx], eax
| PAGE:77FC8F13                 mov     [eax+4], ecx
| We control the values of the registers eax and ecx. We can write an
| arbitrary dword to any address of our choosing.
| Execution of code can be achieved through a number of means -- the
| UnhandledExceptionFilter or a PEB locking pointer for instance. For this
| specific vulnerability the best route was to overwrite a pointer within the
| writeable .data section of RPCSS.DLL :
| .data:761BC254 off_761BC254    dd offset loc_761A1AE7  ; DATA XREF: sub_761A19EF+1C_r
| .data:761BC254                                         ; sub_761A19EF+11D_w
| ...
| .data:761BC258 off_761BC258    dd offset loc_761A1B18  ; DATA XREF: sub_761A19EF+108_w
| .data:761BC258                                         ; sub_761A1DCF+13_r
| ...
| At runtime these two pointers reference RtlAllocateHeap and RtlFreeHeap
| respectively. By overwriting offset 0x761BC258 with our chosen EIP value, we
| control the processor directly after the heap overwrite. The added benefit
| in choosing this pointer is we have data from our received packet at
| ebp->10h which we may modify to our liking, within reason. There is one
| small obstacle that must be overcome. The first word value at that address
| is the length field of our packet; this field must translate to an opcode
| sequence that will allow us to reach our data that follows.
| Protection:
| Retina Network Security Scanner has been updated to identify this
| vulnerability.
| http://www.eeye.com/html/Products/Retina/index.html
| Also our FREE RPC scanner tool has been updated to check for this second
| vulnerability.
| http://www.eeye.com/html/Research/Tools/RPCDCOM.html
| Vendor Status:
| Microsoft has released a patch for this vulnerability. The patch is
| available at:
| http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
| Credit:
| Discovery: Barnaby Jack
| Additional Research: Barnaby Jack and Riley Hassell.
| Greetings:
| Thanks to Riley, and utmost respect to all of the eEye massive - masters of
| the black arts.
| Greets to all the new people I met in Vegas this year, especially the NZ
| crew, and many thanks to K2 (da bankrolla.) :)
| "This is my line. This is eternal." -AFI
| Copyright (c) 1998-2003 eEye Digital Security
| Permission is hereby granted for the redistribution of this alert
| electronically. It is not to be edited in any way without express consent of
| eEye. If you wish to reprint the whole or any part of this alert in any
| other medium excluding electronic medium, please e-mail alert@xxxxxxxx for
| permission.
| Disclaimer
| The information within this paper may change without notice. Use of this
| information constitutes acceptance for use in an AS IS condition. There are
| NO warranties with regard to this information. In no event shall the author
| be liable for any damages whatsoever arising out of or in connection with
| the use or spread of this information. Any use of this information is at the
| user's own risk.
| Feedback
| Please send suggestions, updates, and comments to:
| eEye Digital Security
| http://www.eEye.com
| info@xxxxxxxx
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html

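The two stores the advisory shows faulting inside RtlAllocateHeap (mov [ecx], eax / mov [eax+4], ecx) are the unlink of a doubly linked free-list entry: the neighbours' back and forward links are rewritten from the entry's own FLINK/BLINK fields, so a heap overflow that replaces those fields turns the unlink into a write of a chosen word to a chosen address. The toy free list below is an added illustration, not part of the original advisory or eEye's code; it contrasts the blind unlink with the safe-unlinking consistency check (neighbours must point back at the entry) that refuses a corrupted entry, using a constructed `victim` entry as a stand-in for the overwritten pointers.

```c
/* Toy doubly linked free-list entry, shaped like the FLINK/BLINK pair at the
 * start of a free heap chunk. Constructed for illustration, not eEye's code. */
typedef struct entry {
    struct entry *flink;   /* forward link */
    struct entry *blink;   /* backward link */
} entry_t;

/* Unchecked unlink: the two stores are the advisory's
 *   mov [ecx], eax   ; flink->blink = blink
 *   mov [eax+4], ecx ; blink->flink = flink
 * If an overflow replaced flink or blink, both stores land where the corrupt
 * pointers say, with no fault at the time of the write. */
static void unlink_unchecked(entry_t *e) {
    e->flink->blink = e->blink;
    e->blink->flink = e->flink;
}

/* Safe unlinking: unlink only an entry whose neighbours point back at it.
 * Returns 1 on success, 0 when the links are inconsistent (corruption). */
static int unlink_checked(entry_t *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    unlink_unchecked(e);
    return 1;
}

/* Circular list head <-> a <-> b. */
static void build_list(entry_t *head, entry_t *a, entry_t *b) {
    head->flink = a; a->blink = head;
    a->flink = b;    b->blink = a;
    b->flink = head; head->blink = b;
}

/* Healthy list: checked unlink of a succeeds and head <-> b remain linked. */
int sane_unlink_ok(void) {
    entry_t head, a, b;
    build_list(&head, &a, &b);
    return unlink_checked(&a) == 1 && head.flink == &b && b.blink == &head;
}

/* Corrupted list: a.flink is redirected at 'victim', a stand-in for two adjacent
 * words. Returns 1 if the checked unlink refused and the blind one overwrote it. */
int corruption_detected(void) {
    entry_t head, a, b, victim = {0, 0};
    build_list(&head, &a, &b);
    a.flink = &victim;                        /* simulated FLINK overflow */
    int refused = unlink_checked(&a) == 0 && victim.blink == 0;
    unlink_unchecked(&a);                     /* legacy blind stores */
    return refused && victim.blink == &head && head.flink == &victim;
}
```

The check costs two loads and two compares per unlink and converts a silent arbitrary write into a detectable inconsistency, which is why modern heap allocators treat a failed link validation as a fatal corruption rather than continuing.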