Microsoft DCOM RPC Memory Leak

Release Date: April 13, 2004
Date Reported: September 10, 2003
Severity: High (Remote Code Execution)
Vendor: Microsoft

Systems Affected:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Description:
eEye Digital Security has discovered a critical remote vulnerability in the way Microsoft Windows handles DCOM RPC requests. This vulnerability is a separate issue from the vulnerabilities described in Microsoft Security Bulletins MS03-026 and MS03-039.

The RPC (Remote Procedure Call) protocol provides an inter-process communication mechanism that allows a program running on one computer to execute code on a remote system. Distributed COM (DCOM) extends COM to support COM communication across a network with other computers.

The DCOM RPC interface in charge of processing incoming RPC-based DCOM activation requests has been prone to failure in the past. An issue in the DCOM interface dealing with direct memory allocation from a user-supplied size can be exploited remotely to exhaust all available memory on a targeted machine, rendering it inoperable.

Technical Description:
After the DCOM activation request is unmarshalled, it is passed off to the Activation class of functions within rpcss.dll. A routine dealing with this class allocates a buffer of the size specified in a length field within the request packet. This DWORD length field is not validated before allocation, so any size can be chosen by the client issuing the activation request. Normally this buffer is released after the activation request has completed. If we choose an abnormally large size, one that is larger than the memory pool of the source buffer, we can cause an exception when the page boundary is hit. Like most exception handlers, no cleanup is performed due to the unpredictable nature of the exception, so the allocated buffer is never freed.
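The allocation pattern described above, reduced to a small model, as an added illustration that is not eEye's or Microsoft's code: a request carrying a trusted DWORD length, a handler that allocates that size and then faults while copying past the end of the source data without releasing the buffer, beside a hardened handler that bounds the length before allocating and frees on every exit. The packet layout, the 64 KiB policy cap and the byte counter are assumptions made for the example; the fault is modelled as an early return rather than a real page fault.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes allocated by a handler and not yet released (constructed
 * bookkeeping so the leak is observable without a debugger). */
static size_t g_outstanding_bytes = 0;

/* Constructed request layout: little-endian DWORD length, then payload. */
static uint32_t read_dword_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length field is trusted, the buffer is allocated,
 * and the fault raised while copying beyond the source data unwinds through
 * a handler that frees nothing. */
int handle_activation_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return -1;
    uint32_t len = read_dword_le(pkt);       /* never validated */
    uint8_t *buf = malloc(len ? len : 1);
    if (!buf) return -1;
    g_outstanding_bytes += len;
    if (len > pkt_len - 4)                   /* stands in for the page fault */
        return -2;                           /* buf is leaked on this path */
    memcpy(buf, pkt + 4, len);
    free(buf);
    g_outstanding_bytes -= len;
    return 0;
}

/* Hardened form: bound the length by what the packet actually carries and
 * by a policy cap, reject before allocating, and free on every exit path. */
#define MAX_ACTIVATION_LEN (64u * 1024u)     /* assumed policy cap */
int handle_activation_hardened(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return -1;
    uint32_t len = read_dword_le(pkt);
    if (len > pkt_len - 4 || len > MAX_ACTIVATION_LEN) return -2;
    uint8_t *buf = malloc(len ? len : 1);
    if (!buf) return -1;
    g_outstanding_bytes += len;
    memcpy(buf, pkt + 4, len);
    free(buf);
    g_outstanding_bytes -= len;
    return 0;
}

/* Exposed so a caller (or test) can check whether memory was left behind. */
size_t outstanding_bytes(void) { return g_outstanding_bytes; }
```

Feeding the vulnerable handler a request whose length field exceeds its payload leaves the allocation outstanding on every call, which is the per-request growth the advisory describes; the hardened handler rejects the same request with nothing allocated.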
An attacker can exhaust all available memory on the remote machine within seconds, rendering it extremely unstable, if not totally inoperable.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Credit:
Discovery: Riley Hassell
Additional Research: Riley Hassell and Barnaby Jack

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
Gellanie and the Worlds Anthem, Marc Tobias, Jack Koziol and the authors of The Shellcoder's Handbook.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this alert in any medium other than electronic, please email alert@xxxxxxxx for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@xxxxxxxx