Dailydave mailing list archives
Information leak over RPC of a heap pointer to caller controlled data
From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Mon, 28 Apr 2008 01:00:34 +0800
In late 2006 the following oddity was discovered in the Windows XP Server Service RPC interface; it has been resolved in Service Pack 3.

When calling a number of functions on the srvsvc RPC interface (4B324fC8-1670-01D3-1278-5A47BF6EE188), the stub returned will contain a pointer to caller-controlled data on the heap. A classical information leak.

Example functions that exhibit this behaviour include:
- Opnum 0x00 - NetCharDevEnum (also detailed by Derek Soeder - http://research.eeye.com/html/Papers/download/eeyeMRV-Oct2006.pdf)
- Opnum 0x01 - NetrCharDevQEnum (reported by myself to Microsoft)

As was well explained in Derek's paper on uninitialised memory, these are of a class of memory retrieval issues, which allow some unique fingerprinting of remote memory structures and their locations. Demonstrations of this were built on top of Metasploit's RPC stack, and have been withheld from public disclosure until this point in time.

For the curious, the patch causes the functions to mimic their Windows Server and Vista counterparts - which always returned 0x00200000 as the pointer value.

I didn't place much further thought into this until Druid's paper on Context-keyed Payload Encoding. This method would allow a payload decoding key to be inserted ahead of time into the target's services.exe process, with a custom value and at a known offset.
http://www.uninformed.org/?v=9&a=3

Now that XP SP3 has been widely released, and this information leak resolved, the two Metasploit modules are being released in the interests of further research.

Rhys

msf auxiliary(srvsvc_NetrCharDevQEnum_heap) > run
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.58.128[\srvsvc] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.58.128[\srvsvc]
[*] Calling the vulnerable function NetrCharDevQEnum(), value=174 ...
[*] Response received from remote target:
[*] 01000000 01000000 00000000 00000000 fc765003 ae000000 32000000 <- 0x035076fc pointer to 0xae (174) data in memory
[*] Auxiliary module execution completed
Attachment: srvsvc_NetrCharDevEnum_heap.rb
Attachment: srvsvc_NetrCharDevQEnum_heap.rb
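The following is an added example, not code from the post or from the two Metasploit modules it attaches. It parses the response dump printed above and tells a leaking stub apart from the fixed 0x00200000 pointer that the post says Windows Server, Vista and XP SP3 return, which is the check an administrator would want when confirming that SP3 has actually closed the leak on a host. Assumptions, labelled in the code: the stub is seven little-endian DWORDs in the order the module prints them, and, following the post's own annotation, the fifth DWORD is the leaked pointer and the sixth echoes the caller-supplied value; the remaining fields are not interpreted. The second sample dump (a patched host's reply) is constructed for illustration.

```python
"""Parse the srvsvc stub dump shown in the post and classify it as a heap
pointer leak or as the fixed-value reply of a patched host.

Added example, not the post's or Metasploit's code. Assumed layout: seven
little-endian DWORDs; index 4 holds the leaked pointer and index 5 echoes the
caller-controlled value (per the post's annotation). Other fields are not
interpreted here.
"""
import struct

# Pointer value the post reports for Windows Server / Vista and for XP SP3
# after the fix, returned in place of a real heap address.
FIXED_POINTER = 0x00200000

POINTER_INDEX = 4   # assumed position of the leaked pointer in the stub
VALUE_INDEX = 5     # assumed position of the echoed caller-controlled value


def dump_to_bytes(dump_line: str) -> bytes:
    """Convert the module's 'xxxxxxxx xxxxxxxx ...' hex dump into raw bytes.

    A leading '[*]' prefix and anything after a '<-' annotation are ignored,
    matching the way the post's output is printed.
    """
    hex_part = dump_line.split("<-", 1)[0].strip()
    if hex_part.startswith("[*]"):
        hex_part = hex_part[3:].strip()
    return b"".join(bytes.fromhex(word) for word in hex_part.split())


def parse_stub(raw: bytes) -> dict:
    """Unpack the seven little-endian DWORDs of the returned stub."""
    if len(raw) < 28:
        raise ValueError("stub shorter than 7 DWORDs: %d bytes" % len(raw))
    fields = struct.unpack_from("<7I", raw)
    return {
        "fields": fields,
        "pointer": fields[POINTER_INDEX],
        "echoed_value": fields[VALUE_INDEX],
    }


def classify(raw: bytes, sent_value: int) -> str:
    """Return 'patched', 'leak' or 'unexpected' for one response.

    'leak'       - pointer slot holds something other than the fixed value and
                   the value we sent is echoed back (the pre-SP3 behaviour).
    'patched'    - pointer slot holds 0x00200000 (Server/Vista/SP3 behaviour).
    'unexpected' - the echoed value does not match what was sent, so the
                   layout assumption may not hold; draw no conclusion.
    """
    stub = parse_stub(raw)
    if stub["echoed_value"] != sent_value:
        return "unexpected"
    if stub["pointer"] == FIXED_POINTER:
        return "patched"
    return "leak"


# Constructed inputs: the first line is the dump printed in the post; the
# second is what a patched host would return under the same assumptions.
LEAKING_DUMP = ("[*] 01000000 01000000 00000000 00000000 fc765003 ae000000 "
                "32000000 <- 0x035076fc pointer to 0xae (174) data in memory")
PATCHED_DUMP = "01000000 01000000 00000000 00000000 00002000 ae000000 32000000"


if __name__ == "__main__":
    for label, dump in (("leaking", LEAKING_DUMP), ("patched", PATCHED_DUMP)):
        raw = dump_to_bytes(dump)
        stub = parse_stub(raw)
        print("%s: pointer=0x%08x echoed=%d -> %s" % (
            label, stub["pointer"], stub["echoed_value"], classify(raw, 174)))
```

The echoed-value check matters: a pointer slot that differs from 0x00200000 only proves something when the stub is in the layout assumed here, and seeing the caller's own value come back at the expected offset is the cheapest confirmation of that. On a fleet, the practical use is the patched/leak verdict per host after rolling out SP3, not the pointer value itself.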
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave