Dailydave mailing list archives

Information leak over RPC of a heap pointer to caller controlled data


From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Mon, 28 Apr 2008 01:00:34 +0800

In late 2006 the following oddity was discovered in the Windows XP Server
Service RPC interface; it has been resolved in Service Pack 3.

When calling a number of functions on the srvsvc RPC interface
(4B324fC8-1670-01D3-1278-5A47BF6EE188), the stub returned will contain a
pointer to caller-controlled data on the heap. A classical information leak.


Example functions that exhibit this behaviour include:

 - Opnum 0x00 - NetCharDevEnum (also detailed by Derek Soeder - http://research.eeye.com/html/Papers/download/eeyeMRV-Oct2006.pdf)
 - Opnum 0x01 - NetrCharDevQEnum (reported by myself to Microsoft)

As was well explained in Derek's paper on uninitialised memory, these are of
a class of memory retrieval issues, which allow some unique fingerprinting
of remote memory structures and their locations.

Demonstrations of this were built on top of Metasploit's RPC stack, and have
been withheld from public disclosure until this point in time. For the
curious, the patch causes the functions to mimic their Windows Server and
Vista counterparts - which always returned 0x00200000 as the pointer value.

I didn't place much further thought into this until Druid's paper on
*Context-keyed Payload Encoding*. This method would allow a payload decoding key to be
inserted ahead of time into the target's services.exe process, with a custom
value and at a known offset.

http://www.uninformed.org/?v=9&a=3

Now that XP SP3 has been widely released, and this information leak
resolved, the two Metasploit modules are being released in the interests of
further research.

Rhys


msf auxiliary(srvsvc_NetrCharDevQEnum_heap) > run
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.58.128[\srvsvc]
...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.58.128[\srvsvc]

[*] Calling the vulnerable function NetrCharDevQEnum(), value=174 ...
[*] Response received from remote target:

[*] 01000000 01000000 00000000 00000000 fc765003 ae000000 32000000   <- 0x035076fc pointer to 0xae (174) data in memory

[*] Auxiliary module execution completed

Attachment: srvsvc_NetrCharDevEnum_heap.rb

Attachment: srvsvc_NetrCharDevQEnum_heap.rb
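As an added example (not part of the post or of the attached Metasploit modules), a small Ruby parser for the stub shown above: it unpacks the little-endian DWORDs, reads the pointer and echoed-value fields, and reports whether the response carries a heap address or the fixed 0x00200000 that patched hosts return. The field positions are assumed from the dump in the post; the hex string below is constructed from it.

```ruby
# Added example: classify a srvsvc NetrCharDevQEnum stub as described in the post.
# Not code from the post or the attached modules; field offsets are assumed
# from the dump shown there (pointer in DWORD 5, echoed value in DWORD 6).

# Constructed from the hex dump in the post (seven little-endian DWORDs).
SAMPLE_STUB_HEX = "01000000 01000000 00000000 00000000 fc765003 ae000000 32000000"

# Fixed value returned by patched XP SP3 / Server / Vista hosts, per the post.
PATCHED_POINTER = 0x00200000

# Split the hex dump into unsigned 32-bit little-endian words.
def parse_stub(hex)
  [hex.delete(" ")].pack("H*").unpack("V*")
end

# Inspect the pointer field and check that the next DWORD echoes the value the
# caller supplied, which is what makes the pointer point at caller-controlled data.
def classify_stub(hex, sent_value)
  words = parse_stub(hex)
  raise ArgumentError, "stub too short (#{words.length} DWORDs)" if words.length < 6
  pointer = words[4]
  echoed  = words[5]
  verdict =
    if pointer == PATCHED_POINTER
      :patched   # constant placeholder, nothing about the heap is exposed
    elsif echoed == sent_value
      :leak      # real heap address pointing at data the caller sent
    else
      :unknown   # layout does not match the assumed field positions
    end
  { pointer: pointer, echoed: echoed, verdict: verdict }
end

if __FILE__ == $0
  r = classify_stub(SAMPLE_STUB_HEX, 174)
  puts format("pointer=0x%08x echoed=%d verdict=%s", r[:pointer], r[:echoed], r[:verdict])
end
```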

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
