Full Disclosure mailing list archives
RE: EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II
From: "Marc Maiffret" <marc () eeye com>
Date: Wed, 10 Sep 2003 15:24:38 -0700
1.0.4 is not the latest version. Version 1.1.0 is the latest. Upgrade to that.
Again, if you think you have found a bug just contact us and we can help you
out.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin () lists netsys com
| [mailto:full-disclosure-admin () lists netsys com]On Behalf Of
| Jeff.Urnaza () averydennison com
| Sent: Wednesday, September 10, 2003 1:26 PM
| To: Full-Disclosure
| Subject: Re: [Full-disclosure] EEYE: Microsoft RPC Heap Corruption
| Vulnerability - Part II
|
| The version number in eEye's supposed *new* scanner is the same version
| number as the one they release for the previous RPC exploit, v1.0.4. In
| my initial tests of the scanner, it did not find any vulnerable hosts for
| the new RPC security hole on my network, except the ones that I already
| patched ..... strange .... looks like someone goofed on this one .....
|
| J
|
| "Marc Maiffret" <marc () eeye com>
| Sent by: full-disclosure-admin@lists.netsys.com
| 09/10/2003 10:50 AM
|
| To: "Full-Disclosure" <full-disclosure () lists netsys com>
| cc:
| Subject: [Full-Disclosure] EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II
|
| Here we go again. :-o
|
| -Marc
| --------
| Microsoft RPC Heap Corruption Vulnerability - Part II
|
| Release Date:
| September 10, 2003
|
| Severity:
| High (Remote Code Execution)
|
| Systems Affected:
| Microsoft Windows NT Workstation 4.0
| Microsoft Windows NT Server 4.0
| Microsoft Windows NT Server 4.0, Terminal Server Edition
| Microsoft Windows 2000
| Microsoft Windows XP
| Microsoft Windows Server 2003
|
| Description:
|
| eEye Digital Security has discovered a critical remote vulnerability in the
| way Microsoft Windows handles certain RPC requests. The RPC (Remote
| Procedure Call) protocol provides an inter-process communication mechanism
| allowing a program running on one computer to execute code on a remote
| system.
|
| A vulnerability exists within the DCOM (Distributed Component Object Model)
| RPC interface. This interface handles DCOM object activation requests sent
| by client machines to the server.
|
| Note: this vulnerability differs from the vulnerability publicized in
| Microsoft Bulletin MS03-026.
| (http://www.microsoft.com/technet/security/bulletin/MS03-026.asp)
| This is a new vulnerability, and a different patch that must be installed.
|
| By sending a malformed request packet it is possible to overwrite various
| heap structures and allow the execution of arbitrary code.
|
| Technical Details:
|
| The vulnerability can be replicated with a DCERPC "bind" packet, followed by
| a malformed DCERPC DCOM object activation request packet. Issuing the API
| function CoGetInstanceFromFile can generate the required request. By
| manipulating the length fields within the activation packet, portions of
| heap memory can be overwritten with data which may be user-defined.
|
| Sending between 4 and 5 activation packets is generally sufficient to
| trigger the overwrite.
|
| Upon sending the sequence of packets we were able to continually cause an
| exception within the usual suspect RtlAllocateHeap:
|
| PAGE:77FC8F11 mov [ecx], eax
| PAGE:77FC8F13 mov [eax+4], ecx
|
| We control the values of the registers eax and ecx. We can write an
| arbitrary dword to any address of our choosing.
|
| Execution of code can be achieved through a number of means -- the
| unhandledexceptionfilter or a PEB locking pointer for instance. For this
| specific vulnerability the best route was to overwrite a pointer within the
| writeable .data section of RPCSS.DLL :
|
| .data:761BC254 off_761BC254 dd offset loc_761A1AE7 ; DATA XREF: sub_761A19EF+1C_r
| .data:761BC254                                     ; sub_761A19EF+11D_w
| ...
| .data:761BC258 off_761BC258 dd offset loc_761A1B18 ; DATA XREF: sub_761A19EF+108_w
| .data:761BC258                                     ; sub_761A1DCF+13_r
| ...
|
| At runtime these two pointers reference RtlAllocateHeap and RtlFreeHeap
| respectively. By overwriting offset 0x761BC258 with our chosen EIP value, we
| control the processor directly after the heap overwrite. The added benefit
| in choosing this pointer is we have data from our received packet at
| ebp->10h which we may modify to our liking, within reason. There is one
| small obstacle that must be overcome. The first word value at that address
| is the length field of our packet; this field must translate to an opcode
| sequence that will allow us to reach our data that follows.
|
| Protection:
| Retina Network Security Scanner has been updated to identify this
| vulnerability.
| http://www.eeye.com/html/Products/Retina/index.html
| Also our FREE RPC scanner tool has been updated to check for this second
| vulnerability.
| http://www.eeye.com/html/Research/Tools/RPCDCOM.html
|
| Vendor Status:
| Microsoft has released a patch for this vulnerability. The patch is
| available at:
| http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
|
| Credit:
| Discovery: Barnaby Jack
| Additional Research: Barnaby Jack and Riley Hassell.
|
| Greetings:
| Thanks to Riley, and utmost respect to all of the eEye massive - masters of
| the black arts.
| Greets to all the new people I met in Vegas this year, especially the NZ
| crew, and many thanks to K2 (da bankrolla.) :)
| "This is my line. This is eternal." -AFI
|
| Copyright (c) 1998-2003 eEye Digital Security
| Permission is hereby granted for the redistribution of this alert
| electronically. It is not to be edited in any way without express consent of
| eEye. If you wish to reprint the whole or any part of this alert in any
| other medium excluding electronic medium, please e-mail alert () eEye com for
| permission.
|
| Disclaimer
| The information within this paper may change without notice. Use of this
| information constitutes acceptance for use in an AS IS condition. There are
| NO warranties with regard to this information. In no event shall the author
| be liable for any damages whatsoever arising out of or in connection with
| the use or spread of this information. Any use of this information is at the
| user's own risk.
|
| Feedback
| Please send suggestions, updates, and comments to:
|
| eEye Digital Security
| http://www.eEye.com
| info () eEye com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
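The write-what-where primitive the quoted advisory describes (attacker-controlled eax and ecx reaching `mov [ecx], eax` / `mov [eax+4], ecx` inside the allocator), as an added C example that is not eEye's code and does not model RPCSS or the real NT heap: it simulates a doubly-linked free-list unlink on a chunk whose forward and backward links an overflow has overwritten. The function names, the `g_data_fnptr` slot standing in for the writable .data pointer in RPCSS.DLL, and the `attacker_data` buffer standing in for received packet bytes are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Width of one list link: 4 bytes on the x86 target the advisory
 * describes, sizeof(void *) here so the demo also runs on 64-bit. */
#define LINK sizeof(void *)

/* Simulated writable .data slot, standing in for the RPCSS pointer that
 * the advisory overwrites (constructed; real RPCSS offsets are not modelled). */
static void legit_alloc(void) { puts("legit allocator"); }
static void (*g_data_fnptr)(void) = legit_alloc;

/* Simulated attacker-controlled bytes already in process memory.  The
 * first LINK bytes play the role of the packet length field the advisory
 * says must double as an opcode sequence; the next LINK bytes are the
 * ones the second store clobbers.  Constructed filler, not packet data. */
static unsigned char attacker_data[64];

/* Free-list unlink as an allocator performs it.  With eax = flink and
 * ecx = blink these two copies are the pair quoted in the advisory:
 *   mov [ecx], eax     ; blink->flink = flink   (write "what" to "where")
 *   mov [eax+4], ecx   ; flink->blink = blink   (side effect at what+4)
 * Done with memcpy so the demo stays well-defined C regardless of the
 * types living at either address. */
static void unlink_entry(const unsigned char *entry)
{
    unsigned char *flink, *blink;
    memcpy(&flink, entry, LINK);
    memcpy(&blink, entry + LINK, LINK);
    memcpy(blink, &flink, LINK);
    memcpy(flink + LINK, &blink, LINK);
}

/* Overflow a free chunk's header with a chosen flink ("what") and blink
 * ("where"), let the allocator unlink it, and report whether the result is
 * the primitive the advisory describes: the .data pointer now holds "what",
 * the length-field bytes are intact, and the only collateral write is the
 * LINK bytes at what+LINK.  Returns 1 on success, 0 otherwise. */
int demo_write_what_where(void)
{
    unsigned char chunk[2 * sizeof(void *)];
    unsigned char *what  = attacker_data;                   /* new pointer value */
    unsigned char *where = (unsigned char *)&g_data_fnptr;  /* slot to hijack */
    unsigned char *now;

    memset(attacker_data, 0x41, sizeof attacker_data);
    memcpy(chunk, &what, LINK);          /* corrupted flink */
    memcpy(chunk + LINK, &where, LINK);  /* corrupted blink */

    unlink_entry(chunk);                 /* allocator takes "our" chunk off the list */

    memcpy(&now, &g_data_fnptr, LINK);
    if (now != what)                                     return 0;
    if (attacker_data[0] != 0x41)                        return 0; /* length field untouched */
    if (memcmp(attacker_data + LINK, &where, LINK) != 0) return 0; /* expected clobber */
    if (attacker_data[2 * LINK] != 0x41)                 return 0; /* payload after it intact */
    return 1;
}

int main(void)
{
    printf("write-what-where via unlink: %s\n",
           demo_write_what_where() ? "pointer hijacked" : "failed");
    return 0;
}
```

Build with `cc -o unlink unlink.c` and run it. The second store is the point worth noticing: whatever value is written into the .data slot also gets the slot's address written at value+4, so the chosen EIP has to sit in writable memory. That is why the advisory points the hijacked pointer at its own received packet data rather than at code, and why the packet length word sitting at that address has to execute as harmless opcodes before control reaches the bytes that follow. The demo never calls the hijacked pointer, since `attacker_data` is a data buffer, not executable code.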
Current thread:
- EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II Marc Maiffret (Sep 10)
- <Possible follow-ups>
- Re: EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II Jeff . Urnaza (Sep 10)
- RE: EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II Chris DeVoney (Sep 10)
- MS03-039 - Exploit ... Elv1S (Sep 10)
- MS03-039 - Exploit ... Elv1S (Sep 10)
- RE: EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II Marc Maiffret (Sep 10)
- RE: EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II Chris DeVoney (Sep 10)
- RE: EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II Jeff . Urnaza (Sep 10)