Full Disclosure mailing list archives

Windows XP SP3 - DCERPC Changes


From: H D Moore <fdlist () digitaloffense net>
Date: Wed, 19 Dec 2007 22:30:31 -0600

Changes between DCERPC services on XP SP2 and XP SP3 (release candidate)
This is from a quick and dirty unmidl.py + diff(3) session[1]
Results do not include new services bundled with SP3.
Results are likely incomplete.
Verify this with mIDA.
Happy holidays.

Thanks Dave for UNMIDL.

Cheers,

-HD

--

dhcpcsvc.dll - DHCP Client RPC Service
[ uuid(3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5), version(1.0) ]

        New operations added:

        long  Function_0c( 
                [in] [unique]  [string] wchar_t * element_67,
                [in]  long  element_68,
                [in]  [string] wchar_t *  element_69,
                [in] [unique]  TYPE_1 ** element_70,
                [in] [unique]  TYPE_6 ** element_71,
                [out]  long * element_80
         );

        long  Function_0d( 
                [in] [unique]  [string] wchar_t * element_82,
                [in]  [string] wchar_t *  element_83,
                [in] [unique]  TYPE_1 ** element_84,
                [in,out]  TYPE_6 * element_85
         );

        long  Function_0e( 
                [in] [unique]  [string] wchar_t * element_87,
                [in]  long  element_88,
                [out] [ref] [unique]  [string] wchar_t ** element_89
         );

        long  Function_0f( 
                [in] [unique]  [string] wchar_t * element_91,
                [in]  long  element_92,
                [in]  [string] wchar_t *  element_93
         );

        long  Function_10( 
                [in] [unique]  [string] wchar_t * element_95,
                [in]  [string] wchar_t *  element_96,
                [out]  TYPE_8 * element_97
         );

        long  Function_11( 
                [in] [unique]  [string] wchar_t * element_107,
                [size_is(*element_110)] [out] [ref] [unique]  long ** element_109,
                [out]  long * element_110
         );


lsasrv.dll - LSARPC
[ uuid(12345778-1234-abcd-ef00-0123456789ab), version(0.0) ]

        New operations added:

        long  Function_4f( 
                [in]  long  element_1115,
                [in] [unique]  [string] wchar_t * element_1116,
                [out] [context_handle]  void * element_1117
         );

        long  Function_50( 
                [in]  long  element_1119,
                [in,out] [context_handle]  void * element_1120
         );

        long  Function_51( 
                [in]  long  element_1122,
                [in] [context_handle]  void * element_1123,
                [in]  long  element_1124,
                [in]  TYPE_78 * element_1125,
                [in]  TYPE_70 * element_1126
         );


msdtcprx.dll - MS Distributed Transaction Controller RPC Service
[ uuid(906b0ce0-c70b-1067-b317-00dd010662da), version(1.0) ]

        Completely removed from XP SP3
        

p2psvc.dll - Peer Networking Identity Manager
[ uuid(a2d47257-12f7-4beb-8981-0ebfa935c407), version(1.0) ]

        Changes to structure definitions used by operations 5, 6, 7, and 8
        Changes to the function definitions for operations 5 and 7


scesrv.dll - Security Configuration Editor Engine
[ uuid(93149ca2-973b-11d1-8c39-00c04fb984f9), version(0.0) ]
        
        Completely removed from XP SP3
        

seclogon.dll - Secondary Logon service
[ uuid(12b81e99-f207-4a4c-85d3-77b42f76fd14), version(1.0) ]
        
        Completely removed from XP SP3


termsrv.dll - Terminal Server
[ uuid(5ca4a760-ebb1-11cf-8611-00a0245420ed), version(1.0) ]

        A range check was added to the last argument of operation 0x24
        
        char Function_24(
                [in] [context_handle]  void * element_228,
                [out]  long * element_229,
                [size_is(element_232)] [out]  char  element_230,
                [in]  [range(0,32768)] long  element_232
         );
         
        In XP SP2, this operation is defined as:
         
        char  Function_24( 
                [in] [context_handle]  void * element_228,
                [out]  long * element_229,
                [size_is(element_231)] [out]  char  element_230,
                [in]  long  element_231
         );     
         
        Since this is a size_is() field, we can assume this is an overflow check

        This operation is known as RpcWinStationEnumerateProcesses()

        Since it requires a context handle, it's likely post-authentication.


wzcsvc - Wireless Configuration
[ uuid(621dff68-3c39-4c6c-aae3-e68e2c6503ad), version(1.0) ]

        New operation added:
        
        long  Function_15(
                [in] [context_handle]  void * element_207,
                [in]  TYPE_13 * element_208,
                [in,out] [ref] [unique]  TYPE_13 *** element_209
         );     


1. Used 'cabextract' to extract files from the SP2 and SP3 installers. Ran 
unmidl.py on each file from SP2, normalized element and type names, then 
compared it with the output from each file in SP3. The SP2 file set was 
probably missing some files, so there will be gaps in this data. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
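The footnote describes the comparison step behind the list above: run unmidl.py on each DLL, normalize the element_N and TYPE_N names, then diff the SP2 and SP3 output. The script below is an added illustration of that step and is not part of the post or of unmidl.py. It parses unmidl-style operation declarations, renames element/type placeholders per operation by order of appearance so that renumbering alone does not show up as a change, reports added, removed and changed operations, and flags size_is() length parameters that carry no [range()] attribute, which is the kind of change the termsrv.dll entry describes. The two IDL strings are constructed to resemble the termsrv excerpt; their numbering and the extra operation are made up for the example.

```python
"""Normalize two unmidl-style IDL dumps and report operation-level differences.

Added example; not code from the post, from unmidl.py or from mIDA.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the SP2 termsrv excerpt in the post.
# Element numbers are arbitrary and deliberately differ from the SP3 sample,
# the way they do when the dumper renumbers after an insertion.
SP2_IDL = """
char  Function_24(
        [in] [context_handle]  void * element_228,
        [out]  long * element_229,
        [size_is(element_231)] [out]  char  element_230,
        [in]  long  element_231
 );
long  Function_25(
        [in]  TYPE_3 * element_240
 );
"""

# Constructed SP3-style sample: range() added to the length parameter and a
# new operation (Function_26 is hypothetical, not from the post).
SP3_IDL = """
char  Function_24(
        [in] [context_handle]  void * element_228,
        [out]  long * element_229,
        [size_is(element_232)] [out]  char  element_230,
        [in]  [range(0,32768)] long  element_232
 );
long  Function_25(
        [in]  TYPE_7 * element_250
 );
long  Function_26(
        [in] [context_handle]  void * element_260,
        [in,out]  TYPE_9 *** element_261
 );
"""

FUNC_RE = re.compile(r"(\w+)\s+(Function_[0-9a-fA-F]+)\s*\((.*?)\)\s*;", re.S)
ELEMENT_RE = re.compile(r"\belement_\d+\b")
TYPE_RE = re.compile(r"\bTYPE_\d+\b")
SIZE_IS_RE = re.compile(r"size_is\(\*?(\w+)\)")
RANGE_RE = re.compile(r"\brange\(")


def normalize_params(body: str) -> List[str]:
    """Rename element_N / TYPE_N per operation by order of first appearance.

    size_is(element_231) in SP2 and size_is(element_232) in SP3 both point at
    the same positional parameter, so after renaming only the real change,
    the added [range(0,32768)], survives the comparison.
    """
    elems: Dict[str, str] = {}
    types: Dict[str, str] = {}

    def renamer(table: Dict[str, str], prefix: str):
        # setdefault evaluates len(table) before insertion: arg0, arg1, ...
        return lambda m: table.setdefault(m.group(0), f"{prefix}{len(table)}")

    params = []
    for raw in body.splitlines():
        line = " ".join(raw.split()).rstrip(",")  # collapse whitespace, drop comma
        if not line:
            continue
        line = ELEMENT_RE.sub(renamer(elems, "arg"), line)
        line = TYPE_RE.sub(renamer(types, "T"), line)
        params.append(line)
    return params


def parse_ops(idl: str) -> Dict[str, dict]:
    """Map operation name -> {'ret': return type, 'params': normalized params}."""
    return {name: {"ret": ret, "params": normalize_params(body)}
            for ret, name, body in FUNC_RE.findall(idl)}


def diff_interfaces(old_idl: str, new_idl: str) -> Dict[str, list]:
    """Report operations added, removed, or changed between two dumps."""
    old, new = parse_ops(old_idl), parse_ops(new_idl)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": []}
    for name in sorted(set(old) & set(new)):
        if old[name] != new[name]:
            report["changed"].append((name, old[name]["params"], new[name]["params"]))
    return report


def unbounded_size_params(op: dict) -> List[str]:
    """Return size_is() length parameters that carry no [range()] attribute.

    A client-supplied length that sizes an output buffer with no range()
    is the situation the SP3 termsrv change tightened.
    """
    params = op["params"]
    lengths = set()
    for p in params:
        lengths.update(SIZE_IS_RE.findall(p))
    unbounded = []
    for length in lengths:
        decl = next((p for p in params if p.endswith(" " + length)), None)
        if decl is not None and not RANGE_RE.search(decl):
            unbounded.append(length)
    return sorted(unbounded)


if __name__ == "__main__":
    result = diff_interfaces(SP2_IDL, SP3_IDL)
    print("added:  ", result["added"])
    print("removed:", result["removed"])
    for name, before, after in result["changed"]:
        print(f"changed: {name}\n  SP2: {before}\n  SP3: {after}")
    for name, op in parse_ops(SP2_IDL).items():
        print(f"{name} unbounded size_is lengths:", unbounded_size_params(op))
```

Because the script only compares operation signatures, a change inside a structure definition (the p2psvc.dll case above) is invisible to it once TYPE_N names are normalized; struct bodies would have to be diffed separately, which is one reason the post calls its results likely incomplete.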
