Microsoft Windows RPC Memory Leak Lets Remote Users Deny Service
SecurityTracker Alert ID: 1009758
SecurityTracker URL: http://securitytracker.com/id/1009758
Date: Apr 13 2004
Impact: Denial of service via network
Fix Available: Yes  Vendor Confirmed: Yes
Description: A memory leak vulnerability was reported in Microsoft Windows in the processing of DCOM RPC requests. A remote user can cause denial of service conditions on the target system.
eEye Digital Security reported that a remote user can supply a specially crafted size parameter to cause the target service to consume all available memory and become unavailable.
The flaw reportedly resides within 'rpcss.dll' and is due to the lack of validation of a user-supplied DWORD length field. A remote user can reportedly select a size value that is larger than the available memory pool to trigger an exception. As a result, allocated memory will not be freed.
The vulnerability is separate from the vulnerabilities described in Microsoft Security Bulletins MS03-026 and MS03-039.
The vendor was reportedly notified on September 10, 2003.
Impact: A remote user can consume all available memory on the target system.
Solution: The vendor has released a fix as part of the MS04-012 cumulative patch.
The following updates are available:
Microsoft Windows NT Workstation 4.0 Service Pack 6a:
Microsoft Windows NT Server 4.0 Service Pack 6a:
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6:
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4:
Microsoft Windows XP and Microsoft Windows XP Service Pack 1:
Microsoft Windows XP 64-Bit Edition Service Pack 1:
Microsoft Windows XP 64-Bit Edition Version 2003:
Microsoft Windows Server 2003:
Microsoft Windows Server 2003 64-Bit Edition:
For Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (ME), the vendor indicates that you should read the FAQ section of this bulletin for details about these operating systems.
Vendor URL: www.microsoft.com/technet/security/bulletin/ms04-012.mspx
Cause: Input validation error, Resource error
Source Message Contents
Microsoft DCOM RPC Memory Leak
Release Date: April 13, 2004
Date Reported: September 10, 2003
Severity: High (Remote Code Execution)
Systems Affected:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
eEye Digital Security has discovered a critical remote vulnerability in the way Microsoft
Windows handles DCOM RPC requests. This vulnerability is a separate issue from
vulnerabilities described in Microsoft Security Bulletins MS03-026 and MS03-039.
The RPC (Remote Procedure Call) protocol provides an inter-process communication mechanism
allowing a program running on one computer to execute code on a remote system. Distributed
COM (DCOM) extends the usability of COM to support COM communication across a network with
other computers. The DCOM RPC interface in charge of processing incoming RPC based DCOM
activation requests has been prone to failure in the past. An issue in the DCOM interface
dealing with direct memory allocation from a user supplied size can be exploited remotely
to exhaust all available memory on a targeted machine, rendering it inoperable.
After the DCOM activation request is unmarshalled it is passed off to the Activation class
of functions within the rpcss.dll. A routine dealing with the class allocates a size
specified in a length field within the request packet. This DWORD length field is not
validated before allocation so any size can be chosen by the client issuing the activation
request. Normally this buffer is released after the activation request is completed. If we
choose an abnormally large size, one that is larger than the memory pool of the source
buffer, we can cause an exception when the page boundary is hit. Like most exception
handlers, no cleanup is performed due to the unpredictable nature of the exception.
An attacker can exhaust all available memory on the remote machine within seconds,
rendering it extremely unstable, if not totally inoperable.
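The defect described above is a general one: a length field read from the wire is handed to the allocator before anyone checks it, and the error path that fires when the oversized allocation faults never releases what was allocated. The following C program is an added illustration written for this page; it is not code from rpcss.dll or from eEye, and the packet layout, the MAX_ACTIVATION_PAYLOAD cap and the handler name are assumptions chosen for the example. It shows the hardened shape of such a handler: the DWORD length is checked against a policy maximum and against the bytes actually received before any allocation happens, and the buffer is released on every exit path, which an allocation counter makes verifiable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical policy cap on a single activation payload; the real service
 * would pick a bound appropriate to the largest legitimate request. */
#define MAX_ACTIVATION_PAYLOAD (64u * 1024u)

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_SHORT_HEADER,     /* fewer than 4 bytes: no length field present */
    PARSE_ERR_LEN_EXCEEDS_CAP,  /* claimed length above the policy maximum */
    PARSE_ERR_LEN_TRUNCATED,    /* claimed length longer than the bytes received */
    PARSE_ERR_ALLOC,            /* allocator refused the (already bounded) request */
    PARSE_ERR_PROCESSING        /* processing failed; buffer is still freed */
};

/* Allocation accounting so a caller can prove that no path leaks. */
static long g_live_allocs = 0;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (p) g_live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) { free(p); g_live_allocs--; }
}

long live_allocations(void) { return g_live_allocs; }

/* Little-endian DWORD, as a Windows-style length field would be encoded. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in for the work done on the copied payload; force_failure simulates
 * the exception the advisory describes firing mid-processing. */
static int process_payload(const uint8_t *payload, uint32_t len, int force_failure)
{
    (void)payload;
    if (force_failure) return -1;
    return len > 0 ? 0 : -1;   /* toy rule: an empty payload is invalid */
}

/* Hardened handler: validate the length field before allocating, and free
 * through a single exit so the buffer is released whether or not processing
 * succeeds. */
enum parse_status handle_activation_request(const uint8_t *pkt, size_t pkt_len,
                                            int force_failure, uint32_t *out_len)
{
    if (pkt_len < 4) return PARSE_ERR_SHORT_HEADER;

    uint32_t claimed = read_le32(pkt);
    if (claimed > MAX_ACTIVATION_PAYLOAD) return PARSE_ERR_LEN_EXCEEDS_CAP;
    if (claimed > pkt_len - 4) return PARSE_ERR_LEN_TRUNCATED;

    uint8_t *buf = tracked_alloc(claimed ? claimed : 1);
    if (!buf) return PARSE_ERR_ALLOC;
    memcpy(buf, pkt + 4, claimed);   /* safe: claimed <= bytes actually present */

    enum parse_status st = PARSE_OK;
    if (process_payload(buf, claimed, force_failure) != 0)
        st = PARSE_ERR_PROCESSING;
    else if (out_len)
        *out_len = claimed;

    tracked_free(buf);   /* released on success and on failure alike */
    return st;
}

/* Constructed sample packets (not captured traffic): 4-byte LE length + payload. */
static const uint8_t good_pkt[]      = { 0x05, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t truncated_pkt[] = { 0x10, 0, 0, 0, 'a', 'b' };          /* claims 16, carries 2 */
static const uint8_t huge_pkt[]      = { 0xff, 0xff, 0xff, 0x7f, 'x' };      /* claims ~2 GB */

int main(void)
{
    uint32_t n = 0;
    printf("good:      %d (payload %u bytes)\n",
           handle_activation_request(good_pkt, sizeof good_pkt, 0, &n), n);
    printf("truncated: %d\n", handle_activation_request(truncated_pkt, sizeof truncated_pkt, 0, NULL));
    printf("huge:      %d\n", handle_activation_request(huge_pkt, sizeof huge_pkt, 0, NULL));
    printf("failing:   %d\n", handle_activation_request(good_pkt, sizeof good_pkt, 1, NULL));
    printf("live allocations after all requests: %ld\n", live_allocations());
    return 0;
}
```

The two checks are deliberately separate: the cap rejects a length that is implausible on its own, and the truncation check rejects a length the packet cannot back, so the copy can never read past the received bytes. Running the four requests and then reading live_allocations() back as zero is the property the unpatched code lacked.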
Retina Network Security Scanner has been updated to identify this vulnerability.
Microsoft has released a patch for this vulnerability. The patch is available at:
Discovery: Riley Hassell
Additional Research: Riley Hassell and Barnaby Jack
Retina Network Security Scanner - Free 15 Day Trial
Greetings: Gellanie and the Worlds Anthem, Marc Tobias, Jack Kozoil and authors from Shellcoders
Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is
not to be edited in any way without express consent of eEye. If you wish to reprint the
whole or any part of this alert in any other medium excluding electronic medium, please
email alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information
constitutes acceptance for use in an AS IS condition. There are no warranties, implied or
express, with regard to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security