Category:   OS (Microsoft)  >   Rpc Vendors:   Microsoft
Microsoft Windows RPC Memory Leak Lets Remote Users Deny Service
SecurityTracker Alert ID:  1009758
SecurityTracker URL:
CVE Reference:   CVE-2004-0116   (Links to External Site)
Date:  Apr 13 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A memory leak vulnerability was reported in Microsoft Windows in the processing of DCOM RPC requests. A remote user can cause denial of service conditions on the target system.

eEye Digital Security reported that a remote user can supply a specially crafted size parameter to cause the target service to consume all available memory and become unavailable.

The flaw reportedly resides within 'rpcss.dll' and is due to the lack of validation of a user-supplied DWORD length field. A remote user can reportedly select a size value that is larger than the available memory pool to trigger an exception. As a result, allocated memory will not be freed.

The vulnerability is separate from the vulnerabilities described in Microsoft Security Bulletins MS03-026 and MS03-039.

The vendor was reportedly notified on September 10, 2003.

Impact:   A remote user can consume all available memory on the target system.
Solution:   The vendor has released a fix as part of the MS04-012 cumulative patch.

The following updates are available:

Microsoft Windows NT Workstation 4.0 Service Pack 6a:

Microsoft Windows NT Server 4.0 Service Pack 6a:

Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6:

Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4:

Microsoft Windows XP and Microsoft Windows XP Service Pack 1:

Microsoft Windows XP 64-Bit Edition Service Pack 1:

Microsoft Windows XP 64-Bit Edition Version 2003:

Microsoft Windows Server 2003:

Microsoft Windows Server 2003 64-Bit Edition:

For Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE) and Microsoft Windows Millennium Edition (ME), the vendor indicates that you should read the FAQ section of this bulletin for details about these operating systems.

Vendor URL: (Links to External Site)
Cause:   Input validation error, Resource error

Message History:   None.

 Source Message Contents


Microsoft DCOM RPC Memory Leak

Release Date:
April 13, 2004

Date Reported:
September 10, 2003

High (Remote Code Execution)


Systems Affected:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

eEye Digital Security has discovered a critical remote vulnerability in the way Microsoft 
Windows handles DCOM RPC requests. This vulnerability is a separate issue from 
vulnerabilities described in Microsoft Security Bulletins MS03-026 and MS03-039.

The RPC (Remote Procedure Call) protocol provides an inter-process communication mechanism 
allowing a program running on one computer to execute code on a remote system. Distributed 
COM (DCOM) extends the usability of COM to support COM communication across a network with 
other computers. The DCOM RPC interface in charge of processing incoming RPC based DCOM 
activation requests has been prone to failure in the past. An issue in the DCOM interface 
dealing with direct memory allocation from a user supplied size can be exploited remotely 
to exhaust all available memory on a targeted machine, rendering it inoperable.

Technical Description:
After the DCOM activation request is unmarshalled it is passed off to the Activation class 
of functions within the rpcss.dll. A routine dealing with the class allocates a size 
specified in a length field within the request packet. This DWORD length field is not 
validated before allocation, so any size can be chosen by the client issuing the activation 
request. Normally this buffer is released after the activation request has completed. If we 
choose an abnormally large size, one that is larger than the memory pool of the source 
buffer, we can cause an exception when the page boundary is hit. Like most exception 
handlers, no cleanup is performed due to the unpredictable nature of the exception.

An attacker can exhaust all available memory on the remote machine within seconds, 
rendering it extremely unstable, if not totally inoperable.
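The allocation pattern the advisory describes, as an added illustration that is not eEye's or Microsoft's code: the request layout, the size ceiling and the handler names are assumptions, and the page fault is modelled as an early return so the block runs without crashing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified request layout (an assumption, not the real DCOM activation
 * marshalling): a little-endian DWORD length followed by that many bytes. */
typedef struct { const uint8_t *data; size_t size; } request_t;
/* Heap accounting so the leak is observable without a debugger. */
static int live_blocks = 0; static size_t live_bytes = 0;
static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) { live_blocks++; live_bytes += n; } return p; }
static void tracked_free(void *p, size_t n) { if (p) { live_blocks--; live_bytes -= n; free(p); } }
int live_block_count(void) { return live_blocks; }
size_t live_byte_count(void) { return live_bytes; }
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern as the advisory describes it: the DWORD is trusted and the
 * buffer allocated before any check. The page fault the oversized copy would
 * raise is modelled as an early return that, like the handler, frees nothing. */
int handle_unchecked(const request_t *req) {
    uint32_t len = read_le32(req->data);
    uint8_t *buf = tracked_alloc(len);
    if (!buf) return -1;
    if ((size_t)len > req->size - 4) return -2;   /* simulated fault: buf leaks */
    memcpy(buf, req->data + 4, len);
    tracked_free(buf, len);                       /* normal completion path */
    return 0;
}

/* Hardened form: check the length against the bytes actually received and a
 * protocol-appropriate ceiling before allocating; every exit releases buf. */
#define MAX_ACTIVATION_BYTES (64u * 1024u)        /* assumed ceiling for the example */
int handle_checked(const request_t *req) {
    if (req->size < 4) return -2;
    uint32_t len = read_le32(req->data);
    if (len > MAX_ACTIVATION_BYTES || (size_t)len > req->size - 4) return -2;
    uint8_t *buf = tracked_alloc(len);
    if (!buf) return -1;
    memcpy(buf, req->data + 4, len);
    tracked_free(buf, len);
    return 0;
}

/* Constructed packets: a sane one, and one whose DWORD (1 MiB) exceeds the
 * three payload bytes actually sent; a real client could claim up to 4 GiB. */
static const uint8_t sane_bytes[] = { 0x03,0,0,0, 'a','b','c' };
static const uint8_t oversized_bytes[] = { 0,0,0x10,0, 'a','b','c' };
const request_t SANE_REQ = { sane_bytes, sizeof sane_bytes };
const request_t OVERSIZED_REQ = { oversized_bytes, sizeof oversized_bytes };
```

Each oversized request through the unchecked handler leaves another 1 MiB block live, which is the per-request accumulation the advisory describes; the checked handler rejects it before any allocation.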

Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:

Discovery: Riley Hassell
Additional Research: Riley Hassell and Barnaby Jack

Related Links:
Retina Network Security Scanner - Free 15 Day Trial

Gellanie and the Worlds Anthem, Marc Tobias, Jack Kozoil and authors from Shellcoders 

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is 
not to be edited in any way without express consent of eEye. If you wish to reprint the 
whole or any part of this alert in any other medium excluding electronic medium, please 
email for permission.

The information within this paper may change without notice. Use of this information 
constitutes acceptance for use in an AS IS condition. There are no warranties, implied or 
express, with regard to this information. In no event shall the author be liable for any 
direct or indirect damages whatsoever arising out of or in connection with the use or 
spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security

