[Full-disclosure] TPTI-08-07: Microsoft Windows Message Queuing Service Heap Overflow and Memory Disclosure Vulnerability



TPTI-08-07: Microsoft Windows Message Queuing Service Heap Overflow and
Memory Disclosure Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-08-07
October 14, 2008

-- CVE ID:
CVE-2008-3479

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft OS

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6482.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows running the Message
Queuing service (mqsvc.exe). User interaction is not required to
exploit this vulnerability.

The specific flaw exists in the parsing of an RPC request to the Message
Queing Service (mqsvc.exe). By sending a specially crafted RPC request
a heap calculation can be controlled and later overflowed during an
unchecked string copy operation. By sending a similar request memory
can be disclosed to the attacker. Exploitation of the heap overflow
leads to full access of the affected system under the SYSTEM context.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS08-065.mspx

-- Disclosure Timeline:
2007-11-14 - Vulnerability reported to vendor
2008-10-14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Cody Pierce, TippingPoint DVLabs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: Using 0days as part of pen-test?
    ... the client the option to determine how the vendor gets notified. ... vulnerability information you discover during ... The legal issue isn't the disclosure process, you can act as "legal entity" ... security threats until the vendor release a patch. ...
    (Pen-Test)
  • [Full-disclosure] CORELAN-10-035 NolaPro Enterprise multiple vulnerabilities
    ... Vendor: Noguska LLC ... SQL Injection, Cross-Site Scripting, Information Disclosure ... Vulnerability discovered by: ekse ...
    (Full-Disclosure)
  • Re: Call to arms - INFORMATION ANARCHY
    ... Its one thing to prove to a Vendor they have a problem in their code. ... and its not resolved by keeping "Full Disclosure" alive. ... the Vendor for a vulnerability without accepting responsibility for your ... feed the feature versus security mentality of many Vendors. ...
    (NT-Bugtraq)
  • Re: Call to arms - INFORMATION ANARCHY
    ... Its one thing to prove to a Vendor they have a problem in their code. ... and its not resolved by keeping "Full Disclosure" alive. ... > the Vendor for a vulnerability without accepting responsibility for your ... > feed the feature versus security mentality of many Vendors. ...
    (NT-Bugtraq)
  • [Full-disclosure] Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum
    ... opening XSS vulnerabilities in software that allows uploads. ... IN a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to ... Vendor Reaction ... leading to a cross-site-scripting vulnerability. ...
    (Full-Disclosure)