[VulnWatch] BindView Advisory: Memory Leak and DoS in NT4 RPC server

From: advisory (advisory_at_bos.bindview.com)
Date: 10/13/04

    Date: Tue, 12 Oct 2004 23:59:53 -0400 (EDT)
    To: vulnwatch@vulnwatch.org
    
    

    BindView Security Advisory
    --------
                                                                                    
    Remote anonymous attackers can read large amounts of memory from and/or
    crash any NT4 RPC server
                                                                                    
    Issue Date: 12Oct2004
    Contact: loveless@bindview.com
    Author: Todd Sabin
                                                                                    
                                                                                    
    Topic:
    A flaw in rpc__mgmt_inq_stats allows attackers to retrieve memory from and
    crash NT4 RPC servers.
                                                                                    
                                                                                    
    Overview:
                                                                                    
    Due to a flaw in the implementation of a standard RPC interface,
    attackers can retrieve large amounts of memory from the address
    space of NT4 RPC servers. In addition to retrieving memory, it is
    possible to crash any NT4 RPC server by asking for an extremely
    large amount of memory: the RPC server will attempt to read from
    inaccessible parts of memory, causing an exception and the
    termination of the RPC server.
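    The failure mode described in the overview, modelled as an added
    example that is neither BindView's code nor Microsoft's RPC runtime: a
    constructed server-side handler that copies out as many bytes as the
    client asks for from a statistics table that is far smaller, beside a
    version that clamps the request to the table it actually has. The
    address space, the 16-byte table, the neighbouring heap bytes and all
    function names (read_process_memory, vulnerable_inq_stats,
    hardened_inq_stats, leaked_bytes) are hypothetical, as is the rule that
    a read crossing the end of the mapping raises instead of being
    undefined behaviour.

```python
# Added illustration of the bug class in the advisory: a handler that trusts a
# client-supplied count when copying from a fixed-size table. Everything here is
# constructed; none of it is the NT4 RPC runtime's code.

# Constructed model of the server process's address space. The statistics table
# occupies the first 16 bytes; the bytes after it stand in for unrelated heap
# data that a client must never see.
STATS = bytes(range(16))
NEIGHBOURING_HEAP = b"unrelated heap data that must stay private"
ADDRESS_SPACE = STATS + NEIGHBOURING_HEAP
MAPPED_SIZE = len(ADDRESS_SPACE)


class AccessViolation(Exception):
    """Raised when a read crosses the end of the mapped region (the process dies)."""


def read_process_memory(addr: int, count: int) -> bytes:
    """Model of a raw, unchecked read from the server's address space.

    Real code has no check here at all; the model raises once the read runs
    past the last mapped byte, which corresponds to the unhandled exception
    the advisory describes.
    """
    if addr < 0 or count < 0 or addr + count > MAPPED_SIZE:
        raise AccessViolation(f"read of {count} bytes at {addr} leaves the mapping")
    return ADDRESS_SPACE[addr:addr + count]


def vulnerable_inq_stats(requested_count: int) -> bytes:
    """Hypothetical handler that trusts the client's requested byte count.

    Asking for more than len(STATS) bytes returns neighbouring heap memory
    (information disclosure); asking for more than is mapped raises
    AccessViolation (denial of service).
    """
    return read_process_memory(0, requested_count)


def hardened_inq_stats(requested_count: int) -> bytes:
    """Same handler with the count validated against the table's real size.

    Non-positive requests are rejected; larger requests are clamped to the
    table length, so the copy can never leave STATS whatever the input.
    """
    if requested_count <= 0:
        raise ValueError("requested_count must be positive")
    count = min(requested_count, len(STATS))
    return read_process_memory(0, count)


def leaked_bytes(handler, requested_count: int) -> int:
    """Number of bytes a handler returns that lie outside the statistics table.

    Returns -1 if the handler crashed the (modelled) server.
    """
    try:
        data = handler(requested_count)
    except AccessViolation:
        return -1
    return max(0, len(data) - len(STATS))


if __name__ == "__main__":
    for n in (16, 40, 10_000):
        print(f"request {n:>6}: vulnerable leaks {leaked_bytes(vulnerable_inq_stats, n):>3} "
              f"bytes, hardened leaks {leaked_bytes(hardened_inq_stats, n):>3} bytes")
```

    The defensive point is that a size supplied by an anonymous caller must
    be checked against a size the server knows for itself before it drives
    a copy; clamping also bounds the work per request, which removes the
    crash as well as the disclosure.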
                                                                                    
                                                                                    
    Affected Systems:
    All NT4 systems running RPC servers
                                                                                    
                                                                                    
    Impact:
                                                                                    
    Anonymous attackers can crash any RPC server. This includes the SAM
    and LSA, the main RPC service, the Server service, etc. Many
    applications are also based on RPC or support it, including Exchange
    and SQL Server.
                                                                                    
    In addition to crashing servers, an attacker can read large amounts of
    memory from the address space of the servers. Depending on the
    server, this may result in the disclosure of sensitive information.
    For example, during testing against the LSA of an NT4 domain
    controller, the Administrator's password hash was retrieved.
                                                                                    
                                                                                    
    Details:
                                                                                    
    As per the guidelines set forth by the Organization for Internet
    Safety, BindView will not be releasing technical details about this flaw
    for 30 days. See http://www.oisafety.org/ for more details on these
    guidelines.

    Workarounds:
    None known
                                                                                    
                                                                                    
    Recommendations:
    Install the patch from Microsoft.
    http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx

    References:
                                                                                    
     CVE Name: CAN-2004-0569
                                                                                    
     The mgmt interface.
     http://www.opengroup.org/onlinepubs/9629399/apdxq.htm
                                                                                    

