[VulnWatch] [AppSecInc Team SHATTER Security Advisory] Microsoft Windows LPC heap overflow

From: Team SHATTER (Application Security, Inc.) (vrathod_at_appsecinc.com)
Date: 01/10/05

    Date: Mon, 10 Jan 2005 17:12:24 -0500
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org, ntbugtraq@listserv.ntbugtraq.com

    Microsoft Windows LPC heap overflow

    AppSecInc Team SHATTER Security Advisory
    January 10, 2005

    Credit: This vulnerability was discovered and researched by Cesar
    Cerrudo of Application Security, Inc.

    Risk Level: High

    A local privilege elevation vulnerability exists on the Windows
    operating systems. This vulnerability allows any user to take complete
    control over the system and affects Windows NT, Windows 2000, Windows
    XP, and Windows 2003 (all service packs).

    Versions Affected:
    Microsoft Windows NT, Windows 2000, Windows XP, and Windows 2003 (all
    service packs).

    The LPC (Local Procedure Call) mechanism is a type of interprocess
    communication used by the Windows operating systems. LPC is used to
    communicate between processes running on the same system while RPC
    (Remote Procedure Call) is used to communicate between processes on
    remote systems.

    When a client process communicates with a server using LPC, the kernel
    fails to check that the server process has allocated enough memory
    before copying data sent by the client process. The native API used to
    connect to the LPC port is NtConnectPort. A parameter of the
    NtConnectPort API allows a buffer of up to 260 bytes. When using this
    function the buffer is copied by the kernel from the client process to
    the server process memory, ignoring the buffer size restriction that the
    server process set when calling NtCreatePort (the native API used to
    create LPC ports). This causes heap corruption in the server process,
    allowing arbitrary memory to be overwritten, and can lead to arbitrary
    code execution.
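    As an added example that is not part of this advisory or of Windows itself, the following portable C model shows the missing check: a server that declares a small connection-information limit and sizes its heap buffer to it, the unpatched copy that is bounded only by the client-side cap, and a corrected copy that rejects anything over the declared limit. All type and function names (model_port, model_connect_info_copy and friends) are hypothetical stand-ins; only the 260-byte figure comes from the advisory.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the LPC connect path this advisory describes. Names are hypothetical
 * stand-ins, not the Windows native API (NtCreatePort, NtConnectPort, PORT_MESSAGE). */
#define LPC_CONNECT_INFO_MAX 260   /* client-side cap on connection info, per the advisory */

typedef struct {
    size_t max_connect_info;   /* limit the server declared when it created the port */
    unsigned char *recv_buf;   /* server heap buffer sized only to that limit */
} model_port;

/* Server side: declare a limit and allocate exactly that much (+1 so a zero limit still
 * allocates), as a server trusting its own NtCreatePort parameter would. */
model_port *model_port_create(size_t max_connect_info) {
    model_port *p = calloc(1, sizeof *p);
    if (p == NULL) return NULL;
    p->max_connect_info = max_connect_info;
    p->recv_buf = calloc(max_connect_info + 1, 1);
    if (p->recv_buf == NULL) { free(p); return NULL; }
    return p;
}

/* Unpatched behaviour, evaluated without writing memory: the copy length is bounded only
 * by the client cap. Nonzero when that copy would overrun the server's buffer. */
int model_unpatched_would_overflow(const model_port *p, size_t client_len) {
    size_t copied = client_len > LPC_CONNECT_INFO_MAX ? LPC_CONNECT_INFO_MAX : client_len;
    return copied > p->max_connect_info;
}

/* Corrected copy: honour both the client cap and the server's declared limit before
 * writing. Returns bytes copied, or -1 when the request is rejected. */
int model_connect_info_copy(model_port *p, const unsigned char *info, size_t client_len) {
    if (client_len > LPC_CONNECT_INFO_MAX) return -1;  /* beyond NtConnectPort's own cap */
    if (client_len > p->max_connect_info) return -1;   /* the check the advisory says is missing */
    memcpy(p->recv_buf, info, client_len);
    return (int)client_len;
}

/* One zero-filled request against a fresh port. Bit 0: corrected copy accepted it;
 * bit 1: the unpatched copy would have overflowed. -1 on allocation failure. */
int model_scenario(size_t server_limit, size_t client_len) {
    model_port *p = model_port_create(server_limit);
    unsigned char *info = calloc(client_len + 1, 1);   /* constructed client data */
    int result = -1;
    if (p != NULL && info != NULL)
        result = (model_connect_info_copy(p, info, client_len) >= 0 ? 1 : 0)
               | (model_unpatched_would_overflow(p, client_len) ? 2 : 0);
    free(info);
    if (p != NULL) { free(p->recv_buf); free(p); }
    return result;
}
```

    A server that declares a 16-byte limit and receives the full 260 bytes is the case the advisory describes: the unpatched copy overruns the buffer while the corrected copy rejects the request.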
    Application Security, Inc.
    AppSecInc is the leading provider of database security solutions for
    the enterprise. AppSecInc products proactively secure enterprise
    applications at more than 200 organizations around the world by
    discovering, assessing, and protecting the database against rapidly
    changing security threats. By securing data at its source, we enable
    organizations to more confidently extend their business with
    customers, partners and suppliers. Our security experts, combined
    with our strong support team, deliver up-to-date application
    safeguards that minimize risk and eliminate its impact on business.
