eEye Digital Security

RPC Memory Exhaustion

Date Disclosed:
11/16/2005

Date Patched:
Patch Not Yet Available

Vendor:
Microsoft

Affected Software:
Windows 2000 SP4 (anonymous)
Other Operating Systems are being researched.

Description:
The three referenced exploits take advantage of an inherent problem in RPC, in which an attacker gets to supply the size of an output buffer, and RPC allocates the buffer and (more importantly) initializes it to zeroes, which causes the entire memory range to become committed. For huge output buffers, the target service (which is given all the virtual memory it wants, due to its privileges) will cause virtual memory exhaustion, in the worst cases resulting in page file thrashing, a "low virtual memory" message, and general system unresponsiveness.

For the UPNP service, the vulnerable function is PNP_GetDeviceList(), which is available over the RPC endpoint for the UPNP (8D9F4E40-A03D-11CE-8F69-08003E30051B) in opnum 0x0A. The MIDL for the vulnerable opnum is:
    long PNP_GetDeviceList (
        [in][unique][string] wchar_t * arg_1,
        [out][size_is(*arg_3)][length_is(*arg_3)] wchar_t * arg_2, // vulnerable argument: output buffer sized by the caller
        [in, out] long * arg_3,                                    // vulnerable argument: caller-supplied buffer length
        [in] long arg_4
    );

Regarding the Print Spooler service, the vulnerable function is GetPrinterData(), which is available over the RPC endpoint for the SPOOLSS (12345678-1234-abcd-ef00-0123456789ab) in opnum 0x1A. The MIDL for the vulnerable opnum is:
    long RpcGetPrinterData (
        [in][context_handle] void * arg_1,
        [in][string] wchar_t * arg_2,
        [out] long * arg_3,
        [out][size_is(arg_5)] char * arg_4, // vulnerable argument: output buffer sized by the caller
        [in] long arg_5,                    // vulnerable argument: caller-supplied buffer size
        [out] long * arg_6
    );

NOTE: Because the vulnerability is inherent within RPC and not these specific services, it is likely that other services are also "vulnerable" to the same exploitation.

Severity:
Low

Code Execution:
No

Impact:
Denial of Service / Virtual Memory Exhaustion
This vulnerability does not allow for the execution of code, but can cause virtual memory exhaustion, in the worst cases resulting in page file thrashing, a "low virtual memory" message, and general system unresponsiveness. On Windows 2000 and Windows XP prior to Service Pack 2 (if found to be vulnerable), this is available to anonymous attackers. Within Windows XP Service Pack 2 and Windows Server 2003, this is only available to authenticated users.

Mitigation:
Disable the Print Spooler / Universal Plug and Play services on hosts that do not need the services running.

For hosts that do need the Print Spooler service running, disable anonymous connections to the service via the registry. Of course, users should always back up their registry prior to modification.
Edit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes and remove the 'SPOOLSS' entry from that value's list of pipe names.
This will allow only authenticated access to the Print Spooler service, disabling the vector for anonymous attack.
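The two mitigations above (disable the services where they are not needed; otherwise drop SPOOLSS from NullSessionPipes) as a PowerShell script. This is an added example, not code from eEye or from the advisory: it assumes the modern service names 'Spooler' and 'upnphost', which the advisory does not name, and it uses reg.exe to back up the key before the value is rewritten. Both change-making functions support -WhatIf so the script can be dry-run first.

```powershell
# Added example, not part of the eEye advisory. Audits the Print Spooler and UPnP
# services and removes the SPOOLSS entry from NullSessionPipes after exporting a
# backup of the key. Assumed service names: 'Spooler' and 'upnphost'. Run elevated.

$keyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$regExePath = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName  = 'NullSessionPipes'

function Get-NullSessionPipes {
    # Returns the current REG_MULTI_SZ entries as a string array (empty if absent).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$valueName)
}

function Backup-LanmanParameters {
    param([string]$BackupFile = (Join-Path $env:TEMP 'LanmanServer-Parameters.reg'))
    # reg.exe export produces a .reg file that 'reg.exe import' can restore.
    & reg.exe export $regExePath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit code $LASTEXITCODE)" }
    return $BackupFile
}

function Remove-NullSessionPipe {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Pipe = 'SPOOLSS')
    $current = Get-NullSessionPipes
    if ($current -notcontains $Pipe) {
        Write-Host "'$Pipe' is not listed in $valueName; nothing to change."
        return $current
    }
    $updated = @($current | Where-Object { $_ -ne $Pipe })
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "remove '$Pipe'")) {
        $backup = Backup-LanmanParameters
        Write-Host "Backup written to $backup"
        # Write the remaining names back as a REG_MULTI_SZ; an empty list is valid.
        Set-ItemProperty -Path $keyPath -Name $valueName -Value ([string[]]$updated) -Type MultiString
    }
    return $updated
}

function Get-ExposedServiceStatus {
    # Reports whether each service is installed, its state, and how it starts.
    foreach ($name in 'Spooler', 'upnphost') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = 'not installed'
        $start  = 'n/a'
        if ($null -ne $svc) {
            $status = $svc.Status
            $start  = $svc.StartType
        }
        [pscustomobject]@{ Service = $name; Status = $status; StartType = $start }
    }
}

function Disable-ExposedService {
    # Stops the service and prevents it from starting again (for hosts that do not need it).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Host "$Name is not installed."; return }
    if ($PSCmdlet.ShouldProcess($Name, 'stop and set start type to Disabled')) {
        Stop-Service -Name $Name -Force
        Set-Service -Name $Name -StartupType Disabled
    }
}

Get-ExposedServiceStatus | Format-Table -AutoSize
"Current ${valueName}: $((Get-NullSessionPipes) -join ', ')"
# Dry runs first; drop -WhatIf to apply the changes.
Disable-ExposedService -Name 'upnphost' -WhatIf
Remove-NullSessionPipe -WhatIf
```

The NullSessionPipes value is read by the Server (LanmanServer) service, so expect to restart that service or reboot before the change applies to new connections. As the advisory notes, removing SPOOLSS closes only the anonymous vector; authenticated users can still reach the Print Spooler endpoint.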

Protection:
eEye's Retina® Network Security Scanner scans devices to detect for this vulnerability.

Links:
First Public PoC Code Disclosure - UPNP (Denial of Service)
Second Public PoC Code Disclosure - SPOOLSS (Denial of Service)
Third Public PoC Code Disclosure - Workstation Service (Denial of Service)

Status:
11/16/2005 - Proof of Concept Released
This exploit attacks the Universal Plug and Play service (UPNP) and causes a virtual memory exhaustion on the targeted host.

12/01/2006 - Second Proof of Concept Released
This exploit attacks the Print Spooler service (SPOOLSS), but is inherently attacking the same RPC memory vulnerability as the first proof of concept.

12/25/2006 - Third Proof of Concept Released
This exploit attacks the Workstation service, but is inherently attacking the same RPC memory vulnerability as the first and second proofs of concept.

Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
