Wednesday, 16 November 2005

RPC Memory Exhaustion

Vendor:: Microsoft
Application:: Windows
Disclosed:: 16-11-05
Description:: Three referenced exploits take advantage of an inherent problem in RPC: the caller supplies the size of an output buffer, and RPC allocates that buffer and (more importantly) zero-initializes it, which commits the entire memory range. For huge output buffers, the target service (which, given its privileges, is granted all the virtual memory it asks for) exhausts virtual memory, in the worst cases causing page file thrashing, a "low virtual memory" message, and general system unresponsiveness.

For the UPNP service, the vulnerable function is PNP_GetDeviceList(), which is available over the RPC endpoint for the UPNP (8D9F4E40-A03D-11CE-8F69-08003E30051B) in opnum 0x0A. The MIDL for the vulnerable opnum is:
long PNP_GetDeviceList (
    [in][unique][string] wchar_t * arg_1,
    [out][size_is(*arg_3)][length_is(*arg_3)] wchar_t * arg_2, // vulnerable argument: output buffer sized by the caller-supplied *arg_3
    [in, out] long * arg_3,                                     // vulnerable argument: caller-controlled buffer length
    [in] long arg_4
);
Regarding the Print Spooler service, the vulnerable function is GetPrinterData(), which is available over the RPC endpoint for the SPOOLSS (12345678-1234-abcd-ef00-0123456789ab) in opnum 0x1A. The MIDL for the vulnerable opnum is:
long RpcGetPrinterData (
    [in][context_handle] void * arg_1,
    [in][string] wchar_t * arg_2,
    [out] long * arg_3,
    [out][size_is(arg_5)] char * arg_4, // vulnerable argument: output buffer sized by the caller-supplied arg_5
    [in] long arg_5,                    // vulnerable argument: caller-controlled buffer length
    [out] long * arg_6
);

Exploit:: Denial of Service / Virtual Memory Exhaustion
C:\>python spoolss_dos.py 192.168.0.2 512

[*] MS Windows GetPrinterData() 0day Memory Allocation Remote DoS Exploit
[*] Coded by h07
[*] Connecting to 192.168.0.2:445
[+] Connected
[+] The NETBIOS connection with the remote host timed out.
[+] 192.168.0.2: Out of memory
[+] Done
Exploit --> GetPrinterData(handle, value, 1024 * 1024 * 512) --> MS_Windows Spooler service (spoolsv.exe) memory usage: 512 MB

This vulnerability does not allow for the execution of code, but it can cause virtual memory exhaustion, in the worst cases resulting in page file thrashing, a "low virtual memory" message, and general system unresponsiveness. On Windows 2000 and Windows XP prior to Service Pack 2 (if found to be vulnerable), this is available to anonymous attackers. On Windows XP Service Pack 2 and Windows Server 2003, it is available only to authenticated users.
Prevention:: Disable the Print Spooler / Universal Plug and Play services on hosts that do not need the services running.
Or disable anonymous connections to the service via the registry: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes, remove 'SPOOLSS' from the value.
This allows only authenticated access to the Print Spooler service, closing the vector for anonymous attack.
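The two prevention steps above, applied from an elevated PowerShell session, as an added example that is not part of the original advisory. The service names 'Spooler' (Print Spooler) and 'upnphost' (Universal Plug and Play Device Host) are assumptions; the registry path and the 'SPOOLSS' entry are the ones the advisory names.

```powershell
# Added example, not from the original post: removes SPOOLSS from NullSessionPipes
# and disables the Print Spooler / UPnP services on hosts that do not need them.
# Assumed service names: 'Spooler' and 'upnphost'. Run as an administrator.
$ErrorActionPreference = 'Stop'

$pipesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Close the anonymous vector: the spooler pipe must no longer be reachable via null sessions.
$pipes = (Get-ItemProperty -Path $pipesKey -Name NullSessionPipes).NullSessionPipes
if ($pipes -contains 'SPOOLSS') {
    # NullSessionPipes is REG_MULTI_SZ; write back the filtered string array with the same type.
    [string[]]$filtered = @($pipes | Where-Object { $_ -ne 'SPOOLSS' })
    Set-ItemProperty -Path $pipesKey -Name NullSessionPipes -Value $filtered -Type MultiString
    Write-Output 'Removed SPOOLSS from NullSessionPipes; spooler now requires authentication.'
} else {
    Write-Output 'SPOOLSS not present in NullSessionPipes; nothing to change.'
}

# 2. Remove the attack surface entirely where the services are not needed.
foreach ($svc in 'Spooler', 'upnphost') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Output "$svc is not installed; skipping."; continue }
    if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force }
    Set-Service -Name $svc -StartupType Disabled
    Write-Output "$svc stopped and set to Disabled."
}

# 3. Verify the resulting state.
(Get-ItemProperty -Path $pipesKey -Name NullSessionPipes).NullSessionPipes
Get-Service -Name 'Spooler', 'upnphost' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Disabling the spooler also removes printing from that host, so the service step belongs on servers and workstations that do not print; the NullSessionPipes change alone is the mitigation for hosts that must keep the spooler running.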
Links::
First Public PoC Code Disclosure - UPNP (Denial of Service)
Second Public PoC Code Disclosure - SPOOLSS (Denial of Service)
Third Public PoC Code Disclosure - Workstation Service (Denial of Service)
