Alerts | Zero-Day Tracker | EEYEZD-20051116

Common Name:
RPC Memory Exhaustion

Date Disclosed:
11/16/2005

Expected Patch Release:
Unknown - No Vendor Response

Vendor:
Microsoft

Application:
Windows 2000 SP4 (anonymous)
Other Operating Systems are being researched.

Description:
The three referenced exploits take advantage of an inherent problem in RPC, in which an attacker gets to supply the size of an output buffer, and RPC allocates the buffer and (more importantly) initializes it to zeroes, which causes the entire memory range to become committed. For huge output buffers, the target service (which is given all the virtual memory it wants, due to its privileges) will cause virtual memory exhaustion, in the worst cases resulting in page file thrashing, a "low virtual memory" message, and general system unresponsiveness.

For the UPNP service, the vulnerable function is PNP_GetDeviceList(), which is available over the RPC endpoint for the UPNP (8D9F4E40-A03D-11CE-8F69-08003E30051B) in opnum 0x0A. The MIDL for the vulnerable opnum is:
long PNP_GetDeviceList (
[in][unique][string] wchar_t * arg_1,
[out][size_is(*arg_3)][length_is(*arg_3)] wchar_t * arg_2, // vulnerable argument: output buffer sized by the caller-supplied *arg_3
[in, out] long * arg_3, // vulnerable argument: caller-supplied element count used to allocate arg_2
[in] long arg_4
);

Regarding the Print Spooler service, the vulnerable function is GetPrinterData(), which is available over the RPC endpoint for the SPOOLSS (12345678-1234-abcd-ef00-0123456789ab) in opnum 0x1A. The MIDL for the vulnerable opnum is:
long RpcGetPrinterData (
[in][context_handle] void * arg_1,
[in][string] wchar_t * arg_2,
[out] long * arg_3,
[out][size_is(arg_5)] char * arg_4, // vulnerable argument: output buffer sized by the caller-supplied arg_5
[in] long arg_5, // vulnerable argument: caller-supplied byte count used to allocate arg_4
[out] long * arg_6
);

NOTE: Because the vulnerability is inherent within RPC and not these specific services, it is likely that other services are also "vulnerable" to the same exploitation.

Severity:
Low

Code Execution:
No

Impact:
Denial of Service / Virtual Memory Exhaustion
This vulnerability does not allow for the execution of code, but can cause virtual memory exhaustion, in the worst cases resulting in page file thrashing, a "low virtual memory" message, and general system unresponsiveness. On Windows 2000 and Windows XP prior to Service Pack 2 (if found to be vulnerable), this is available to anonymous attackers. Within Windows XP Service Pack 2 and Windows Server 2003, this is only available to authenticated users.

Mitigation:
Disable the Print Spooler / Universal Plug and Play services on hosts that do not need the services running.

For hosts that do need the Print Spooler service running, disable anonymous connections to the service via the registry. Of course, users should always back up their registry prior to modification.
Edit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes and remove the 'SPOOLSS' entry from the NullSessionPipes value.
This will allow only authenticated access to the Print Spooler service, disabling the vector for anonymous attack.

Protection:

First Public PoC Code Disclosure - UPNP (Denial of Service)
Second Public PoC Code Disclosure - SPOOLSS (Denial of Service)
Third Public PoC Code Disclosure - Workstation Service (Denial of Service)
Status:
11/16/2005 - Proof of Concept Released
This exploit attacks the Universal Plug and Play service (UPNP) and causes a virtual memory exhaustion on the targeted host.

12/01/2006 - Second Proof of Concept Released
This exploit attacks the Print Spooler service (SPOOLSS), but is inherently attacking the same RPC memory vulnerability as the first proof of concept.

12/25/2006 - Third Proof of Concept Released
This exploit attacks the Workstation service, but is inherently attacking the same RPC memory vulnerability as the first and second proofs of concept.