Microsoft Windows LPC heap overflow
AppSecInc Team SHATTER Security Advisory
http://www.appsecinc.com/resources/alerts/general/07-0001.html
January 10, 2005
Credit: This vulnerability was discovered and researched by Cesar
Cerrudo of Application Security, Inc.
Risk Level: High
Summary:
A local privilege elevation vulnerability exists on the Windows
operating systems. This vulnerability allows any user to take complete
control over the system and affects Windows NT, Windows 2000, Windows
XP, and Windows 2003 (all service packs).
Versions Affected:
Microsoft Windows NT, Windows 2000, Windows XP, and Windows 2003 (all
service packs).
Details:
The LPC (Local Procedure Call) mechanism is a type of interprocess
communication used by the Windows operating systems. LPC is used to
communicate between processes running on the same system while RPC
(Remote Procedure Call) is used to communicate between processes on
remote systems.
When a client process communicates with a server using LPC, the kernel
fails to check that the server process has allocated enough memory
before copying data sent by the client process. The native API used to
connect to the LPC port is NtConnectPort. A parameter of the
NtConnectPort API allows a buffer of up to 260 bytes. When using this
function the buffer is copied by the kernel from the client process to
the server process memory ignoring the buffer size restriction which the
server process set when calling NtCreatePort (the native API used to
create LPC ports). This causes a heap corruption in the server process
allowing arbitrary memory to be overwritten and can lead to arbitrary
code execution.
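The defect above, modelled in C as an added example that is not from the advisory and not Windows or LPC source code: a simplified connect handler in which the server's declared limit is enforced before the copy. All names (lpc_port, lpc_connect, MAX_CONNECT_INFO, lpc_check_scenario) and the allocation behaviour are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not Windows code. Upper bound on the client's
 * NtConnectPort buffer, as stated in the advisory. */
#define MAX_CONNECT_INFO 260

enum lpc_status { LPC_OK, LPC_INVALID_PARAM, LPC_EXCEEDS_API_LIMIT,
                  LPC_EXCEEDS_SERVER_LIMIT, LPC_NO_MEMORY };

struct lpc_port {
    size_t   max_connection_info; /* limit the server declared at port creation */
    uint8_t *connection_info;     /* server heap buffer sized to that limit */
    size_t   received;            /* bytes stored by the last successful connect */
};

/* Server side (models NtCreatePort): the buffer is only as large as the
 * server's declared limit, which may be far smaller than MAX_CONNECT_INFO. */
static enum lpc_status lpc_create_port(struct lpc_port *port, size_t max_len)
{
    if (max_len > MAX_CONNECT_INFO) return LPC_INVALID_PARAM;
    port->connection_info = calloc(max_len ? max_len : 1, 1);
    if (!port->connection_info) return LPC_NO_MEMORY;
    port->max_connection_info = max_len;
    port->received = 0;
    return LPC_OK;
}

/* Kernel side (models the copy done for NtConnectPort). The advisory describes
 * the second check as missing: the client length was bounded only by the API
 * limit, not by the smaller server allocation, so the copy overran the heap. */
static enum lpc_status lpc_connect(struct lpc_port *port, const uint8_t *data, size_t len)
{
    if (!port || !port->connection_info || (!data && len)) return LPC_INVALID_PARAM;
    if (len > MAX_CONNECT_INFO) return LPC_EXCEEDS_API_LIMIT;            /* API bound */
    if (len > port->max_connection_info) return LPC_EXCEEDS_SERVER_LIMIT; /* the missing bound */
    memcpy(port->connection_info, data, len);
    port->received = len;
    return LPC_OK;
}

/* Run one scenario: server declares server_max, client sends client_len bytes. */
enum lpc_status lpc_check_scenario(size_t server_max, size_t client_len)
{
    uint8_t client_data[MAX_CONNECT_INFO + 1];      /* constructed client buffer */
    struct lpc_port port;
    enum lpc_status st = lpc_create_port(&port, server_max);
    if (st != LPC_OK) return st;
    memset(client_data, 'A', sizeof client_data);
    st = lpc_connect(&port, client_data, client_len);
    free(port.connection_info);
    return st;
}
```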
Workaround:
None.
Fix:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
Application Security, Inc.
www.appsecinc.com
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html