
Thread: Another new "critical" hole in Windoze.

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    12

    Another new "critical" hole in Windoze.

    Microsoft is at work again, another announcement of yet, ANOTHER security hole in their product(s). Not to mention the fact that this one is discovered in less than 2 months of the previous "hole".
    Now the question is, when will this last? May I answer that question? It will last as long as Microsoft Corp. remains to be "money friendly" rather than "user friendly". Bill Gates has to stop producing & start fixing. After all, fixing a software issue is CHEAPER than developing ANOTHER software that claims to be BETTER than its predecessor.
    *shrugs* I can rant 'n rave all I want, who's going to listen? The flunkies at Microsoft? No.
    Thank God for *nx & the Mac.

    http://www.reuters.com/newsArticle.j...t&section=news

    "Many receive advice, few profit by it." - Publilius Syrus (~100 BC), Maxims

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    yeah, the advisory just came out a couple days ago (boy, am i gettin slow)... here it is...
    Microsoft RPC Heap Corruption Vulnerability - Part II

    Release Date:
    September 10, 2003

    Severity:
    High (Remote Code Execution)

    Systems Affected:
    Microsoft Windows NT Workstation 4.0
    Microsoft Windows NT Server 4.0
    Microsoft Windows NT Server 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003

    Description:

    eEye Digital Security has discovered a critical remote vulnerability in the
    way Microsoft Windows handles certain RPC requests. The RPC (Remote
    Procedure Call) protocol provides an inter-process communication mechanism
    allowing a program running on one computer to execute code on a remote
    system.

    A vulnerability exists within the DCOM (Distributed Component Object Model)
    RPC interface. This interface handles DCOM object activation requests sent
    by client machines to the server.

    Note: this vulnerability differs from the vulnerability publicized in
    Microsoft Bulletin MS03-026.
    (http://www.microsoft.com/technet/sec...n/MS03-026.asp)
    This is a new vulnerability, and a different patch that must be installed.

    By sending a malformed request packet it is possible to overwrite various
    heap structures and allow the execution of arbitrary code.

    Technical Details:

    The vulnerability can be replicated with a DCERPC "bind" packet, followed by
    a malformed DCERPC DCOM object activation request packet. Issuing the API
    function CoGetInstanceFromFile can generate the required request. By
    manipulating the length fields within the activation packet, portions of
    heap memory can be overwritten with data which may be user-defined.

    Sending between 4 and 5 activation packets is generally sufficient to
    trigger the overwrite.

    Upon sending the sequence of packets we were able to continually cause an
    exception within the usual suspect RtlAllocateHeap:

    PAGE:77FC8F11 mov [ecx], eax
    PAGE:77FC8F13 mov [eax+4], ecx

    We control the values of the registers eax and ecx. We can write an
    arbitrary dword to any address of our choosing.

    Execution of code can be achieved through a number of means -- the
    unhandledexceptionfilter or a PEB locking pointer for instance. For this
    specific vulnerability the best route was to overwrite a pointer within the
    writeable .data section of RPCSS.DLL :

    .data:761BC254 off_761BC254 dd offset loc_761A1AE7 ; DATA XREF: sub_761A19EF+1C_r
    .data:761BC254                                     ; sub_761A19EF+11D_w
    ...
    .data:761BC258 off_761BC258 dd offset loc_761A1B18 ; DATA XREF: sub_761A19EF+108_w
    .data:761BC258                                     ; sub_761A1DCF+13_r
    ...

    At runtime these two pointers reference RtlAllocateHeap and RtlFreeHeap
    respectively. By overwriting offset 0x761BC258 with our chosen EIP value, we
    control the processor directly after the heap overwrite. The added benefit
    in choosing this pointer is we have data from our received packet at
    ebp->10h which we may modify to our liking, within reason. There is one
    small obstacle that must be overcome. The first word value at that address
    is the length field of our packet, this field must translate to an opcode
    sequence that will allow us to reach our data that follows.

    Protection:
    Retina Network Security Scanner has been updated to identify this
    vulnerability.
    http://www.eeye.com/html/Products/Retina/index.html
    Also our FREE RPC scanner tool has been updated to check for this second
    vulnerability.
    http://www.eeye.com/html/Research/Tools/RPCDCOM.html

    Vendor Status:
    Microsoft has released a patch for this vulnerability. The patch is
    available at:
    http://www.microsoft.com/technet/tre...ty/bulletin/MS03-039.asp

    Credit:
    Discovery: Barnaby Jack
    Additional Research: Barnaby Jack and Riley Hassell.

    Greetings:
    Thanks to Riley, and utmost respect to all of the eEye massive - masters of
    the black arts.
    Greets to all the new people I met in Vegas this year, especially the NZ
    crew, and many thanks to K2 (da bankrolla.)
    "This is my line. This is eternal." -AFI

    Copyright (c) 1998-2003 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alert@eEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com
    yeah, I'm gonna need that by friday...
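
The two instructions quoted in the advisory above (`mov [ecx], eax` / `mov [eax+4], ecx`) are a doubly linked free-list unlink acting on links read from a corrupted heap header. The C simulation below is an added example, not part of the original post or of eEye's advisory; it shows that unlink beside a variant that verifies both neighbours' back-pointers before writing. The names `list_entry`, `unlink_checked` and `slot_overwritten`, and the corrupted link values, are constructed for illustration.

```c
#include <stdio.h>

/* Simulated free-list links; not Windows heap code. On 32-bit x86 the
 * second pointer sits at offset 4, matching [eax+4] in the advisory. */
typedef struct list_entry {
    struct list_entry *flink;   /* forward link  (eax) */
    struct list_entry *blink;   /* backward link (ecx) */
} list_entry;

/* Unchecked unlink: mov [ecx], eax ; mov [eax+4], ecx */
static void unlink_unchecked(list_entry *e) {
    list_entry *f = e->flink, *b = e->blink;
    b->flink = f;
    f->blink = b;
}

/* Checked unlink: both neighbours must still point back at the entry. */
static int unlink_checked(list_entry *e) {
    list_entry *f = e->flink, *b = e->blink;
    if (f->blink != e || b->flink != e)
        return -1;              /* links corrupted: perform no write */
    b->flink = f;
    f->blink = b;
    return 0;
}

/* Builds head <-> a <-> c, optionally corrupts a's links (constructed
 * values), unlinks a, and reports whether `slot` was overwritten. */
static int slot_overwritten(int corrupt, int checked, int *rc) {
    list_entry head, a, c, scratch = {0}, slot = {0};
    head.flink = &a; head.blink = &c;
    a.flink = &c;    a.blink = &head;
    c.flink = &head; c.blink = &a;
    if (corrupt) {              /* as if an overflow rewrote the header */
        a.flink = &scratch;     /* value that gets written */
        a.blink = &slot;        /* address that gets written to */
    }
    *rc = 0;
    if (checked) *rc = unlink_checked(&a);
    else unlink_unchecked(&a);
    return slot.flink == &scratch;
}

int main(void) {
    int rc;
    printf("unchecked, corrupt: overwritten=%d\n", slot_overwritten(1, 0, &rc));
    printf("checked, corrupt:   overwritten=%d", slot_overwritten(1, 1, &rc));
    printf(" rc=%d\n", rc);
    return 0;
}
```

With intact links the checked variant behaves exactly like the unchecked one; it only refuses the write when a neighbour no longer points back at the entry being removed.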

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hey Guys,

    If you really want to get p***** off, just subscribe to the Microsoft security bulletin............you will get around 2 per week, not every two months.

    Now what really annoys me about your posts is, it seems I will have to upgrade the OS on several of my systems just to benefit from these new exploits ............only jokin!

    It is interesting that since M$ dumped its "home user line" that is 9X/Me, and consolidated everything on the NT based XP product...that is where the problems now are?

    I can remember not so long ago when I was using NT4 in the workplace, a lot of problems were not yours because they would not run on that OS

    I can remember the smug folks with Apple/Macs, not so smug now are they? or *nix........their time will come......doom, doom,doom and then a bit of gloom?

    Maybe I should upgrade my RISK box..............not many left who could write malware for that OS?

    Cheers

  4. #4
    One of my friends updated, and it caused him to not be able to log in because it couldn't find the needed files, he had to reformat.

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Well I for one compare the M$ OS to a tire tube (I'm Old) and boy every release that old tube is full of patches. No wonder Paul Allen (co-founder of M$) when he left he named his company Vulcan Inc. For all you young people a Vulcanizer was another name for a person that fixes flat tires! Does Paul know what Bill was up to, and what was going to be needed to fix the OS? Yeah they issued a patch, only problem is the patch now needs a patch, not unlike the release yesterday of another way to exploit DCOMM...dah M$ answer make updates an auto install thing, so what install an patch emote that will not work? At any rate it all the M$ flaws are good they keep me employed and I have an income. So in some twisted way if their software was not so badly flawed I'd not have a job. But I really have to give it to the marketing people where I work I have a life size cutout of Bill with a much patched tire tube about his waist, for each patch each year I put a band aid on the tube, say there you're all better. Each year they give me a new release of Bill for the server room door!
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  6. #6
    Junior Member
    Join Date
    Dec 2002
    Posts
    12
    Sorry for being late, just got back from a hectic weekend..fights with my ISP for "suspending" my account for no reason & all that blah..

    thanks for the details tampabay i was in the process of looking for it when my modem suddenly went blank on me lol..as for the update, yes it DOES have flaws, i haven't done it myself, some guys i know did & their pc died with a whimper.

    *shrugs* we're being forcefed all that MS crap, after all...it does make life more interesting to look for & to fix the flaws...we all could use a good laugh once in awhile

  7. #7
    Just some information from securityfocus.com:

    Microsoft Windows Vulnerabilities: 222
    Linux Vulnerabilities: 266
    Unix Vulnerabilities: 82

    Someone posted something like "thank god for *nx", which would include linux and unix.
    266 + 82 = 348 *nix vulnerabilities compared to 222 Microsoft Windows vulnerabilities... interesting...

    -noix-

  8. #8
    BIOS Bomber
    Join Date
    Jul 2003
    Location
    Michigan
    Posts
    357
    Originally posted here by Nitro
    Just some information from securityfocus.com:

    Microsoft Windows Vulnerabilities: 222
    Linux Vulnerabilities: 266
    Unix Vulnerabilities: 82

    Someone posted something like "thank god for *nx", which would include linux and unix.
    266 + 82 = 348 *nix vulnerabilities compared to 222 Microsoft Windows vulnerabilities... interesting...

    -noix-
    Now imagine how many Windows would have if they released THEIR source code?
    "When in doubt, use Brute Force."

    Never argue with an idiot. They'll drag you down to their level, then beat you with experience.

  9. #9
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I always hear people saying that windows sucks, the security is bad, *nix is far more secure. But they don't seem to understand, that if you know a lot about Windows, and not a lot about *nix, then Windows is going to be the more secure OS.

    No matter how many times I say that, people always come back and ask which is the most secure. To answer that question you must ask them a question. "Which one are you most knowledgeable about." because that's what it comes down to with security.

  10. #10
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    great point cheyenne1212, the less knowledge you have about your OS (whatever it is) the more vulnerable you will be. Switching to a new OS will not increase your knowledge the instant you switch. If you use windows, you need to make sure you patch and update, and that's just the tip of securing windows.... you would be surprised (maybe not) at how many home pc's i've fixed that have NEVER visited windowsupdate. Securing *.nix isn't hard, but just like with windows, you need to know where to go, what to get, and how to configure your box, both pre and post installation. Knowledge is power people.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/
