iPolicy Networks Security Advisory

Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability

Date Discovered: 10/23/2008
Severity: High
Applications Affected:
  Microsoft Windows Server 2008 Itanium
  Microsoft Windows Server 2008 x64
  Microsoft Windows Server 2008 32-bit
  Microsoft Windows Vista x64 Edition
  Microsoft Windows Vista x64 Edition SP1
  Microsoft Windows Vista
  Microsoft Windows Vista SP1
  Microsoft Windows Server 2003 SP2 Itanium
  Microsoft Windows Server 2003 SP1 Itanium
  Microsoft Windows Server 2003 x64 SP2
  Microsoft Windows Server 2003 x64
  Microsoft Windows Server 2003 SP2
  Microsoft Windows Server 2003 SP1
  Microsoft Windows XP Professional x64 SP2
  Microsoft Windows XP Professional x64
  Microsoft Windows XP SP3
  Microsoft Windows XP SP2
  Microsoft Windows 2000 SP4
Type: Remote
Identifiers: CVE-2008-4250, BID-30494
Synopsis
A remote code execution vulnerability has been identified in the Microsoft Windows Server Service when it handles a specially crafted RPC request.
Recommended Actions
1. Apply the latest patch, available at:
http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

2. Block TCP ports 139 and 445 at the firewall
TCP ports 139 and 445 are used to initiate a connection with the vulnerable component, so blocking them at the perimeter prevents users on external networks from exploiting this vulnerability. Once these ports are blocked, users on external networks will no longer be able to reach services that depend on TCP ports 139 and 445, including SMB, Print Spooler, Computer Browser, Remote Procedure Call Locator, Fax Service and Group Policy.

3. Disable the Computer Browser and Server services

Disabling the Computer Browser and Server services on affected systems protects them from both internal and external attempts to exploit this vulnerability. Disabling these services makes dependent services such as SMB and Print Spooler unavailable.
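The two interim mitigations above (steps 2 and 3), carried out on a single Windows host, as an added example that is not part of the iPolicy advisory. It uses standard netsh and service-control commands; the Windows service names assumed here are Browser (Computer Browser) and LanmanServer (Server). The netsh advfirewall context exists on Windows Vista / Server 2008 and later; on the older listed platforms the perimeter firewall from step 2 is the practical place to block the ports.

```powershell
# Added example, not code from the iPolicy advisory or from Microsoft.
# Run from an elevated PowerShell prompt.

# Step 2: block inbound TCP 139 and 445 on the host firewall
# (netsh advfirewall is available on Vista / Server 2008 and later).
netsh advfirewall firewall add rule name="Block TCP 139/445 - MS08-067 interim" `
    dir=in action=block protocol=TCP localport=139,445

# Step 3: stop and disable the Computer Browser and Server services.
# Browser depends on LanmanServer, so it is stopped first; -Force also
# stops any remaining dependents of the Server service.
foreach ($svc in 'Browser', 'LanmanServer') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}

# Verify: both services should report State=Stopped and StartMode=Disabled.
# Win32_Service is used so the check also works on PowerShell 2.0 hosts.
Get-WmiObject Win32_Service -Filter "Name='Browser' OR Name='LanmanServer'" |
    Select-Object Name, State, StartMode
```

Reverse the firewall rule with `netsh advfirewall firewall delete rule name="Block TCP 139/445 - MS08-067 interim"` and re-enable the services with `Set-Service -StartupType Automatic` once the MS08-067 update from step 1 has been applied.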
Threat Analysis

A remote code execution vulnerability has been identified in the Microsoft Windows Server Service when it handles a specially crafted RPC request. The issue is a stack overflow in netapi32.dll that occurs when it processes directory traversal character sequences in path names.

This vulnerability is being exploited in the wild by a new worm, Gimmiv.A.

The Server service exposes the named pipe SRVSVC as its RPC interface, registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188. A remote attacker first sends an RPC request to bind to the SRVSVC interface and then sends a specially crafted RPC request that instructs SRVSVC to canonicalize the path "\c\..\..\AAAAAAAAAAAAAAAAAAAA" through the vulnerable RPC function NetPathCanonicalize. When netapi32.dll processes this malicious request, the result is a stack overflow. An attacker can take advantage of this to execute arbitrary code and gain complete control over the affected system.
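The defect class described above is a canonicalizer that honours ".." segments without checking that it is still inside the path it started with. The following added example (not iPolicy's code and not the netapi32.dll implementation) shows the bounded form of that logic: it collapses "." and ".." the way a canonicalizer should, but rejects any request whose ".." would climb above the root instead of walking past the start of the buffer. The function name Canonicalize-ServerPath and the sample paths are constructed for this illustration; the first sample is the malformed path quoted in the advisory.

```powershell
# Added example, not code from the advisory or from Microsoft.
# A bounded path canonicalizer: ".." may never remove more segments than
# have been pushed, so traversal above the root is refused rather than
# acted upon.
function Canonicalize-ServerPath {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Normalise slashes, split on backslash, drop empty segments.
    $segments = ($Path.Replace('/', '\') -split '\\') | Where-Object { $_ -ne '' }
    $stack = New-Object 'System.Collections.Generic.List[string]'

    foreach ($seg in $segments) {
        switch ($seg) {
            '.'  { }                                  # current directory: nothing to do
            '..' {
                if ($stack.Count -eq 0) {
                    return $null                      # would climb above the root: reject
                }
                $stack.RemoveAt($stack.Count - 1)     # bounded: only pops what was pushed
            }
            default { $stack.Add($seg) }
        }
    }
    return '\' + ($stack -join '\')
}

# Constructed sample inputs: the path from the advisory plus two benign paths.
$samples = @(
    '\c\..\..\AAAAAAAAAAAAAAAAAAAA',   # one ".." too many: must be rejected
    '\share\docs\..\readme.txt',       # legitimate use of "..": \share\readme.txt
    '\share\.\x'                       # "." is dropped:                 \share\x
)
foreach ($s in $samples) {
    $result = Canonicalize-ServerPath -Path $s
    if ($null -eq $result) { "REJECT  $s" } else { "OK      $s  ->  $result" }
}
```

The depth counter ($stack.Count) is the check that turns an unbounded walk into a recoverable error; in a native implementation the same idea is a lower-bound comparison on the write pointer before each ".." is applied.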
References

http://www.securityfocus.com/bid/31874/info
http://www.frsirt.com/english/advisories/2008/2902
http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
http://www.bitdefender.com/VIRUS-1000430-en--Win32.Worm.Gimmiv.A.html

Write-up by: Vinod Sharma