BindView Security Advisory: Critical Flaw in rpc__mgmt_inq_stats

Remote anonymous attackers can read large amounts of memory from and/or crash any NT4 RPC server



Issue Date: 12Oct2004
Contact: loveless@bindview.com
Author: Todd Sabin

Topic:
A flaw in rpc__mgmt_inq_stats allows attackers to retrieve memory from and crash NT4 RPC servers.

Overview:
Due to a flaw in the implementation of a standard RPC interface, attackers can retrieve large amounts of the memory from the address space of NT4 RPC servers. In addition to retrieving memory, it is possible to crash any NT4 RPC server by asking for extremely large amounts of memory, the RPC server will attempt to read from inaccessible parts of memory, causing an exception, and the termination of the RPC server.

Affected Systems:
All NT4 systems running RPC servers

Impact:
Anonymous attackers can crash any RPC server. This includes the SAM and LSA, the main RPC service, the Server service, etc. Many applications are also based on RPC or support it, including Exchange and SQL Server.

In addition to crashing servers, an attacker can read large amounts of memory from the address space of the servers. Depending on the server, this may result in the disclosure of sensitive information. For example, during testing against the LSA of an NT4 domain controller, the Administrator's password hash was retrieved.

Details:
As per the guidelines as set forth in the Organization for Internet Safety, BindView will not be releasing technical details about this flaw for 30 days. See http://www.oisafety.org/ for more details on these guidelines.

Workarounds:
None known

Recommendations:
Install the patch from Microsoft. http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx

References:


    CVE Name: CAN-2004-0569
    The mgmt interface. http://www.opengroup.org/onlinepubs/9629399/apdxq.htm