Microsoft Windows LPC heap overflow

AppSecInc Team SHATTER Security Advisory
http://www.appsecinc.com/resources/alerts/general/07-0001.html
January 10, 2005

Credit: This vulnerability was discovered and researched by Cesar 
Cerrudo of Application Security, Inc.

Risk Level: High

Summary:
A local privilege elevation vulnerability exists on the Windows 
operating systems. This vulnerability allows any user to take complete 
control over the system and affects Windows NT, Windows 2000, Windows 
XP, and Windows 2003 (all service packs).

Versions Affected:
Microsoft Windows NT, Windows 2000, Windows XP, and Windows 2003 (all 
service packs).

Details:
The LPC (Local Procedure Call) mechanism is a type of interprocess 
communication used by the Windows operating systems. LPC is used to 
communicate between processes running on the same system while RPC 
(Remote Procedure Call) is used to communicate between processes on 
remote systems.

When a client process communicates with a server using LPC, the kernel 
fails to check that the server process has allocated enough memory 
before copying data sent by the client process. The native API used to 
connect to the LPC port is NtConnectPort. A parameter of the 
NtConnectPort API allows a buffer of up 260 bytes. When using this 
function the buffer is copied by the kernel from the client process to 
the server process memory ignoring the buffer size restriction which the 
server process set when calling NtCreatePort (the native API used to 
create LPC ports). This causes a heap corruption in the server process 
allowing arbitrary memory to be overwritten and can lead to arbitrary 
code execution.

Workaround:
None.


Fix:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com
 
AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business. 
----------------------------------------------------------------------