CERT-In Vulnerability Note CIVN-2009-77
Microsoft Windows RPC Marshalling Engine Vulnerability
Original Issue Date: June 11, 2009
Severity Rating: Medium
Systems Affected
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Service Pack 3
- Microsoft Windows XP Professional x64 Edition Service Pack 2
- Microsoft Windows Server 2003 Service Pack 2
- Microsoft Windows Server 2003 x64 Edition Service Pack 2
- Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
- Microsoft Windows Vista Service Pack 2 and prior
- Microsoft Windows Vista x64 Edition Service Pack 2 and prior
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (including server core)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (including server core)
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 (including server core)
Overview
A vulnerability has been identified in Microsoft Windows RPC which could allow an attacker to execute arbitrary code and take complete control of an affected system.
Description
Microsoft Remote Procedure Call (RPC) is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process. That process can be on the same computer, on the local area network (LAN), or across the Internet. The Microsoft RPC mechanism uses other IPC mechanisms, such as named pipes, NetBIOS, or Winsock, to establish communications between the client and the server. With RPC, essential program logic and related procedure code can exist on different computers, which is important for distributed applications.
The RPC Marshalling Engine, also known as NDR, provides a common RPC interface between RPC clients and servers. NDR20 is used in a 32-bit architecture and NDR64 is optimized for a 64-bit architecture. The same marshalling engine is used on both the client and the server side, regardless of program architecture. The client and the server negotiate which marshalling engine is used for the communication.
This is an elevation of privilege vulnerability caused by the Microsoft Windows Remote Procedure Call (RPC) Marshalling Engine failing to properly update its internal state, which could lead to a pointer being read from an incorrect location. Successful exploitation of this vulnerability could allow attackers to execute arbitrary code with elevated privileges and take complete control of an affected system.
Note: Systems with default configurations, i.e. without third-party RPC servers or clients, are not exploitable. However, the vulnerability exists in the Microsoft Windows RPC runtime and could affect third-party RPC applications. This vulnerability can be exploited by sending a specially crafted RPC message to a third-party RPC application.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-026.
Vendor Information
Microsoft Corporation
http://www.microsoft.com/technet/security/bulletin/ms09-026.mspx
References
Microsoft Corporation
http://blogs.technet.com/srd/archive/2009/06/09/ms09-026-how-a-developer-can-know-if-their-rpc-interface-is-affected.aspx
SecurityFocus
http://www.securityfocus.com/bid/35219
SecurityTracker
http://www.securitytracker.com/alerts/2009/Jun/1022357.html
Secunia
http://secunia.com/advisories/35373
VUPEN
http://www.vupen.com/english/advisories/2009/1545
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=18413
CVE Name
CVE-2009-0568
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003