what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AppSecInc.winheap.txt

AppSecInc.winheap.txt
Posted Jan 12, 2005
Authored by Cesar Cerrudo | Site appsecinc.com

AppSecInc Advisory - The Microsoft Windows LPC (Local Procedure Call) mechanism is susceptible to a heap overflow that allows for privilege escalation.

tags | advisory, overflow, local
systems | windows
SHA-256 | 8aff40b0ee0ad0cc1af142ebe5ba1bdbdb9b46ace767d159bfba4e3fac06d6fe

AppSecInc.winheap.txt

Change Mirror Download
Microsoft Windows LPC heap overflow

AppSecInc Team SHATTER Security Advisory
http://www.appsecinc.com/resources/alerts/general/07-0001.html
January 10, 2005

Credit: This vulnerability was discovered and researched by Cesar
Cerrudo of Application Security, Inc.

Risk Level: High

Summary:
A local privilege elevation vulnerability exists on the Windows
operating systems. This vulnerability allows any user to take complete
control over the system and affects Windows NT, Windows 2000, Windows
XP, and Windows 2003 (all service packs).

Versions Affected:
Microsoft Windows NT, Windows 2000, Windows XP, and Windows 2003 (all
service packs).

Details:
The LPC (Local Procedure Call) mechanism is a type of interprocess
communication used by the Windows operating systems. LPC is used to
communicate between processes running on the same system while RPC
(Remote Procedure Call) is used to communicate between processes on
remote systems.

When a client process communicates with a server using LPC, the kernel
fails to check that the server process has allocated enough memory
before copying data sent by the client process. The native API used to
connect to the LPC port is NtConnectPort. A parameter of the
NtConnectPort API allows a buffer of up 260 bytes. When using this
function the buffer is copied by the kernel from the client process to
the server process memory ignoring the buffer size restriction which the
server process set when calling NtCreatePort (the native API used to
create LPC ports). This causes a heap corruption in the server process
allowing arbitrary memory to be overwritten and can lead to arbitrary
code execution.

Workaround:
None.


Fix:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com

AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business.
----------------------------------------------------------------------
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close