CERT-MU Vulnerability Note VN-2009-16

Microsoft Windows RPC Marshalling Engine Vulnerability

Original Issue Date: June 11, 2009

Severity Rating: Medium

Affected Software

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Service Pack 3
  • Microsoft Windows XP Professional x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003 x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
  • Microsoft Windows Vista Service Pack 2 and prior
  • Microsoft Windows Vista x64 Edition Service Pack 2 and prior
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (including server core)
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (including server core)
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 (including server core)

Overview

A vulnerability has been identified in Microsoft Windows RPC which could allow an attacker to execute arbitrary code and take complete control of an affected system.

Description

Microsoft Remote Procedure Call (RPC) is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process. That process can be on the same computer, on the local area network (LAN), or across the Internet. The Microsoft RPC mechanism uses other IPC mechanisms, such as named pipes, NetBIOS, or Winsock, to establish communications between the client and the server. With RPC, essential program logic and related procedure code can exist on different computers, which is important for distributed applications.

The RPC Marshalling Engine, also known as NDR, provides a common RPC interface between RPC clients and servers. NDR20 is used in a 32-bit architecture and NDR64 is optimized for a 64-bit architecture. The same marshalling engine is used on both the client and the server side, regardless of program architecture. The client and the server negotiate which marshalling engine is used for the communication.

This is an elevation of privilege vulnerability caused by the Microsoft Windows Remote Procedure Call (RPC) Marshalling Engine not properly updating its internal state, which could lead to a pointer being read from an incorrect location. Successful exploitation of this vulnerability could allow attackers to execute arbitrary code with elevated privileges and take complete control of an affected system.

Note: Systems with default configurations, i.e. without RPC servers or clients, are not exploitable. However, the vulnerability exists in the Microsoft Windows RPC runtime and could affect third-party RPC applications. This vulnerability can be exploited by sending a specially crafted RPC message to a third-party RPC application.

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS09-026.

CVE Name

CVE-2009-0568

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-026.mspx

References

Microsoft Corporation
http://blogs.technet.com/srd/archive/2009/06/09/ms09-026-how-a-developer-can-know-if-their-rpc-interface-is-affected.aspx


SecurityFocus
http://www.securityfocus.com/bid/35219


SecurityTracker
http://www.securitytracker.com/alerts/2009/Jun/1022357.html


Secunia
http://secunia.com/advisories/35373


VUPEN
http://www.vupen.com/english/advisories/2009/1545


Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=18413

 
 
 
 
 

Last Updated 20-Jul-2011