Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities
BID:1748
Info
Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities
| Bugtraq ID: | 1748 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Oct 03 2000 12:00AM |
| Updated: | Oct 03 2000 12:00AM |
| Credit: | Discovered by BindView's Razor Team <[email protected]> and publicized in a Microsoft Security Bulletin (MS00-070) on October 3, 2000. |
| Vulnerable: |
Microsoft Windows NT Workstation 4.0 SP6a Microsoft Windows NT Workstation 4.0 SP6 Microsoft Windows NT Workstation 4.0 SP5 Microsoft Windows NT Workstation 4.0 SP4 Microsoft Windows NT Workstation 4.0 SP3 Microsoft Windows NT Workstation 4.0 SP2 Microsoft Windows NT Workstation 4.0 SP1 Microsoft Windows NT Workstation 4.0 Microsoft Windows NT Terminal Server 4.0 SP6 Microsoft Windows NT Terminal Server 4.0 SP5 Microsoft Windows NT Terminal Server 4.0 SP4 Microsoft Windows NT Terminal Server 4.0 SP3 Microsoft Windows NT Terminal Server 4.0 SP2 Microsoft Windows NT Terminal Server 4.0 SP1 Microsoft Windows NT Terminal Server 4.0 Microsoft Windows NT Server 4.0 SP6a Microsoft Windows NT Server 4.0 SP6 Microsoft Windows NT Server 4.0 SP5 Microsoft Windows NT Server 4.0 SP4 Microsoft Windows NT Server 4.0 SP3 Microsoft Windows NT Server 4.0 SP2 Microsoft Windows NT Server 4.0 SP1 Microsoft Windows NT Server 4.0 Microsoft Windows NT Enterprise Server 4.0 SP6a Microsoft Windows NT Enterprise Server 4.0 SP6 Microsoft Windows NT Enterprise Server 4.0 SP5 Microsoft Windows NT Enterprise Server 4.0 SP4 Microsoft Windows NT Enterprise Server 4.0 SP3 Microsoft Windows NT Enterprise Server 4.0 SP2 Microsoft Windows NT Enterprise Server 4.0 SP1 Microsoft Windows NT Enterprise Server 4.0 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server |
| Not Vulnerable: | |
Discussion
Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities
LPC (Local Procedure Call) is a message-passing service that allows threads and processes to communicate with each other on a local machine as opposed to RPC (Remote Procedure Call) that takes place between different hosts.
The structure of a message is as follows (taken from the Bindview Security Advisory under the 'Credit' tab):
typedef struct lpc_msg {
unsigned short data_len;
unsigned short msg_len; /* normally data_len + sizeof (struct lpc_msg) */
unsigned short msg_type;
unsigned short address_range_offset;
unsigned long pid; /* process id of client */
unsigned long tid; /* thread id of client */
unsigned long mid; /* message id for this message */
unsigned long callback_id; /* callback id for this message */
/* unsigned char buff[0]; data_len bytes of data for this message */
} LPC_MSG;
The underlying problem exists in the way NT's LPC ports implementation verifies the original source of the message. When a client attempts to connect to the server, the server will receive a new handle from NtAcceptConnectPort. Although, the server will not use the handle and will use the original handle it had received from the NtCreatePort call. It will utilize the PID (Process Identifier), TID (Thread Identifier), and MID (Message Identifier) as illustrated above. The MID of a LPC message is predictable and any process that knows the MID can use it. This opens up the possibility of a number of exploits such as Denial of Service, Session Hijacking, Eavesdropping, and Privilege Escalation.
Vulnerability #1: This vulnerability only affects Windows NT 4.0 and not 2000. Hijacking of port connections is made possible because any process can call NtAcceptConnectPort. The NtAcceptConnectPort API only requires LPC_MSG and PID, TID, and MID rather than an existing port handle. If all three identifiers are specified for an existing connection request, then the process is given a handle to that particular port. Process requests from that client can now take place.
Vulnerability #2: It is possible to transmit data between LPC clients and servers through NtReadRequestData and NtWriteRequestData. These two functions allow servers to read and write to client address space specified by the client. An example of the client structure is as follows:
struct addr_ranges {
unsigned long num_entries;
struct addr_entry {
void *addr;
size_t len;
} addrs[N]; /* where N is num_entries */
};
This structure would be inserted into the data portion of the client message and the address_range_offset of the LPC_MSG would be set to the offset of the structure. The server can then read or write to the specified address ranges with NtReadRequestData and NtWriteRequestData. However, a client of a port can utilize one of these calls as a server and access portions of memory from another client, given that the other client is utilizing address_range_offset and that the original client can provide the correct PID, TID, and MID.
Vulnerability #3: By making a large number of LPC requests using the address_range_offset feature, it is possible to use up all available MIDs in the system (2^32). When this happens, the server will 'wrap' and assign outstanding requests a MID belonging to an existing request. In this manner it is possible for one client to cause the server to send an innapropriate reply to another client.
These vulnerabilities can only be launched against a machine a user can interactively log onto, therefore remote exploitation is not possible.
Other vulnerabilities exists in NT's implementation of LPC and are detailed in the Microsoft Security Bulletin (MS00-070) and Bindview's Security Advisory located under the 'Credit' tab.
LPC (Local Procedure Call) is a message-passing service that allows threads and processes to communicate with each other on a local machine as opposed to RPC (Remote Procedure Call) that takes place between different hosts.
The structure of a message is as follows (taken from the Bindview Security Advisory under the 'Credit' tab):
typedef struct lpc_msg {
unsigned short data_len;
unsigned short msg_len; /* normally data_len + sizeof (struct lpc_msg) */
unsigned short msg_type;
unsigned short address_range_offset;
unsigned long pid; /* process id of client */
unsigned long tid; /* thread id of client */
unsigned long mid; /* message id for this message */
unsigned long callback_id; /* callback id for this message */
/* unsigned char buff[0]; data_len bytes of data for this message */
} LPC_MSG;
The underlying problem exists in the way NT's LPC ports implementation verifies the original source of the message. When a client attempts to connect to the server, the server will receive a new handle from NtAcceptConnectPort. Although, the server will not use the handle and will use the original handle it had received from the NtCreatePort call. It will utilize the PID (Process Identifier), TID (Thread Identifier), and MID (Message Identifier) as illustrated above. The MID of a LPC message is predictable and any process that knows the MID can use it. This opens up the possibility of a number of exploits such as Denial of Service, Session Hijacking, Eavesdropping, and Privilege Escalation.
Vulnerability #1: This vulnerability only affects Windows NT 4.0 and not 2000. Hijacking of port connections is made possible because any process can call NtAcceptConnectPort. The NtAcceptConnectPort API only requires LPC_MSG and PID, TID, and MID rather than an existing port handle. If all three identifiers are specified for an existing connection request, then the process is given a handle to that particular port. Process requests from that client can now take place.
Vulnerability #2: It is possible to transmit data between LPC clients and servers through NtReadRequestData and NtWriteRequestData. These two functions allow servers to read and write to client address space specified by the client. An example of the client structure is as follows:
struct addr_ranges {
unsigned long num_entries;
struct addr_entry {
void *addr;
size_t len;
} addrs[N]; /* where N is num_entries */
};
This structure would be inserted into the data portion of the client message and the address_range_offset of the LPC_MSG would be set to the offset of the structure. The server can then read or write to the specified address ranges with NtReadRequestData and NtWriteRequestData. However, a client of a port can utilize one of these calls as a server and access portions of memory from another client, given that the other client is utilizing address_range_offset and that the original client can provide the correct PID, TID, and MID.
Vulnerability #3: By making a large number of LPC requests using the address_range_offset feature, it is possible to use up all available MIDs in the system (2^32). When this happens, the server will 'wrap' and assign outstanding requests a MID belonging to an existing request. In this manner it is possible for one client to cause the server to send an innapropriate reply to another client.
These vulnerabilities can only be launched against a machine a user can interactively log onto, therefore remote exploitation is not possible.
Other vulnerabilities exists in NT's implementation of LPC and are detailed in the Microsoft Security Bulletin (MS00-070) and Bindview's Security Advisory located under the 'Credit' tab.
Exploit / POC
Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities
Bindview's Razor Team has provided a proof-of-concept tool (porttool.zip) to demonstrate the vulnerabilities that exist in Microsoft NT's implementation of LPC. The following commands correspond with the specified vulnerabilities detailed under the 'Discussion' tab:
Vulnerability #1:
start porttool -s \BaseNamedObjects\Foo
start porttool -c \BaseNamedObjects\Foo
porttool -s1
(enter PID, TID, and MID printed by porttool -s)
Vulnerability #2:
start porttool -s5a \BaseNamedObjects\Foo
start porttool -c5a-1 \BaseNamedObjects\Foo
porttool -c5a-2 \BaseNamedObjects\Foo
(enter PID, TID, MID, CID from porttool -s5)
Vulnerability #3:
start porttool -s5b \BaseNamedObjects\Foo
start porttool -s5b-2 \BaseNamedObjects\Foo2
porttool -c5b \BaseNamedObjects\Foo \BaseNamedObjects\Foo2
(wait until MIDs wrap around)
start porttool -s \BaseNamedObjects\Foo3
porttool -c \BaseNamedObjects\Foo3
(in window for porttool -s5b)
Enter PID, TID, MID, CID from porttool -s
Bindview's Razor Team has provided a proof-of-concept tool (porttool.zip) to demonstrate the vulnerabilities that exist in Microsoft NT's implementation of LPC. The following commands correspond with the specified vulnerabilities detailed under the 'Discussion' tab:
Vulnerability #1:
start porttool -s \BaseNamedObjects\Foo
start porttool -c \BaseNamedObjects\Foo
porttool -s1
(enter PID, TID, and MID printed by porttool -s)
Vulnerability #2:
start porttool -s5a \BaseNamedObjects\Foo
start porttool -c5a-1 \BaseNamedObjects\Foo
porttool -c5a-2 \BaseNamedObjects\Foo
(enter PID, TID, MID, CID from porttool -s5)
Vulnerability #3:
start porttool -s5b \BaseNamedObjects\Foo
start porttool -s5b-2 \BaseNamedObjects\Foo2
porttool -c5b \BaseNamedObjects\Foo \BaseNamedObjects\Foo2
(wait until MIDs wrap around)
start porttool -s \BaseNamedObjects\Foo3
porttool -c \BaseNamedObjects\Foo3
(in window for porttool -s5b)
Enter PID, TID, MID, CID from porttool -s
Solution / Fix
Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities
Solution:
Microsoft has released the following patches which eliminate this vulnerability including the other LPC vulnerabilities discussed in the Microsoft Security Bulletin (MS00-070):
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Server
Solution:
Microsoft has released the following patches which eliminate this vulnerability including the other LPC vulnerabilities discussed in the Microsoft Security Bulletin (MS00-070):
Microsoft Windows 2000 Advanced Server SP1
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Microsoft Windows 2000 Datacenter Server
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Microsoft Windows NT Workstation 4.0 SP6a
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
Microsoft Windows 2000 Datacenter Server SP1
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Microsoft Windows NT Server 4.0 SP6a
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
Microsoft Windows 2000 Professional
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Microsoft Windows 2000 Professional SP1
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Microsoft Windows NT Enterprise Server 4.0 SP6a
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
Microsoft Windows 2000 Server SP1
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Microsoft Windows 2000 Advanced Server
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
Microsoft Windows 2000 Server
-
Microsoft Q266433
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24649
References
Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities
References:
References: