Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Windows DHCP Client Service Buffer Overflow (MS06-036)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Windows DHCP Client Service Buffer Overflow (MS06-036)
Date: 30 Aug 2006 15:00:44 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Windows DHCP Client Service Buffer Overflow (MS06-036)
------------------------------------------------------------------------


SUMMARY

A remote buffer overflow vulnerability has been identified in Microsoft 
Windows DHCP-Client Service.

DETAILS

The vulnerability specifically exists in the way the dhcpcsvc.dll system 
library processes DHCP messages.

To extend the limit of 255 bytes defined by the length octet of the DHCP 
Option Field, Microsoft uses the private Option Code 0xFA (250), allowing 
the use of larger option values.

Therefore, a client trying to obtain its IP information may receive a 
DHCPACK packet with the following structure defined, after the 
MAGIC_COOKIE:
-------------------------------------
2F FF [255 bytes] FA 09 [8 bytes] 00
-------------------------------------

In the packet previously described, a NetBIOS over TCP/IP Scope option is 
being used, consisting of 264 bytes (including the NULL), effectively 
extending the limit of 255 bytes per Option.

The use of this Private Option Code is not restricted to be used only once 
after a known Option Code, so the following structure can also be used:
-------------------------------------------------------------------------------
2F FF [255 bytes] FA FF [255 bytes] FA FF [255 bytes] ... FA FF [254 
bytes] 00
-------------------------------------------------------------------------------

Option Code 0x2F (NetBIOS over TCP/IP Scope ) was used for our internal 
proof-of-concept but other Option Codes can also be used.

Once the client receives this DHCPACK message, an option-reassembling 
process is undertaken so that intermediate "0xFA"s and Length octets are 
removed.
In this state the requesting client has an N bytes (N > 255) valid DHCP 
option value, which will now be saved in the stack, after trying to 
perform a Unicode translation process (Windows 2000):

In function DhcpRegSaveOptionAtLocation 2516 bytes of stack space is 
reserved:
---------------------------
55             PUSH EBP
8BEC           MOV EBP,ESP
81EC D4090000  SUB ESP,9D4
---------------------------

Then, the function DhcpOemToUnicode is called with the following 
arguments:
---------------------------------------------------------------------------------
8D85 2CF6FFFF  LEA EAX, DWORD PTR SS:[EBP-9D4]
50             PUSH EAX                 ; PUNICODE_STRING destination 
buffer
56             PUSH ESI ; POEM_STRING buffer received
E8 3E010000    CALL DhcpOemToUnicode
---------------------------------------------------------------------------------

In this function some values are calculated and passed to the 
DhcpOemToUnicodeN function:
----------------------------------------------------------------------------------
0FB745 F8      MOVZX EAX,WORD PTR SS:[EBP-8]    ; POEM_STRING->Length
8D4400 02      LEA EAX,DWORD PTR DS:[EAX+EAX+2] ; LEN = 
(POEM_STRING->Length+1)*2
50             PUSH EAX
FF75 0C        PUSH DWORD PTR SS:[EBP+C]        ; PUNICODE_STRING buffer
FF75 08        PUSH DWORD PTR SS:[EBP+8]        ; POEM_STRING buffer
E8 04000000    CALL DhcpOemToUnicodeN
----------------------------------------------------------------------------------


In DhcpOemToUnicodeN, the following code is executed:
-----------------------------------------------------------------------------------
8B45 10 MOX EAX,DWORD PTR SS:[EBP+10] ; Argument 3 (LEN)
8B75 0C MOV ESI,DWORD PRT SS:[EBP+C]  ; PUNICODE_STRING->MaxLength
03C0    ADD EAX, EAX
85F6    TEST ESI,ESI
66:8945 FA      MOV WORD PTR SS:[EBP-6], EAX  ; PUNICODE_STRING->MaxLength 
= LEN*2
-----------------------------------------------------------------------------------

As can be seen, the MaximumLength member of the UNICODE_STRING structure 
is calculated based on the length of the OEM string provided (which, by 
the way, has already been multiplied by two).

Finally, the following call to ntdll.RtlOemStringToUnicodeString is made:
--------------------------------------------------------------------------
8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]    ; POEM_STRING
6A 00          PUSH 0                           ; 0 = Do NOT Allocate
50             PUSH EAX
8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]     ; PUNICODE_STRING
50             PUSH EAX
FF15 54103477  CALL ntdll.RtlOemStringToUnicodeString
--------------------------------------------------------------------------

The call to ntdll.RtlOemStringToUnicodeString specifies that the buffer is 
already allocated by the caller. Therefore, this function will simply 
translate the supplied POEM_STRING->Buffer, storing the resulting 
characters in PUNICODE_STRING->Buffer, having done no bound checking.

This introduces the possibility of overflowing the stack space reserved 
for this buffer and gain control of execution modifying the SEH handler.

Impact:
The dhcpcsvc.dll is loaded by services.exe in Windows 2000 and by 
svchost.exe in Windows XP/2003. As both these services run with SYSTEM 
privileges, an exploitation of this issue would allow Remote Code 
Execution as SYSTEM over vulnerable systems.

Solutions:
Microsoft has referred this vulnerability as MS06-036 and developed a 
patch to address it. Users should upgrade their system through Microsoft 
Windows Update facility. More information can be found in Microsoft 
KB914388.

Vendor Response:
* 12/26/2005: Initial Vendor Contact.
* 01/19/2006: Vendor Confirmed Vulnerability.
* 07/11/2006: Vendor Releases Update.
* 07/11/2006: Pre-Advisory Public Disclosure.
* 08/29/2006: Advisory Public Disclosure.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:mnunez@cybsec.com> Mariano 
Nu ez Di Croce.
The original article can be found at:  
<http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_Microsoft_Windows_DHCP_Client_Service_Remote_Buffer_Overflow.pdf>
 
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_Microsoft_Windows_DHCP_Client_Service_Remote_Buffer_Overflow.pdf



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Windows DHCP Client Service Buffer Overflow (MS06-036), SecuriTeam <=
Previous by Date:  [UNIX] phpBannerExchange Unauthorized Password Recovery, SecuriTeam
Next by Date:  [NEWS] SAP-DB/MaxDB WebDBM Buffer Overflow, SecuriTeam
Previous by Thread:  [UNIX] phpBannerExchange Unauthorized Password Recovery, SecuriTeam
Next by Thread:  [NEWS] SAP-DB/MaxDB WebDBM Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]