Tried, Tested and Proven

Security Advisory 06 – 001 – Remotely Exploitable Heap Overflow

Vulnerable System:

NetIQ Endpoint

Vulnerability discovery and development:

Dave Armstrong Research and POC by: Mudit Sharma

Affected Systems:

Microsoft Windows NT Workstation 4.0

Microsoft Windows NT Server 4.0

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003

Details:

A vulnerability in the NetIQ endpoint has been discovered which can be triggered by sending a request larger than 3500 bytes to the listening service, by default TCP 10115. A request larger than 3500 bytes triggers a memcpy call which in turn causes an exception within RtlFreeHeap.

By controlling the values of the registers eax and ecx, it is possible to write an arbitrary dword to an arbitrary memory address.

mov [ecx], eax

mov [eax+8], ecx

This vulnerability can be exploited to execute arbitrary code through a number of means, including the unhandledexceptionfilter or a PEB locking pointer.

Impact:

As the Endpoint typically runs as SYSTEM within the Windows environment successfully exploitation of this issue leads to the complete compromise of the vulnerable host.

Exploit:

Portcullis have developed reliable Proof of Concept code for this issue, however this will not be released to the public.

Vendor Status:

NetIQ informed via email on 17 February 2006

NetIQ informed via email on 22 February 2006

NetIQ informed via email on 28 February 2006

NetIQ RESPONSE via email on 28 February 2006

Multiple emails between Portcullis and NetIQ resulting in NetIQ issuing a patch May 2006

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.