Security Advisory 06 – 001 – Remotely Exploitable Heap Overflow
Vulnerability discovery and development: Dave Armstrong
Research and POC by: Mudit Sharma
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
A vulnerability in the NetIQ endpoint has been discovered which can be triggered by sending a request larger than 3500 bytes to the listening service, by default TCP port 10115. A request larger than 3500 bytes triggers a memcpy call, which in turn causes an exception within RtlFreeHeap.
By controlling the values of the registers eax and ecx, it is possible to write an arbitrary dword to an arbitrary memory address.
mov [ecx], eax
mov [eax+8], ecx
This vulnerability can be exploited to execute arbitrary code through a number of means, including the unhandledexceptionfilter or a PEB locking pointer.
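The two stores quoted above are the pointer writes of a doubly-linked free-list unlink. The following C model, added here and not code from Portcullis or NetIQ, shows why they become an arbitrary write once an overflow has overwritten an entry's Flink/Blink pair, and shows the consistency check (safe unlinking) that rejects such an entry instead of writing through it. The structure is a simplified model rather than the real RtlFreeHeap layout, and the list, decoy and function names are constructed for the illustration.

```c
/* Simplified free-list entry: only the Flink/Blink pair the unlink writes
 * through is modelled, not the real RtlFreeHeap layout (assumption). */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* Unchecked unlink. With flink/blink overwritten by an overflow, these two
 * stores become the arbitrary-dword write the advisory describes. */
static void unlink_unchecked(list_entry *e)
{
    e->blink->flink = e->flink;   /* mov [ecx], eax   */
    e->flink->blink = e->blink;   /* mov [eax+8], ecx */
}

/* Safe unlinking: refuse unless both neighbours still point back at e.
 * Returns 1 on success, 0 when the pair is inconsistent (corruption). */
static int unlink_safe(list_entry *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 1;
}

/* Constructed scenario: circular list head<->a<->b. With corrupt_a set, a's
 * pointers are overwritten as an overflow would leave them, aimed at a decoy
 * struct that stands in for an attacker-chosen address. */
static list_entry head, a, b, decoy;
static void build_list(int corrupt_a)
{
    head.flink = &a; a.blink = &head;
    a.flink = &b;    b.blink = &a;
    b.flink = &head; head.blink = &b;
    decoy.flink = decoy.blink = 0;
    if (corrupt_a)
        a.flink = a.blink = &decoy;  /* both "registers" now attacker-chosen */
}

/* 1 if safe unlinking rejects the corrupted entry (decoy untouched) yet still
 * unlinks a from an intact list; unlink_unchecked is kept above only to show
 * the contrast and is never run on the corrupted entry here. */
int safe_unlink_blocks_corruption(void)
{
    build_list(1);
    int blocked = unlink_safe(&a) == 0 && decoy.flink == 0 && decoy.blink == 0;
    build_list(0);
    return blocked && unlink_safe(&a) == 1 && head.flink == &b && b.blink == &head;
}
```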
As the Endpoint typically runs as SYSTEM within the Windows environment, successful exploitation of this issue leads to the complete compromise of the vulnerable host.
Portcullis have developed reliable Proof of Concept code for this issue; however, this will not be released to the public.
NetIQ informed via email on 17 February 2006
NetIQ informed via email on 22 February 2006
NetIQ informed via email on 28 February 2006
NetIQ RESPONSE via email on 28 February 2006
Multiple emails between Portcullis and NetIQ resulting in NetIQ issuing a patch May 2006