Title: Microsoft Windows XP WMI/RPC cache Denial of Service vulnerability
Criticality: Medium (2/3)
Affected software: Microsoft Windows XP Operating System
Platforms tested: Windows XP Professional SP1a US, Windows XP Home Edition SP2 SF
Author: Juha-Matti Laurio info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 28th May, 2005
Originally researched: 16th Dec, 2004
Advisory ID: N/A (#5)
Location URL: http://www.networksecurity.fi/advisories/windows-wmi-rpc.html (HTML)
CVE reference: CVE-2005-1792; see cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1792
Overview:
A local vulnerability has been reported in Windows XP which can cause a local Denial of Service (DoS).
Details:
This problem occurs when using a program that handles the Windows Management Instrumentation (WMI) service. The application and the operating system can become unresponsive when the remote procedure call (RPC) cache grows very large and a memory leak occurs. This happens when security contexts are generated at a faster rate than the cache is cleaned up.
Normally the RPC cache is cleaned up at a rate of nine security context entries every 10 seconds.
Finally, the Windows XP workstation must be rebooted to return to a normal state.
Result:
The operating system becomes unresponsive.
In some situations the OS can hang or generate a BSOD (Blue Screen of Death). In that case RPCRT4.DLL is reported on the BSOD dump screen, and the user is informed that the situation occurred due to limitations in the RPC cache handling process.
Affected component: Rpcrt4.dll (Remote Procedure Call Runtime)
Default location: C:\Windows\system32
Rpcrt4.dll library versions prior to 5.1.2600.2575 are affected.
Tested software versions:
Microsoft Windows XP Professional SP1a up-to-date US language version: Rpcrt4.dll 6th March, 2004 5:16:11 v5.1.2600.1361
Microsoft Windows XP Home Edition SP2 SF (Finnish language version): Rpcrt4.dll 6th March, 2004 4:18:39 v5.1.2600.2180
NOTE: Service Pack 2 is affected as well.
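Added example, not part of the advisory: a small Python check that compares an Rpcrt4.dll file version against the fixed build 5.1.2600.2575 named above, plus a Windows-only helper that reads the installed file version through version.dll. It assumes, as the advisory does, the Windows XP 5.1.2600 branch; the tested versions in the assertions are the ones listed above.

```python
import ctypes
import os
import sys

# Fixed Rpcrt4.dll build named in the advisory; anything older on the XP branch is affected.
FIXED_VERSION = "5.1.2600.2575"

def parse_version(text):
    """Turn a dotted file version such as '5.1.2600.1361' (or 'v5.1.2600.1361') into a tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected file version format: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version_text, fixed=FIXED_VERSION):
    """True when the given Rpcrt4.dll file version predates the hotfixed build."""
    return parse_version(version_text) < parse_version(fixed)

class VS_FIXEDFILEINFO(ctypes.Structure):
    # Layout from the Windows SDK (winver.h); only the file-version fields are read here.
    _fields_ = [(name, ctypes.c_uint32) for name in (
        "dwSignature", "dwStrucVersion", "dwFileVersionMS", "dwFileVersionLS",
        "dwProductVersionMS", "dwProductVersionLS", "dwFileFlagsMask", "dwFileFlags",
        "dwFileOS", "dwFileType", "dwFileSubtype", "dwFileDateMS", "dwFileDateLS")]

def installed_file_version(path):
    """Read a PE file's binary file version through version.dll (Windows only)."""
    version = ctypes.windll.version
    size = version.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise OSError(f"no version resource found in {path}")
    buf = ctypes.create_string_buffer(size)
    if not version.GetFileVersionInfoW(path, 0, size, buf):
        raise OSError("GetFileVersionInfoW failed")
    info = ctypes.POINTER(VS_FIXEDFILEINFO)()
    length = ctypes.c_uint32()
    if not version.VerQueryValueW(buf, "\\", ctypes.byref(info), ctypes.byref(length)):
        raise OSError("VerQueryValueW failed")
    ms, ls = info.contents.dwFileVersionMS, info.contents.dwFileVersionLS
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this check on the Windows XP host being assessed")
    # Default location named in the advisory: %SystemRoot%\system32\rpcrt4.dll
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32", "rpcrt4.dll")
    ver = installed_file_version(path)
    print(path, ver, "AFFECTED (apply hotfix 890196)" if is_affected(ver) else "not affected")
```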
Solution:
Apply hotfix 890196 from the vendor by contacting Microsoft Product Support Services.
Users who are using the WMI implementations described earlier, or who experience the problems mentioned, are urged to contact the vendor for information on obtaining an updated library file.
Workaround:
Do not use applications that rely on the WMI implementations described while critical applications and/or unsaved documents are open.
References:
- www.securityfocus.com/bid/13801
- www.securiteam.com/windowsntfocus/5QP0W00G1Q.html
- www.secwatch.org/advisories/1010720/
- www.osvdb.org/displayvuln.php?osvdb_id=13020
- CVE-2005-1792
- support.microsoft.com/kb/890196/EN-US/
Additional references:
- The Microsoft Developer Network (MSDN) / Windows Management Instrumentation
- The MSDN / WMI Reference
Timeline:
16-12-2004 Vulnerability researched
16-12-2004 Security companies contacted. OSVDB ID 13020 is assigned.
28-12-2004 Vendor issues a hotfix. Security companies contacted.
10-01-2005 Some security companies contacted again.
10-01-2005 Security companies asked for additional information.
28-05-2005 More tests done. Security companies and several CERT units contacted.
28-05-2005 Advisory published
29-05-2005 Workaround added to the advisory
29-05-2005 Workaround and link to advisory sent to security companies and several CERT units
30-05-2005 More security companies and CERT units informed
This issue was researched independently internally by Microsoft and by Juha-Matti Laurio.
Revision history:
28-05-2005 1.0: Researcher's advisory published
29-05-2005 1.1: Updated advisory
29-05-2005 1.2: Updated advisory by providing a workaround
30-05-2005 1.3: Updated advisory
02-06-2005 1.4: Updated advisory by adding information about file version in SP2
03-06-2005 1.5: Added CVE reference
09-02-2006 1.6: Added new references, updated advisory
Copyright © Networksecurity.fi and Juha-Matti Laurio 2004 - 2006
Best regards,
Juha-Matti Laurio
IT security researcher
Finland
www.networksecurity.fi