Monday, August 14, 2006

RRAS bug: How can they be so stupid?

If you are reading this then one of two things is true: you're running a patched Windows system or you are not running a Windows system at all. Just in case you are not patched yet, get out of here! Now! Go update!

Well... to begin with let me tell you that this is also a big one. Maybe not as big as MS06-40 but it's big. It has to do with rasmans.dll, a library used by the Routing and Remote Access Service in Windows (2000, 2003, XP). Yet another stack overflow, this time caused by the ability to write arbitrary values to a registry key.

In detail: every time you call a certain RPC function from within that library, which uses registry keys to store information, a new registry key replaces the current (old) one. The problem is that the size of the key's value is unlimited, so you can put in as much data as you want, which results in a stack overflow. The exploit works by calling the function once to set the key to a huge value, then calling it again to have that huge value deleted, which triggers the overflow.
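The defensive side of the sequence just described, as an added example that is not code from the post or from rasmans.dll: a constructed in-memory stand-in for one registry value, with the RPC-reachable setter validating the length at the boundary and the read-back into the fixed stack buffer bounded as well. The buffer size, the function names and the single-key store are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one registry value that an RPC-reachable setter writes and
   that the service later reads back into a fixed stack buffer. Not the Windows
   registry API and not the rasmans.dll code; the size and names are assumptions. */
#define CONSUMER_BUF 64

static char  *g_data = NULL;   /* current stored value, heap-owned */
static size_t g_len  = 0;

void reg_clear(void) { free(g_data); g_data = NULL; g_len = 0; }

/* Bounded read: copies the stored value into dst and returns its length, or -1
   if it does not fit. Refusing beats silent truncation, which can hide tampering. */
int reg_read(char *dst, size_t dst_size) {
    if (dst == NULL || dst_size == 0) return -1;
    if (g_data == NULL) { dst[0] = '\0'; return 0; }
    if (g_len >= dst_size) return -1;        /* no room for value plus terminator */
    memcpy(dst, g_data, g_len + 1);
    return (int)g_len;
}

/* The setter. On every call the previous value is pulled into a local fixed
   buffer before being replaced, which is the step the post says overflows.
   Two checks close it: the new value is rejected at the RPC boundary if it is
   larger than any consumer can hold, so it is never stored, and the read of the
   old value is bounded anyway in case the store was modified by other means. */
bool reg_set(const char *src, size_t len) {
    char previous[CONSUMER_BUF];
    if (src == NULL || len >= CONSUMER_BUF) return false;   /* validate at the boundary */
    if (reg_read(previous, sizeof previous) < 0) return false; /* bounded read of old value */
    char *copy = malloc(len + 1);
    if (copy == NULL) return false;
    memcpy(copy, src, len);
    copy[len] = '\0';
    free(g_data);                /* old value is discarded only after the new one is safe */
    g_data = copy;
    g_len = len;
    return true;
}
```

The point is that data sitting in a registry key writable over RPC is attacker-controlled input, so the length has to be checked both where it is written and where it is consumed.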

How stupid can they be?

What is it with these people?

When releasing services with such a broad range of use it is unforgivable to overlook bugs like this. Or maybe they didn't check their code? I mean Remote Procedure Call, Dynamic Host Control Protocol, Routing and Remote Access, Server Service? These things are automatically deployed in a fresh Windows installation. The user is never asked whether to enable these modules or not. "Windows knows best". Also, people use them because they make life easier, so what happens? Microsoft gives absolutely no control over or knowledge of these issues, leaving huge back doors (they couldn't do it better even if it were intentional).

If I don't know a certain service is active, how can I take it into consideration when securing my system? And if Microsoft keeps that service hidden from me, shouldn't it take care of the security too?

Btw, Microsoft has released patch MS06-36 to address this issue but, as I'm told, the patched code still contains part of the vulnerability. Nice going, guys :P
