The Windows server RPC vulnerability that caused so much consternation this spring was so easily exploitable because the vulnerable RPC interface was accessible anonymously, according to an analysis of the DNS RPC flaw that Microsoft SDL guru Michael Howard posted Thursday. The vulnerability, which affects Windows 2000 and Windows Server 2003, is a buffer overflow, and security researchers said shortly after it was disclosed that exploiting it would be trivial for most attackers. What is interesting is that, as a result of the mess caused by the Blaster worm, which exploited a separate RPC vulnerability, Microsoft began restricting anonymous remote access to RPC interfaces. XP SP2 was the first version of Windows to ship with this restriction enabled by default, and all subsequent versions have it as well, including the forthcoming Windows Server 2008, aka Longhorn.
In his detailed analysis of the vulnerability, Howard points out that because Windows 2000 predates the introduction of the Security Development Lifecycle, it does not include any built-in protections against this kind of buffer overflow. Windows Server 2003, however, did go through the SDL process, yet the flaw found its way into the code anyway. Howard points to two main reasons for this:
- The static analysis tools Microsoft used to analyze the code were not designed to look for the specific kind of construct that is vulnerable.
- The fuzzer used on the Windows Server 2003 code “didn’t discover this vulnerability because previously our process did not include tooling to verify whether an RPC end-point is authenticated or not. It’s important to understand that given a set of interfaces into a system, analysis and testing is prioritized based on accessibility. For example, a remotely and anonymously accessible network interface will get much more scrutiny than a local-admin-only interface.”
Another contributing factor is that the firewall included in Windows Server 2003 is not enabled by default. “There is a lot to learn from the DNS RPC vulnerability. As an outcome of this vulnerability, we are more carefully scrubbing all RPC end-points to verify whether they should really be anonymously accessible. We have also updated our fuzzers to add more context-centric test cases and these updates are now in use. Our static analysis tools will be updated to accommodate more variable-length array variants,” Howard writes.
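The two host-side conditions the article singles out, anonymous remote RPC access and a disabled firewall, can be checked from an administrator's PowerShell session. The script below is an added example, not code from the article or from Microsoft. It assumes the registry locations documented for the RestrictRemoteClients RPC policy and for the legacy Windows Firewall profile switch, and it treats an absent RestrictRemoteClients value as the Windows Server 2003 default of 0 (anonymous remote callers allowed); those two assumptions are marked in the comments.

```powershell
# Added example (not from the article or Microsoft): report whether this host still
# allows anonymous remote RPC calls and whether the built-in firewall profiles are on.
# Runs on Windows Server 2003 with PowerShell installed, or on any later Windows.

# Assumption: documented policy location for the RPC RestrictRemoteClients setting.
$rpcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
# Assumption: documented location of the legacy (XP SP2 / Server 2003) firewall profiles.
$fwBase    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RpcRestrictRemoteClients {
    # 0 = anonymous remote callers allowed (RPC_RESTRICT_REMOTE_CLIENT_NONE)
    # 1 = authenticated callers only, interfaces may register themselves as exempt (XP SP2 default)
    # 2 = authenticated callers only, no exemptions (RPC_RESTRICT_REMOTE_CLIENT_HIGH)
    $value = (Get-ItemProperty -Path $rpcPolicy -Name RestrictRemoteClients `
                -ErrorAction SilentlyContinue).RestrictRemoteClients
    if ($null -eq $value) {
        # Assumption: no policy present means the Server 2003 default of 0.
        return 0
    }
    return [int]$value
}

function Get-FirewallProfileState {
    param([ValidateSet('DomainProfile','StandardProfile')][string]$Profile)
    $value = (Get-ItemProperty -Path "$fwBase\$Profile" -Name EnableFirewall `
                -ErrorAction SilentlyContinue).EnableFirewall
    # A missing value is reported as "off", which is the Server 2003 default the article describes.
    if ($null -eq $value) { return $false }
    return ([int]$value -ne 0)
}

$findings = @()

$restrict = Get-RpcRestrictRemoteClients
if ($restrict -eq 0) {
    $findings += 'RPC: RestrictRemoteClients is 0; RPC interfaces that do not enforce their own ' +
                 'authentication are reachable by anyone who can reach the port.'
} elseif ($restrict -eq 1) {
    $findings += 'RPC: RestrictRemoteClients is 1; interfaces that register themselves as exempt ' +
                 'may still accept anonymous remote callers.'
}

foreach ($profile in 'DomainProfile','StandardProfile') {
    if (-not (Get-FirewallProfileState -Profile $profile)) {
        $findings += "Firewall: $profile is off; the endpoint mapper (135/tcp) and dynamic RPC ports are exposed."
    }
}

if ($findings.Count -eq 0) {
    'No findings: remote RPC requires authentication and both firewall profiles are enabled.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The check is a triage aid, not proof that a given interface is safe: the DNS RPC interface was reachable anonymously because the interface itself did not require authentication, so a clean result here should be followed by enumerating the RPC endpoints the host actually exposes and confirming which of them accept an unauthenticated bind.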