Malformed DHCPv6 packets cause RPC to become unresponsive

by Thomas Unterleitner

There is a vulnerability in the part of RPC processing DHCPv6. The failure results because of incorrect handling of malformed messages. On July 28, 2011, this vulnerability was confirmed and reported by Microsoft.

To exploit this vulnerability, an attacker would need to intercept DHCPv6 traffic. Once a DHCPv6 Request has been intercepted, the corresponding Reply would have to be modified to contain the malformed Domain Search List option. On reception of this malformed packet, RPC on the remote machine would fail. Exploiting this vulnerability would cause the RPC service to fail, losing any RPC-based services, as well as the potential loss of some COM functions.

Failing RPC calls might interfere with the following:

– network connectivity (no IP address acquired, no IP address release/renew, …)

– applications using COM/DCOM interfaces

– machine’s sound system
The error has been found to occur on reception of DHCPv6 Reply (message type 7) packets, containing the option “Domain Search List” (option type 24) with an empty domain.

Affected Systems

Using the sample DHCPv6, it was possible to verify this issue on the following operating systems and configurations:

*       Microsoft Windows 7 Ultimate SP1 32 bit & 64 bit
It is very likely that other versions of Windows 7 (and maybe earlier) are affected by this issue.

Impact

1.      Reception of a “malformed” DHCPv6 Reply packet causes critical error 0xc0000374 within rpcrt4, leaving the RPC server to become unavailable.

a.) ipconfig /release <adapter_name> reporting: An error occurred while releasing interface <adapter_name>: The RPC server is unavailable.

This enables e.g. rouge DHCP servers to prevent other machines from connecting to a network.

Acknowledgments

This vulnerability was discovered by Michael Burgbacher and Thomas Unterleitner on behalf of Barracuda Networks AG. The complete advisory is available here.