DCOM Client May Put Memory on the Wire (300367)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q300367
SYMPTOMS
A Microsoft client application that uses a COM+ DLL on a remote computer may leak memory from the client computer onto the network. The particular information that would be put on the network would depend on what applications were running, what data they stored, and what memory was leaked. However, it is possible to expose sensitive information.
In some cases, the Distributed Component Object Model (DCOM) client will stop working correctly and generate an error message. However, this is not true in all cases. It is possible for the problem to occur with no indication to the user. Customers may therefore wish to install the patch even if they do not see errors.
In the case where the DCOM client generates an error message, the text will vary depending on the language. For instance, a Visual Basic program could generate the following error message:
Run-time error '-2147023170 (800706be)': Automation error. The remote procedure call failed.
Although the problem can occur on any Windows 2000 service pack, it is most likely to occur when the client has Service Pack 2 installed. It is also more likely to occur if the data value of the MaxTokenSize registry entry on the client computer has been increased above 0x10000.
CAUSE
When a DCOM client needs to request a service from a server, it first establishes a connection with the server, then specifies the Remote Procedure Call (RPC) interface that it needs to use by using a "bind" request. If the client later needs to use a different RPC service from the same server, it can do so by using an "alter context" request. It is not necessary for it to establish a new connection with the server.
Because there is a flaw in how "alter context" requests are made, memory from the client can be appended to the expected data in the request. In most cases, the server ignores the extra data and does not cause functionality problems. In other cases, the additional memory can cause an error of the type discussed in the Symptoms section. You cannot trigger the problem remotely; that is, an attacker cannot force a user to start a DCOM session. Likewise, there is no way to control which segment of memory would be leaked onto the network.
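The following check is an added example, not code from Microsoft or from this article: it parses a captured DCE/RPC "alter context" PDU and counts the bytes that none of the PDU's declared fields account for. It assumes that the appended client memory appears on the wire as such surplus bytes (the article does not describe the layout); the function names and the sample PDU are constructed for illustration.

```python
import struct

ALTER_CONTEXT = 14   # ptype of an alter_context PDU (connection-oriented DCE/RPC)
SYNTAX_LEN = 20      # one syntax identifier: 16-byte UUID + 4-byte version

def unaccounted_bytes(pdu: bytes):
    """Count bytes in an alter_context PDU that no declared field covers.

    Returns None when the buffer is not one complete, well-formed alter_context PDU.
    """
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != ALTER_CONTEXT:
        return None
    order = "<" if pdu[4] >> 4 == 1 else ">"       # packed_drep: integer byte order
    frag_len, auth_len = struct.unpack_from(order + "HH", pdu, 8)
    if frag_len != len(pdu):
        return None
    off = 28                     # 16 common header + 8 bind fields + 4 list header
    for _ in range(pdu[24]):     # n_context_elem
        if off + 4 > frag_len:
            return None
        off += 4 + SYNTAX_LEN * (1 + pdu[off + 2])   # abstract + n_transfer_syn
    body_end = frag_len
    if auth_len:                 # auth verifier is located from the end of the fragment
        trailer = frag_len - auth_len - 8
        if trailer < off:
            return None
        body_end = trailer - pdu[trailer + 2]        # minus auth_pad_length
    return body_end - off if body_end >= off else None

def sample_pdu(extra: bytes = b"", token: bytes = b"") -> bytes:
    """Constructed little-endian alter_context PDU with one context element."""
    ctx = struct.pack("<BBH", 1, 0, 0)                          # list header
    ctx += struct.pack("<HBB", 0, 1, 0) + bytes(2 * SYNTAX_LEN) # placeholder syntaxes
    auth = struct.pack("<BBBBI", 10, 6, 0, 0, 0) + token if token else b""
    body = struct.pack("<HHI", 4280, 4280, 0) + ctx + extra + auth
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ALTER_CONTEXT, 3, b"\x10\0\0\0",
                      16 + len(body), len(token), 1)
    return hdr + body

if __name__ == "__main__":
    for label, pdu in [("clean", sample_pdu()),
                       ("surplus", sample_pdu(extra=b"\xAA" * 37, token=b"T" * 16))]:
        print(label, unaccounted_bytes(pdu))
```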
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
--------------------------------------------------------
7/17/2001 00:01 5.0.2195.3761 940,304 Ole32.dll
7/17/2001 00:01 5.0.2195.3865 427,792 Rpcrt4.dll
7/17/2001 00:01 5.0.2195.3857 185,104 Rpcss.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix kbnetwork kbWin2000PreSP3Fix kbWin2000sp3fix KB300367