The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Windows UMPNPMGR wsprintfW Stack Buffer Overflow (MS05-047)
------------------------------------------------------------------------
SUMMARY
eEye Digital Security has discovered a vulnerability in the Windows Plug
and Play Service that would allow an unprivileged user to execute
arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1
system. On Windows XP SP2, this vulnerability could be exploited by an
unprivileged user to gain full privileges on a system to which he is
logged in interactively.
This vulnerability is unrelated to the MS05-039 Plug and Play
vulnerability, and is not resolved by the MS05-039 hotfix. We reported
this vulnerability to Microsoft roughly a week before the MS05-039 patch
was released, but they neglected to address the vulnerability in spite of
our warnings. However, generic security measures instituted in the patch
now prevent its anonymous exploitation, making the eminent threat an
internal attack or mass compromise in a domain setting.
DETAILS
UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which provides
an RPC interface for accessing device management and notification
functionality. The service is default on Windows NT 4.0 and later, and in
fact, support for it is hard-coded into the Service Control Manager in
SERVICES.EXE. Due to its central importance, the service cannot be stopped
once started, and attempting to disable it runs a high risk of rendering
the system unusable.
The code for UMPNPMGR contains a number of calls to wsprintfW to construct
various formatted strings in stack buffers, and in two cases the user
input is only validated by whether or not it corresponds to an existent
subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Although this
registry branch is protected from unprivileged modification, the
assumption that any valid key name is safe can nevertheless be
circumvented by supplying arbitrary lengths of consecutive backslashes;
for example, "HTREE\ROOT\\\\0\\\\\\\\".
The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize
(opnum 11), on the UMPNPMGR interface
{8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability.
For the former, any valid subkey name may be passed in order to reach a
vulnerable wsprintfW call, whereas the latter must receive a key name with
an empty second (e.g., "HTREE\\ROOT\0") or third ("HTREE\ROOT\\0")
component in order to reach a vulnerable wsprintfW call within
GetDeviceInstanceListSize, due to the way SplitDeviceInstanceString
tokenizes the string.
On Windows 2000 and earlier, the UMPNPMGR interface may be reached without
authentication via the \PIPE\browser, \PIPE\srvsvc, and \PIPE\wkssvc named
pipe RPC endpoints. Windows XP and later has migrated many services into
host processes, so the few named-pipe endpoints over which UMPNPMGR may be
reached (e.g., \PIPE\ntsvcs and \PIPE\scerpc) require authentication.
This vulnerability was fixed in Windows 2003 by replacing the unsafe
wsprintfW calls with calls to _vsnwprintf; why this security fix was not
ported to any other operating system is unclear.
Vendor Status:
For Windows 2000 and XP customers, Microsoft has released a patch for this
vulnerability. The patch is available at:
<http://www.microsoft.com/technet/security/Bulletin/MS05-047.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS05-047.mspx
Microsoft will not be releasing a public Windows NT 4.0 patch due to the
platform's non-supported status.
ADDITIONAL INFORMATION
The information has been provided by <mailto:Advisories@eeye.com> eEye.
The original article can be found at:
<http://www.eeye.com/html/research/advisories/AD20051011c.html>
http://www.eeye.com/html/research/advisories/AD20051011c.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
