
List:       bugtraq
Subject:    EEYE: Windows Workstation Service Remote Buffer Overflow
From:       "Derek Soeder" <dsoeder () eeye ! com>
Date:       2003-11-11 20:34:31

Windows Workstation Service Remote Buffer Overflow

Release Date:
November 11, 2003

Date Reported:
September 15, 2003

Severity:
High (Remote Code Execution)

Systems Affected:
Windows 2000
Windows XP

Description:
eEye Digital Security has discovered a remote buffer overflow in the Windows Workstation Service (WKSSVC.DLL). An unauthenticated attacker could exploit this vulnerability to execute arbitrary code with system-level privileges on Windows 2000 and Windows XP machines. The susceptible Workstation functionality is accessible via the WKSSVC named pipe (TCP ports 139 and 445).

This buffer overflow bug is within network management functions provided by the DCE/RPC service. These functions provide the ability to manage user accounts and network resources locally and remotely. Some network management functions generate a debug log file in the "debug" subdirectory located in the Windows directory.

A logging function implemented in WKSSVC.DLL is called to write entries to the log file. In this function, the vsprintf() routine is used to create a log entry. The string arguments for this logging function are supplied as parameters to vsprintf() without any bounds checking, so if we can pass a long string argument to the logging function, then a buffer overflow will occur.

We found some RPC functions which will accept a long string as a parameter, and will attempt to write it to the debug log file. If we specify a long string as a parameter to these RPC functions, a stack-based buffer overflow will happen in the Workstation service on the remote system. Attackers who successfully leverage this vulnerability will be executing code under the SYSTEM context of the remote host.

Technical Description:
The buffer overflow bug is in a logging function which generates a string for the log file using vsprintf(). The name of the log file is "NetSetup.LOG", and it is located in the Windows "debug" directory.

This logging routine is called from some functions which handle commands for the Workstation service, such as "NetValidateName", "NetJoinDomain", etc. In the case of NetValidateName(), the "computer name" specified as the second argument is eventually recorded in the log file.

For example, if we use NetValidateName() API as follows:

    NetValidateName(L"\\\\192.168.0.100", L"AAAAAAAA", NULL, NULL, 0);  /* all string arguments are LPCWSTR */

then we can confirm the following log entry on the remote host "192.168.0.100":

    08/13 13:01:01 NetpValidateName: checking to see if '' is valid as type 0 name
    08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\AAAAAAAA name: 0x57

If we specify a long string as the second argument to the NetValidateName() API, a buffer overflow happens on the specified host if the debug file is writeable.

Generally, the "debug" subdirectory in the Windows directory is not writeable by everyone if the drive is formatted as NTFS, which means that we cannot append to the log using a null session. The WsImpersonateClient() API is called before opening the log file, and if the connected client does not have the privilege to write to the log file, then CreateFile() will fail, and the vulnerable call to vsprintf() is not performed. So, in this case, we can exploit FAT32 systems (which do not support ACLs on directories), or systems where the "%SYSTEMROOT%\debug" directory is writeable by everyone.

However, there are some extended RPC functions implemented in Windows XP which open the logfile before calling WsImpersonateClient(). They are undocumented RPC functions, but we can observe them in the function table in WKSSVC.DLL. The RPC numbers for these extended commands start at 0x1B; for example, function 0x1B invokes the NetpManageComputers() API internally, which does not call WsImpersonateClient() before opening the log file.

The usage of NetpManageComputers() is not published; however, we found the prototype definition of the NetAddAlternateComputerName() API in "LMJoin.h", which calls NetpManageComputers() internally. This API is exported from NETAPI32.DLL. This API is also undocumented. We can generate the packet to execute this RPC function (number 0x1B) using the API as follows:

    NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL,NULL,0);


We do not need special privileges to write the second argument into the log file on the remote host. If we specify a long Unicode string as the second argument ("AlternateName"), the remote system specified in the first argument will crash due to a buffer overflow. The Unicode string "long_unicode_string" will be translated into an ASCII string before the logging function is called.
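As an added example that is not part of the eEye advisory or of WKSSVC.DLL: the bounded counterpart of the vsprintf() logging pattern described above, using vsnprintf() with a fixed capacity, plus a check that reports whether a given computer name would have exceeded that capacity under the unbounded pattern. The buffer size LOG_LINE_MAX, the function names and the exact format string are assumptions modelled on the NetSetup.LOG entry quoted earlier.

```c
/* Added example, not code from the advisory or from WKSSVC.DLL: the bounded
 * counterpart of the vsprintf() pattern.  LOG_LINE_MAX and names are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256   /* assumed capacity of the stack log buffer */
/* Constructed format string, modelled on the NetSetup.LOG entry quoted above. */
static const char *const NAME_ENTRY_FMT =
    "NetpValidateName: '' is not a valid NetBIOS \\\\%s name: 0x57";

/* Bounded replacement for the unbounded vsprintf() call: never writes more than
 * LOG_LINE_MAX bytes into 'out'.  Returns the length the complete entry needs,
 * so the caller can tell that truncation (an overflow, under the old code) hit. */
static int format_log_entry(char out[LOG_LINE_MAX], const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, LOG_LINE_MAX, fmt, ap);
    va_end(ap);
    if (needed < 0) { out[0] = '\0'; return 0; }  /* encoding error: log nothing */
    return needed;
}

/* 1 if logging 'name' would have overrun the buffer under the vsprintf() pattern. */
int name_entry_overflows(const char *name)
{
    char line[LOG_LINE_MAX];
    return format_log_entry(line, NAME_ENTRY_FMT, name) >= LOG_LINE_MAX;
}

/* Same check for a constructed name of n repeated 'A' characters. */
int repeated_name_overflows(size_t n)
{
    char name[2048];
    if (n >= sizeof name) n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return name_entry_overflows(name);
}

/* Bytes actually stored by the bounded call; never reaches LOG_LINE_MAX. */
size_t bounded_entry_length(const char *name)
{
    char line[LOG_LINE_MAX];
    format_log_entry(line, NAME_ENTRY_FMT, name);
    return strlen(line);
}
```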

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for these vulnerabilities.  The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

Credit:
Yuji Ukai

Greetings:
All AD200X attendees, speakers, volunteers, and members.

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

