List: bugtraq
Subject: EEYE: Windows Workstation Service Remote Buffer Overflow
From: "Derek Soeder" <dsoeder () eeye ! com>
Date: 2003-11-11 20:34:31
Windows Workstation Service Remote Buffer Overflow
Release Date:
November 11, 2003
Date Reported:
September 15, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Windows 2000
Windows XP
Description:
eEye Digital Security has discovered a remote buffer overflow in the Windows Workstation Service (WKSSVC.DLL). An unauthenticated attacker could exploit this vulnerability to execute arbitrary code with system-level privileges on Windows 2000 and Windows XP machines. The susceptible Workstation functionality is accessible via the WKSSVC named pipe (TCP ports 139 and 445).
This buffer overflow bug is within network management functions provided by the DCE/RPC service. These functions provide the ability to manage user accounts and network resources locally and remotely. Some network management functions generate a debug log file in the "debug" subdirectory located in the Windows directory.
A logging function implemented in WKSSVC.DLL is called to write entries to the log file. In this function, the vsprintf() routine is used to create a log entry. The string arguments for this logging function are supplied as parameters to vsprintf() without any bounds checking, so if we can pass a long string argument to the logging function, then a buffer overflow will occur.
We found some RPC functions which will accept a long string as a parameter, and will attempt to write it to the debug log file. If we specify a long string as a parameter to these RPC functions, a stack-based buffer overflow will happen in the Workstation service on the remote system. Attackers who successfully leverage this vulnerability will be executing code under the SYSTEM context of the remote host.
Technical Description:
The buffer overflow bug is in a logging function which generates a string for the log file using vsprintf(). The name of the log file is "NetSetup.LOG", and it is located in the Windows "debug" directory.
This logging routine is called from some functions which handle commands for the Workstation service, such as "NetValidateName", "NetJoinDomain", etc. In the case of NetValidateName(), the "computer name" specified as the second argument is eventually recorded in the log file.
For example, if we use NetValidateName() API as follows:
NetValidateName(L"\\\\192.168.0.100", L"AAAAAAAA", NULL, NULL, 0);
then we can confirm the following log entry on the remote host "192.168.0.100":
08/13 13:01:01 NetpValidateName: checking to see if '' is valid as type 0 name
08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\AAAAAAAA name: 0x57
If we specify a long string as the second argument to the NetValidateName() API, a buffer overflow happens on the specified host if the debug file is writeable.
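The following is an added illustration, not eEye's or Microsoft's code: a log-entry formatter in the shape the advisory describes, built on vsnprintf() instead of vsprintf() so that a long caller-supplied name is truncated and reported rather than overrunning the buffer. The buffer size, function names and log format are assumptions; the NetpValidateName entry format mirrors the log line quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_LINE_MAX 256            /* assumed fixed-size line buffer */
char g_line[LOG_LINE_MAX];          /* stands in for the log entry buffer */

/* Vulnerable shape: vsprintf(buf, fmt, ap) into char buf[LOG_LINE_MAX] has
 * no length limit, so a long caller-supplied %s argument runs past buf.
 * Hardened shape below: vsnprintf() bounds the write, always NUL-terminates,
 * and truncation is reported instead of hidden. Returns characters stored,
 * or -1 on a format error. */
int format_log_entry(char *out, size_t out_len, int *truncated,
                     const char *fmt, ...)
{
    va_list ap; int n;
    if (out_len == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return -1; }
    *truncated = ((size_t)n >= out_len);
    return *truncated ? (int)(out_len - 1) : n;
}

/* Mirrors the NetpValidateName entry in the advisory: the untrusted name
 * is a %s argument, never part of the format string. Returns the entry
 * length, or -2 if the name did not fit and the entry was truncated. */
int log_validate_name(const char *name, int type)
{
    int truncated = 0;
    int len = format_log_entry(g_line, sizeof g_line, &truncated,
        "NetpValidateName: checking to see if '%s' is valid as type %d name",
        name, type);
    return truncated ? -2 : len;
}

/* Feeds a constructed name of name_len 'A's through the bounded logger
 * and reports whether the oversized input was contained. */
int overflow_attempt_is_contained(size_t name_len)
{
    char *name = malloc(name_len + 1);
    int ok;
    if (!name) return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    ok = (log_validate_name(name, 0) == -2) && (strlen(g_line) == LOG_LINE_MAX - 1);
    free(name);
    return ok;
}
```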
Generally, the "debug" subdirectory in the Windows directory is not writeable by everyone if the drive is formatted as NTFS, which means that we cannot append to the log using a null session. The WsImpersonateClient() API is called before opening the log file, and if the connected client does not have the privilege to write to the log file, then CreateFile() will fail, and the vulnerable call to vsprintf() is not performed. So, in this case, we can exploit FAT32 systems (which do not support ACLs on directories), or systems where the "%SYSTEMROOT%\debug" directory is writeable by everyone.
However, there are some extended RPC functions implemented in Windows XP which open the logfile before calling WsImpersonateClient(). They are undocumented RPC functions, but we can observe them in the function table in WKSSVC.DLL. The RPC numbers for these extended commands start at 0x1B; for example, function 0x1B invokes the NetpManageComputers() API internally, which does not call WsImpersonateClient() before opening the log file.
The usage of NetpManageComputers() is not published; however, we found the prototype definition of the NetAddAlternateComputerName() API in "LMJoin.h", which calls NetpManageComputers() internally. This API is exported from NETAPI32.DLL. This API is also undocumented. We can generate the packet to execute this RPC function (number 0x1B) using the API as follows:
NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL,NULL,0);
We do not need special privileges to write the second argument into the log file on the remote host. If we specify a long Unicode string as the second argument ("AlternateName"), the remote system specified in the first argument will crash due to a buffer overflow. The Unicode string "long_unicode_string" will be translated into an ASCII string before the logging function is called.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Vendor Status:
Microsoft has released a patch for these vulnerabilities. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
Credit:
Yuji Ukai
Greetings:
All AD200X attendees, speakers, volunteers, and members.
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html
Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com