[ISN] EEYE: Windows Workstation Service Remote Buffer Overflow

From: InfoSec News (isn@private)
Date: Wed Nov 12 2003 - 04:15:52 PST

    Forwarded from: "Derek Soeder" <dsoeder@private>
    
    Windows Workstation Service Remote Buffer Overflow
    
    Release Date:
    November 11, 2003
    
    Date Reported:
    September 15, 2003
    
    Severity:
    High (Remote Code Execution)
    
    Systems Affected:
    Windows 2000
    Windows XP
    
    Description:
    eEye Digital Security has discovered a remote buffer overflow in the
    Windows Workstation Service (WKSSVC.DLL). An unauthenticated attacker
    could exploit this vulnerability to execute arbitrary code with
    system-level privileges on Windows 2000 and Windows XP machines. The
    susceptible Workstation functionality is accessible via the WKSSVC
    named pipe (TCP ports 139 and 445).
    
    This buffer overflow bug is within network management functions
    provided by the DCE/RPC service. These functions provide the ability
    to manage user accounts and network resources locally and remotely.
    Some network management functions generate a debug log file in the
    "debug" subdirectory located in the Windows directory.
    
    A logging function implemented in WKSSVC.DLL is called to write
    entries to the log file.  In this function, the vsprintf() routine is
    used to create a log entry.  The string arguments for this logging
    function are supplied as parameters to vsprintf() without any bounds
    checking, so if we can pass a long string argument to the logging
    function, then a buffer overflow will occur.
    
    We found some RPC functions which will accept a long string as a
    parameter, and will attempt to write it to the debug log file.  If we
    specify a long string as a parameter to these RPC functions, a
    stack-based buffer overflow will happen in the Workstation service on
    the remote system. Attackers who successfully leverage this
    vulnerability will be executing code under the SYSTEM context of the
    remote host.
    
    Technical Description:
    The buffer overflow bug is in a logging function which generates a
    string for the log file using vsprintf().  The name of the log file is
    "NetSetup.LOG", and it is located in the Windows "debug" directory.
    
    This logging routine is called from some functions which handle
    commands for the Workstation service, such as "NetValidateName",
    "NetJoinDomain", etc.  In the case of NetValidateName(), the "computer
    name" specified as the second argument is eventually recorded in the
    log file.
    
    For example, if we call the NetValidateName() API as follows:
    
        NetValidateName(L"\\\\192.168.0.100","AAAAAAAA",NULL,NULL,0);
    
    then we can confirm the following log entries on the remote host
    "192.168.0.100":
    
        08/13 13:01:01 NetpValidateName: checking to see if '' is valid as type 0 name
        08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\AAAAAAAA name: 0x57
    
    If we specify a long string as the second argument to the
    NetValidateName() API, a buffer overflow happens on the specified host
    if the debug file is writeable.
    
    Generally, the "debug" subdirectory in the Windows directory is not
    writeable by everyone if the drive is formatted as NTFS, which means
    that we cannot append to the log using a null session.  The
    WsImpersonateClient() API is called before opening the log file, and
    if the connected client does not have the privilege to write to the
    log file, then CreateFile() will fail, and the vulnerable call to
    vsprintf() is not performed.  So, in this case, we can exploit FAT32
    systems (which do not support ACLs on directories), or systems where
    the "%SYSTEMROOT%\debug" directory is writeable by everyone.
    
    However, there are some extended RPC functions implemented in Windows
    XP which open the logfile before calling WsImpersonateClient().  They
    are undocumented RPC functions, but we can observe them in the
    function table in WKSSVC.DLL.  The RPC numbers for these extended
    commands start at 0x1B; for example, function 0x1B invokes the
    NetpManageComputers() API internally, which does not call
    WsImpersonateClient() before opening the log file.
    
    The usage of NetpManageComputers() is not published; however, we found
    the prototype definition of the NetAddAlternateComputerName() API in
    "LMJoin.h", which calls NetpManageComputers() internally.  This API is
    exported from NETAPI32.DLL, but it is also undocumented.  We can
    generate the packet to execute this RPC function (number 0x1B) using
    the API as follows:
    
        NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL,NULL,0);
    
    We do not need special privileges to write the second argument into
    the log file on the remote host.  If we specify a long Unicode string
    as the second argument ("AlternateName"), the remote system specified
    in the first argument will crash due to a buffer overflow.  The
    Unicode string "long_unicode_string" will be translated into an ASCII
    string before the logging function is called.
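    The following is an added illustration, not eEye's or Microsoft's code,
    of the two points the advisory makes about the logging routine: a
    vsprintf()-based logger writes however many bytes the client-supplied
    name produces into a fixed stack buffer, and the bound that matters is
    the length after the Unicode-to-ASCII translation, not the wide-string
    length the caller sees.  The log-line format is copied from the
    NetSetup.LOG entries above; the 256-byte buffer size, the narrow_name()
    translation step and all function names are assumptions made for the
    example.  The unbounded case is measured with vsnprintf(NULL, 0, ...)
    rather than performed, so the program itself never overflows.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define LOG_LINE_MAX 256   /* assumed size of the fixed log-line buffer */

/* Constructed format mirroring the NetSetup.LOG entry quoted in the advisory. */
static const char *const VALIDATE_FMT =
    "NetpValidateName: '' is not a valid NetBIOS \\\\%s name: 0x%x";

/* Stand-in for the Unicode-to-ASCII translation: one narrow byte per wide
 * character, non-ASCII mapped to '?'.  Returns the narrow length. */
static size_t narrow_name(const wchar_t *wide, char *out, size_t cap)
{
    size_t i = 0;
    for (; wide[i] != L'\0' && i + 1 < cap; i++)
        out[i] = ((unsigned long)wide[i] < 0x80UL) ? (char)wide[i] : '?';
    out[i] = '\0';
    return i;
}

/* Number of bytes vsprintf() would emit for this entry, NUL excluded.  The
 * unbounded logger writes all of them, whatever the destination size. */
static int unbounded_output_length(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened logger: never writes past buf[cap-1].  Returns 1 when the entry
 * had to be truncated (caller can reject or flag it), 0 otherwise. */
static int log_entry_bounded(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0) { buf[0] = '\0'; return 1; }
    return (size_t)n >= cap;
}

/* Would an unbounded vsprintf() of this client-supplied name overflow a
 * buffer of `cap` bytes?  1 = yes, 0 = no. */
int unbounded_would_overflow(const wchar_t *name, size_t cap)
{
    char narrow[4096];
    narrow_name(name, narrow, sizeof narrow);
    int n = unbounded_output_length(VALIDATE_FMT, narrow, 0x57);
    return (n + 1) > (int)cap;   /* +1 for the terminating NUL */
}

/* Bounded version of the same log write.  Returns 1 if truncated, 0 if not. */
int log_validate_name(const wchar_t *name, char *line, size_t cap)
{
    char narrow[4096];
    narrow_name(name, narrow, sizeof narrow);
    return log_entry_bounded(line, cap, VALIDATE_FMT, narrow, 0x57);
}

/* Helper for building a constructed long name: `count` copies of `c`. */
void fill_wide(wchar_t *out, size_t count, wchar_t c)
{
    size_t i;
    for (i = 0; i < count; i++) out[i] = c;
    out[count] = L'\0';
}

int main(void)
{
    char line[LOG_LINE_MAX];
    wchar_t longname[1024];
    fill_wide(longname, 1023, L'A');   /* constructed oversized "computer name" */

    printf("short name truncated: %d\n", log_validate_name(L"AAAAAAAA", line, sizeof line));
    printf("  %s\n", line);
    printf("long name overflows unbounded logger: %d\n",
           unbounded_would_overflow(longname, sizeof line));
    printf("long name truncated by bounded logger: %d\n",
           log_validate_name(longname, line, sizeof line));
    return 0;
}
```

    The bounded logger also surfaces a second design point from the
    advisory: because the overflowing data is a client-controlled RPC
    argument, the caller should treat a truncated entry as a signal to
    reject the request, not merely as a cosmetic loss of log text.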
    
    Protection:
    Retina Network Security Scanner has been updated to identify this vulnerability.
    
    Vendor Status:
    Microsoft has released a patch for these vulnerabilities.  The patch is available at:
    http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
    
    Credit:
    Yuji Ukai
    
    Greetings:
    All AD200X attendees, speakers, volunteers, and members.
    
    Related Links:
    Retina Network Security Scanner - Free 15 Day Trial
    http://www.eeye.com/html/Products/Retina/index.html
    
    Copyright (c) 1998-2003 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please e-mail
    alert@private for permission.
    
    Disclaimer
    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.
    
    Feedback
    Please send suggestions, updates, and comments to:
    
    eEye Digital Security
    http://www.eEye.com
    info@private
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 12 2003 - 08:16:54 PST