Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability
Release Date:
October 11, 2005
Date Reported:
August 3, 2005
Severity:
High (Remote Code Execution with Authentication)
Medium (Privilege Escalation to SYSTEM)
Vendor:
Microsoft
Systems Affected:
Windows NT 4.0
Windows 2000
Windows XP
eEye ID #: EEYEB20050803
OSVDB #: 18830
CVE #: CAN-2005-2120
Overview:
eEye Digital Security has discovered a vulnerability in the Windows Plug
and Play Service that would allow an unprivileged user to execute
arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1
system. On Windows XP SP2, this vulnerability could be exploited by an
unprivileged user to gain full privileges on a system to which he is
logged in interactively.
This vulnerability is unrelated to the MS05-039 Plug and Play
vulnerability, and is not resolved by the MS05-039 hotfix. We reported
this vulnerability to Microsoft roughly a week before the MS05-039 patch
was released, but they neglected to address the vulnerability in spite
of our warnings. However, generic security measures instituted in the
patch now prevent its anonymous exploitation, making the eminent threat
an internal attack or mass compromise in a domain setting.
Technical Details:
UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which
provides an RPC interface for accessing device management and
notification functionality. The service is default on Windows NT 4.0
and later, and in fact, support for it is hard-coded into the Service
Control Manager in SERVICES.EXE. Due to its central importance, the
service cannot be stopped once started, and attempting to disable it
runs a high risk of rendering the system unusable.
The code for UMPNPMGR contains a number of calls to wsprintfW to
construct various formatted strings in stack buffers, and in two cases
the user input is only validated by whether or not it corresponds to an
existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum.
Although this registry branch is protected from unprivileged
modification, the assumption that any valid key name is safe can
nevertheless be circumvented by supplying arbitrary lengths of
consecutive backslashes; for example, "HTREE\ROOT\\\\0\\\\\\\\".
The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize
(opnum 11), on the UMPNPMGR interface
{8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability.
For the former, any valid subkey name may be passed in order to reach a
vulnerable wsprintfW call, whereas the latter must receive a key name
with an empty second (e.g., "HTREE\\ROOT\0") or third ("HTREE\ROOT\\0")
component in order to reach a vulnerable wsprintfW call within
GetDeviceInstanceListSize, due to the way SplitDeviceInstanceString
tokenizes the string.
On Windows 2000 and earlier, the UMPNPMGR interface may be reached
without authentication via the \PIPE\browser, \PIPE\srvsvc, and
\PIPE\wkssvc named pipe RPC endpoints. Windows XP and later has
migrated many services into host processes, so the few named-pipe
endpoints over which UMPNPMGR may be reached (e.g., \PIPE\ntsvcs and
\PIPE\scerpc) require authentication.
This vulnerability was fixed in Windows 2003 by replacing the unsafe
wsprintfW calls with calls to _vsnwprintf; why this security fix was not
ported to any other operating system is unclear.
Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina
Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink
Vendor Status:
For Windows 2000 and XP customers, Microsoft has released a patch for
this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/Bulletin/MS05-047.mspx
Microsoft will not be releasing a public Windows NT 4.0 patch due to the
platform's non-supported status. eEye customers with Blink installed on
NT 4.0 systems are protected from these attacks regardless of patch
level, with zero impact to system or application functionality.
Credit:
Derek Soeder
Greetings:
Neel, for the better find. =] Dale, BK, DA, Dr. Claw, F2, JE, RH, NR,
YW. F&MQB. Jussi, Solar, the DC staff, and the Samoan Shellcoder.
Mike Reavey, Jason Garms, and Writing Secure Code, 3rd Edition.
Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@private for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the
user's own risk.
This archive was generated by hypermail 2.1.3 : Tue Oct 11 2005 - 17:29:48 PDT