Advisories
Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability
Release Date:
October 11, 2005
Date Reported:
August 3, 2005
Patch Development Time (In Days):
Severity:
High (Remote Code Execution)
Vendor:
Mircosoft
Systems Affected:
Windows NT 4.0
Windows 2000
Windows XP
Overview:
eEye Digital Security has discovered a vulnerability in the Windows Plug and Play Service that would allow an unprivileged user to execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could be exploited by an unprivileged user to gain full privileges on a system to which he is logged in interactively.
This vulnerability is unrelated to the MS05-039 Plug and Play vulnerability, and is not resolved by the MS05-039 hotfix. We reported this vulnerability to Microsoft roughly a week before the MS05-039 patch was released, but they neglected to address the vulnerability in spite of our warnings. However, generic security measures instituted in the patch now prevent its anonymous exploitation, making the eminent threat an internal attack or mass compromise in a domain setting.
Technical Details:
UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which provides an RPC interface for accessing device management and notification functionality. The service is default on Windows NT 4.0 and later, and in fact, support for it is hard-coded into the Service Control Manager in SERVICES.EXE. Due to its central importance, the service cannot be stopped once started, and attempting to disable it runs a high risk of rendering the system unusable.
The code for UMPNPMGR contains a number of calls to wsprintfW to construct various formatted strings in stack buffers, and in two cases the user input is only validated by whether or not it corresponds to an existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Although this registry branch is protected from unprivileged modification, the assumption that any valid key name is safe can nevertheless be circumvented by supplying arbitrary lengths of consecutive backslashes; for example, "HTREE\ROOT\\\\0\\\\\\\\".
The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize (opnum 11), on the UMPNPMGR interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability. For the former, any valid subkey name may be passed in order to reach a vulnerable wsprintfW call, whereas the latter must receive a key name with an empty second (e.g., "HTREE\\ROOT\0") or third ("HTREE\ROOT\\0") component in order to reach a vulnerable wsprintfW call within GetDeviceInstanceListSize, due to the way SplitDeviceInstanceString tokenizes the string.
On Windows 2000 and earlier, the UMPNPMGR interface may be reached without authentication via the \PIPE\browser, \PIPE\srvsvc, and \PIPE\wkssvc named pipe RPC endpoints. Windows XP and later has migrated many services into host processes, so the few named-pipe endpoints over which UMPNPMGR may be reached (e.g., \PIPE\ntsvcs and \PIPE\scerpc) require authentication.
This vulnerability was fixed in Windows 2003 by replacing the unsafe wsprintfW calls with calls to _vsnwprintf; why this security fix was not ported to any other operating system is unclear.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for the flaws affecting Windows 2000 and Windows XP. Microsoft has not released a patch for the flaw affecting Windows NT 4.0 systems.
The released patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx
Credit:
Discovery: Derek Soeder
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Neel, for the better find. =] Dale, BK, DA, Dr. Claw, F2, JE, RH, NR, YW. F&MQB. Jussi, Solar, the DC staff, and the Samoan Shellcoder. Mike Reavey, Jason Garms, and Writing Secure Code, 3rd Edition.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
October 11, 2005
Date Reported:
August 3, 2005
Patch Development Time (In Days):
 |
|
|
|
| 69 |
Severity:
High (Remote Code Execution)
Vendor:
Mircosoft
Systems Affected:
Windows NT 4.0
Windows 2000
Windows XP
Overview:
eEye Digital Security has discovered a vulnerability in the Windows Plug and Play Service that would allow an unprivileged user to execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could be exploited by an unprivileged user to gain full privileges on a system to which he is logged in interactively.
This vulnerability is unrelated to the MS05-039 Plug and Play vulnerability, and is not resolved by the MS05-039 hotfix. We reported this vulnerability to Microsoft roughly a week before the MS05-039 patch was released, but they neglected to address the vulnerability in spite of our warnings. However, generic security measures instituted in the patch now prevent its anonymous exploitation, making the eminent threat an internal attack or mass compromise in a domain setting.
Technical Details:
UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which provides an RPC interface for accessing device management and notification functionality. The service is default on Windows NT 4.0 and later, and in fact, support for it is hard-coded into the Service Control Manager in SERVICES.EXE. Due to its central importance, the service cannot be stopped once started, and attempting to disable it runs a high risk of rendering the system unusable.
The code for UMPNPMGR contains a number of calls to wsprintfW to construct various formatted strings in stack buffers, and in two cases the user input is only validated by whether or not it corresponds to an existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Although this registry branch is protected from unprivileged modification, the assumption that any valid key name is safe can nevertheless be circumvented by supplying arbitrary lengths of consecutive backslashes; for example, "HTREE\ROOT\\\\0\\\\\\\\".
The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize (opnum 11), on the UMPNPMGR interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability. For the former, any valid subkey name may be passed in order to reach a vulnerable wsprintfW call, whereas the latter must receive a key name with an empty second (e.g., "HTREE\\ROOT\0") or third ("HTREE\ROOT\\0") component in order to reach a vulnerable wsprintfW call within GetDeviceInstanceListSize, due to the way SplitDeviceInstanceString tokenizes the string.
On Windows 2000 and earlier, the UMPNPMGR interface may be reached without authentication via the \PIPE\browser, \PIPE\srvsvc, and \PIPE\wkssvc named pipe RPC endpoints. Windows XP and later has migrated many services into host processes, so the few named-pipe endpoints over which UMPNPMGR may be reached (e.g., \PIPE\ntsvcs and \PIPE\scerpc) require authentication.
This vulnerability was fixed in Windows 2003 by replacing the unsafe wsprintfW calls with calls to _vsnwprintf; why this security fix was not ported to any other operating system is unclear.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for the flaws affecting Windows 2000 and Windows XP. Microsoft has not released a patch for the flaw affecting Windows NT 4.0 systems.
The released patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx
Credit:
Discovery: Derek Soeder
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Neel, for the better find. =] Dale, BK, DA, Dr. Claw, F2, JE, RH, NR, YW. F&MQB. Jussi, Solar, the DC staff, and the Samoan Shellcoder. Mike Reavey, Jason Garms, and Writing Secure Code, 3rd Edition.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
