
netddefull.txt

Posted Jan 25, 2005
Authored by John Heasman | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory - A vulnerability has been discovered in the Microsoft NetDDE service which can allow a remote attacker to execute arbitrary code on a system without authentication. This vulnerability can also be used by any low privileged local user to gain Local System privileges. Systems Affected: Microsoft Windows NT/2000/XP/2003 Server.

tags | advisory, remote, arbitrary, local
systems | windows
SHA-256 | 7fe7b3cd43a05089bc18d0500d8382f190e1c29289808a9a8cd64afe62566c0d

NGSSoftware Insight Security Research Advisory

Name: Microsoft NetDDE Service Unauthenticated Remote Buffer Overflow
Systems Affected: Microsoft Windows NT/2000/XP/2003 Server
Severity: High
Vendor URL: http://www.microsoft.com/
Author: John Heasman [ john@ngssoftware.com ]
Date of Public Advisory: 21st January 2005
Advisory number: #NISR21012005
Advisory URL: http://www.ngssoftware.com/advisories/netddefull.txt


Description
***********

A vulnerability has been discovered in the Microsoft NetDDE service
which can allow a remote attacker to execute arbitrary code on a system
without authentication.

This vulnerability can also be used by any low privileged local user to
gain Local System privileges.

The NetDDE (Network Dynamic Data Exchange) services are designed to be
used by network applications as a method of interprocess communication.
NetDDE achieves this by allowing individual applications to create and
maintain machine resource shares, through which data is dynamically
exchanged. When a new share is created, the NetDDE DSDM (DDE Share
Database Manager) service is used to store the share information.

To control access to the DDE shares which have been created, NetDDE
exports a set of functions which can be used to grant 'trusted' status
to a particular share. Only the user who has created the share can grant
trusted status to the share, and without a user granting trusted status
to the share it is not possible for a NetDDE client to exchange data
with the application using that share.

It is in the code which is designed to set trusted status to a share
that the vulnerability can be found.


Details
*******

The function exported by NetDDE to grant trusted status to a share is as
follows:

UINT NDdeSetTrustedShare(
    LPTSTR lpszServer,
    LPTSTR lpszShareName,
    DWORD dwTrustOptions
);

The first parameter, lpszServer, specifies the name of the server on
which the NetDDE and DSDM service reside. The second parameter,
lpszShareName, is the name of the share which is to gain the trusted
status. The third parameter, dwTrustOptions, describes the operation (or
level of trust) which is to be performed upon the share.

NetDDE maintains a list of trusted shares in the system registry which
is modified upon the successful execution of a 'set trusted share'
request. When attempting to construct an absolute registry path upon
which to operate, the lpszShareName string value is concatenated onto
the trusted share root path into a stack based buffer. Since no boundary
checking is performed during this operation, it is a trivial matter to
overflow this buffer and overwrite an arbitrary quantity of the stack -
including the saved return address.
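The defect described above is the classic unbounded-concatenation pattern: a fixed-size stack buffer receives a root path followed by an attacker-controlled string, with no check that the result fits. The following is an added illustration written for this page, not NetDDE's code: the registry root string, the buffer size and the function names (`build_path_unchecked`, `build_path_checked`, `bytes_required`) are hypothetical placeholders, and the share names used in the demos are constructed. It places the unchecked pattern beside the length-checked form that rejects any name which would not fit, which is the mitigation the advisory's description implies.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical values: the advisory names neither the real registry root
 * nor the size of the stack buffer, so both are placeholders here. */
#define TRUSTED_SHARE_ROOT "SOFTWARE\\Placeholder\\NetDDE\\Trusted Shares\\"
#define PATH_BUF_SIZE 96

/* The pattern the advisory describes: the share name is appended to the
 * root path in a fixed-size stack buffer with no length check. A share
 * name longer than the remaining space makes strcat write past the end of
 * the buffer. Shown only for contrast; called below with a name that fits. */
static void build_path_unchecked(const char *share_name, char out[PATH_BUF_SIZE]) {
    strcpy(out, TRUSTED_SHARE_ROOT);
    strcat(out, share_name);            /* no bounds check: the defect */
}

/* Hardened form: measure first, refuse anything that does not fit
 * (including the terminating NUL), and only then copy. */
bool build_path_checked(const char *share_name, char *out, size_t out_size) {
    size_t root_len = strlen(TRUSTED_SHARE_ROOT);
    size_t name_len = strlen(share_name);

    if (out == NULL || out_size == 0) return false;
    /* root_len >= out_size is tested first so the subtraction cannot wrap */
    if (root_len >= out_size || name_len > out_size - root_len - 1) return false;

    memcpy(out, TRUSTED_SHARE_ROOT, root_len);
    memcpy(out + root_len, share_name, name_len + 1);   /* copies the NUL too */
    return true;
}

/* Number of bytes the unchecked version would write for this name;
 * anything above PATH_BUF_SIZE lands on the stack beyond the buffer. */
size_t bytes_required(const char *share_name) {
    return strlen(TRUSTED_SHARE_ROOT) + strlen(share_name) + 1;
}

/* Demo 1: a normal share name is accepted and yields ROOT + name. */
int demo_short_name_accepted(void) {
    char buf[PATH_BUF_SIZE];
    if (!build_path_checked("SalesData", buf, sizeof buf)) return 0;
    return strcmp(buf, TRUSTED_SHARE_ROOT "SalesData") == 0;
}

/* Demo 2: a constructed oversized share name is rejected by the checked
 * builder, while the unchecked builder would have needed more bytes than
 * the buffer holds. */
int demo_long_name_rejected(void) {
    char name[200];
    char buf[PATH_BUF_SIZE];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    bool rejected = !build_path_checked(name, buf, sizeof buf);
    bool would_overflow = bytes_required(name) > PATH_BUF_SIZE;
    return rejected && would_overflow;
}

int main(void) {
    char buf[PATH_BUF_SIZE];
    build_path_unchecked("SalesData", buf);    /* fits, so same result as checked */
    printf("unchecked: %s\n", buf);
    printf("short name accepted: %d\n", demo_short_name_accepted());
    printf("long name rejected:  %d\n", demo_long_name_rejected());
    return 0;
}
```

The point of the checked form is that the length comparison happens before any byte is written, and the check is expressed in terms of the destination size rather than the source, so it stays correct if the buffer size changes.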

When observing a NDdeSetTrustedShare() function call being made to a
remote NetDDE server, it can be seen that the call will fail unless an
authenticated session has already been established with the target
machine - by default a null session is not sufficient.

During further research of the vulnerability, we observed that there was
a difference in the network interactions between an application
communicating with a NetDDE server, and two NetDDE servers communicating
with each other. We discovered that when two NetDDE servers needed to
communicate, NetBIOS, instead of SMB, was the means of transport for the
data which was to be passed over the network. Furthermore, all that was
required for the two NetDDE services to establish communication in this
fashion was a NetBIOS session setup request.

Further investigation showed that an attacker could simply interact
with the vulnerable function over NetBIOS in this fashion without first
needing to successfully complete the authentication stage necessary to
communicate with the NetDDE named pipe. Communicating directly in this
manner grants the attacker remote, unauthenticated access to the
vulnerable function.


Fix Information
***************

Microsoft have released an update for NetDDE which addresses this issue.
This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS04-031.mspx

A check for this vulnerability has been added to Typhon III,
NGSSoftware's advanced vulnerability assessment scanner. For more
information please visit the NGSSoftware website at
http://www.ngssoftware.com/


About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland.

NGSSoftware's sister company NGSConsulting, offers best of breed
security consulting services, specialising in application, host and
network security assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
