what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

EEYEB-20050803.txt

EEYEB-20050803.txt
Posted Oct 12, 2005
Authored by eEye | Site eeye.com

eEye Security Advisory - eEye Digital Security has discovered a vulnerability in the Windows Plug and Play Service that would allow an unprivileged user to execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could be exploited by an unprivileged user to gain full privileges on a system to which he is logged in interactively.

tags | advisory, remote, arbitrary
systems | windows
SHA-256 | 846bcdcac256df0db0e4e7c5c0a2e07e6e237430fc7f1965fc0222d7ee188ed3

EEYEB-20050803.txt

Change Mirror Download
Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability

Release Date:
October 11, 2005

Date Reported:
August 3, 2005

Severity:
High (Remote Code Execution with Authentication)
Medium (Privilege Escalation to SYSTEM)

Vendor:
Microsoft

Systems Affected:
Windows NT 4.0
Windows 2000
Windows XP

eEye ID #: EEYEB20050803
OSVDB #: 18830
CVE #: CAN-2005-2120

Overview:
eEye Digital Security has discovered a vulnerability in the Windows Plug
and Play Service that would allow an unprivileged user to execute
arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1
system. On Windows XP SP2, this vulnerability could be exploited by an
unprivileged user to gain full privileges on a system to which he is
logged in interactively.

This vulnerability is unrelated to the MS05-039 Plug and Play
vulnerability, and is not resolved by the MS05-039 hotfix. We reported
this vulnerability to Microsoft roughly a week before the MS05-039 patch
was released, but they neglected to address the vulnerability in spite
of our warnings. However, generic security measures instituted in the
patch now prevent its anonymous exploitation, making the eminent threat
an internal attack or mass compromise in a domain setting.

Technical Details:
UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which
provides an RPC interface for accessing device management and
notification functionality. The service is default on Windows NT 4.0
and later, and in fact, support for it is hard-coded into the Service
Control Manager in SERVICES.EXE. Due to its central importance, the
service cannot be stopped once started, and attempting to disable it
runs a high risk of rendering the system unusable.

The code for UMPNPMGR contains a number of calls to wsprintfW to
construct various formatted strings in stack buffers, and in two cases
the user input is only validated by whether or not it corresponds to an
existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum.
Although this registry branch is protected from unprivileged
modification, the assumption that any valid key name is safe can
nevertheless be circumvented by supplying arbitrary lengths of
consecutive backslashes; for example, "HTREE\ROOT\\\\0\\\\\\\\".

The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize
(opnum 11), on the UMPNPMGR interface
{8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability.
For the former, any valid subkey name may be passed in order to reach a
vulnerable wsprintfW call, whereas the latter must receive a key name
with an empty second (e.g., "HTREE\\ROOT\0") or third ("HTREE\ROOT\\0")
component in order to reach a vulnerable wsprintfW call within
GetDeviceInstanceListSize, due to the way SplitDeviceInstanceString
tokenizes the string.

On Windows 2000 and earlier, the UMPNPMGR interface may be reached
without authentication via the \PIPE\browser, \PIPE\srvsvc, and
\PIPE\wkssvc named pipe RPC endpoints. Windows XP and later has
migrated many services into host processes, so the few named-pipe
endpoints over which UMPNPMGR may be reached (e.g., \PIPE\ntsvcs and
\PIPE\scerpc) require authentication.

This vulnerability was fixed in Windows 2003 by replacing the unsafe
wsprintfW calls with calls to _vsnwprintf; why this security fix was not
ported to any other operating system is unclear.

Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina

Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink


Vendor Status:
For Windows 2000 and XP customers, Microsoft has released a patch for
this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/Bulletin/MS05-047.mspx

Microsoft will not be releasing a public Windows NT 4.0 patch due to the
platform's non-supported status. eEye customers with Blink installed on
NT 4.0 systems are protected from these attacks regardless of patch
level, with zero impact to system or application functionality.

Credit:
Derek Soeder

Greetings:
Neel, for the better find. =] Dale, BK, DA, Dr. Claw, F2, JE, RH, NR,
YW. F&MQB. Jussi, Solar, the DC staff, and the Samoan Shellcoder.
Mike Reavey, Jason Garms, and Writing Secure Code, 3rd Edition.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the
user's own risk.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close