18830 : Microsoft Windows UMPNPMGR wsprintfW Remote Overflow
Printer | http://osvdb.org/18830 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
5	449	over 4 years ago	8 days ago	4 times	100%

Timeline

Vendor Informed Date	Disclosure Date	Vendor Solution Date	Exploit Publish Date
2005-08-03	2005-10-11	2005-10-11	2005-10-21

Time to Patch
69 days

Keywords

2005006318

Description

A remote overflow exists in Microsoft Windows NT, 2000 & XP. The Microsoft Windows MSRPC Plug and Play service fails to validate user supplied data to the wsprintfW call within the code for UMPNPMGR, resulting in a stack buffer overflow. With a specially crafted request, a remote authenticated attacker can execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could also be exploited by an unprivileged user to gain full privileges on a system to which he is logged in interactively. Both resulting in a loss of integrity to the system.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Technical

The code for UMPNPMGR contains a number of calls to wsprintfW to construct various formatted strings in stack buffers, and in two cases the user input is only validated by whether or not it corresponds to an existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Although this registry branch is protected from unprivileged modification, the assumption that any valid key name is safe can nevertheless be circumvented by supplying arbitrary lengths of consecutive backslashes; for example, "HTREE\ROOT\\\\0\\\\\\\\".

The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize (opnum 11), on the UMPNPMGR interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability. For the former, any valid subkey name may be passed in order to reach a vulnerable wsprintfW call, whereas the latter must receive a key name with an empty second (e.g., "HTREE\\ROOT\0") or third ("HTREE\ROOT\\0") component in order to reach a vulnerable wsprintfW call within GetDeviceInstanceListSize, due to the way SplitDeviceInstanceString tokenizes the string.

On Windows 2000 and earlier, the UMPNPMGR interface may be reached without authentication via the \PIPE\browser, \PIPE\srvsvc, and \PIPE\wkssvc named pipe RPC endpoints. Windows XP and later has migrated many services into host processes, so the few named-pipe endpoints over which UMPNPMGR may be reached (e.g., \PIPE\ntsvcs and \PIPE\scerpc) require authentication.

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability for Windows 2000 and XP. Microsoft has not released a patch for the flaw affecting Windows NT 4.0 systems.

Products

Microsoft Corporation	Windows	NT 4.0 SP6a
		NT 4.0 SP1
		NT 4.0 SP2
		NT 4.0 SP3
		NT 4.0 SP4
		NT 4.0 SP5
		XP SP2
		XP SP1
		2000 SP4

References

Security Tracker: 1015042
Bugtraq ID: 15065
Secunia Advisory ID: 17166 17172 17223
SCIP VulDB ID: 1789
CVE ID: 2005-2120 (see also: NVD)
Keyword: 2005006318
CERT VU: 214572
ISS X-Force ID: 22481
Microsoft Knowledge Base Article: 905749
VUPEN Advisory: ADV-2005-2044
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-10/0259.html
http://archives.neohapsis.com:80/archives/vulnwatch/2005-q4/0012.html
Generic Informational URL: http://isc.sans.org/diary.php?storyid=748
Packet Storm: http://packetstormsecurity.org/0510-advisories/TA05-284A.txt
Other Advisory URL: http://research.eeye.com/html/advisories/published/AD20051011c.html
http://www.securiteam.com/windowsntfocus/6G00B0KEBG.html
https://www.auscert.org.au/render.html?it=5587
Vendor Specific Advisory URL: http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=361442&RenditionID=
Vendor URL: http://www.microsoft.com/
Generic Exploit URL: http://www.securiteam.com/exploits/6F0011PELS.html
http://www.securiteam.com/exploits/6V00M15EAY.html
Microsoft Security Bulletin: MS05-047

Tools & Filters

20000 21193

Snort

4253 4254 4255 4256 4257 4258 4259 4260 4261 4262 4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 4299 4300 4301 4302 4303 4304 4305 4306 4307 4308 4309 4310 4311 4312 4313 4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 4326 4327 4328 4329 4330 4331 4332 4333 ... and 48 more

Credit

Derek Soeder - dsoedereeye.com - eEye Digital Security

CVSSv2 Score

CVSSv2 Base Score = 6.5
Source: nvd.nist.gov | Generated: 2005-10-14 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.