Info
Last Modified: about 1 year ago

Description
A remote overflow exists in Microsoft Windows NT 4.0, 2000 and XP. The Microsoft Windows MSRPC Plug and Play service fails to validate user-supplied data passed to wsprintfW calls within the code for UMPNPMGR, resulting in a stack buffer overflow. With a specially crafted request, a remote attacker can execute arbitrary code with SYSTEM privileges: on Windows 2000 the vulnerable interface is reachable without authentication, while on Windows XP SP1 the attacker must first authenticate. On Windows XP SP2 the vulnerability can be exploited by an unprivileged local user to gain SYSTEM privileges on a system to which they are logged in interactively. In every case the result is a loss of integrity of the system.

Classification
Location: Local Access Required, Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Technical
The code for UMPNPMGR contains a number of calls to wsprintfW that construct formatted strings in fixed-size stack buffers, and in two cases the user input is validated only by checking whether it names an existing subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Although that registry branch is protected from unprivileged modification, the assumption that any valid key name is safe can be circumvented: the registry treats a run of consecutive backslashes as a single separator, so a legitimate device instance path can be padded with arbitrarily many backslashes, for example "HTREE\ROOT\\\\0\\\\\\\\", to produce a string far longer than the stack buffer that the existence check still accepts.
The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize (opnum 11) on the UMPNPMGR interface {8D9F4E40-A03D-11CE-8F69-08003E30051B} both exhibit this vulnerability. For PNP_GetDeviceList, any valid subkey name reaches a vulnerable wsprintfW call. PNP_GetDeviceListSize must instead receive a key name with an empty second component (e.g., "HTREE\\ROOT\0") or an empty third component ("HTREE\ROOT\\0"), that is, a doubled backslash, in order to reach the vulnerable wsprintfW call within GetDeviceInstanceListSize, because of the way SplitDeviceInstanceString tokenizes the string.
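The pattern described above, a registry existence check standing in for length validation, defeated by padding a valid path with backslashes, and a tokenizer that yields empty components, as an added C example; this is not code from the page, from eEye or from Microsoft. It models the registry lookup, the unbounded wsprintfW formatting and a SplitDeviceInstanceString-style tokenizer with small portable functions. The buffer size (200, borrowed from MAX_DEVICE_ID_LEN), the format string, the backslash-collapsing lookup, the list of "existing" Enum keys and the hardened check are all assumptions for illustration, not the real UMPNPMGR code or the vendor's fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer, taken from MAX_DEVICE_ID_LEN (200)
 * in cfgmgr32.h; the page does not give the real UMPNPMGR buffer sizes. */
#define DEVINST_BUF 200
/* Constructed stand-in for the device instance paths that exist under
 * HKLM\SYSTEM\CurrentControlSet\Enum (HTREE\ROOT\0 is the real root devnode). */
static const char *const g_enum_keys[] = { "HTREE\\ROOT\\0", "ROOT\\SYSTEM\\0000" };

/* Model of registry path lookup: a run of backslashes acts as one separator and
 * a trailing backslash is ignored, so HTREE\ROOT\\\\0\\\\ resolves to HTREE\ROOT\0. */
static void collapse_backslashes(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in != '\0' && n + 1 < outsz; in++) {
        if (*in == '\\' && n > 0 && out[n - 1] == '\\') continue;
        out[n++] = *in;
    }
    if (n > 0 && out[n - 1] == '\\') n--;
    out[n] = '\0';
}

/* The original validation: does the caller's string name an existing Enum subkey? */
bool enum_key_exists(const char *devinst)
{
    char norm[4096];
    collapse_backslashes(devinst, norm, sizeof norm);
    for (size_t i = 0; i < sizeof g_enum_keys / sizeof g_enum_keys[0]; i++)
        if (strcmp(norm, g_enum_keys[i]) == 0) return true;
    return false;
}

/* Would an unbounded wsprintfW-style call (hypothetical format "%s\\%s": a fixed
 * prefix plus the accepted key) write past a DEVINST_BUF-byte stack buffer? */
bool format_would_overflow(const char *devinst)
{
    int needed = snprintf(NULL, 0, "%s\\%s", "SYSTEM\\CurrentControlSet\\Enum", devinst);
    return needed < 0 || (size_t)needed >= DEVINST_BUF;
}

/* Backslash-separated components, counting empty ones (a\\b has three), as a
 * SplitDeviceInstanceString-style tokenizer would see them. */
int component_count(const char *devinst)
{
    int n = 1;
    for (; *devinst != '\0'; devinst++)
        if (*devinst == '\\') n++;
    return n;
}

/* True if the 1-based component idx exists and is empty. */
bool component_is_empty(const char *devinst, int idx)
{
    const char *p = devinst;
    for (int cur = 1; cur < idx; cur++) {
        if ((p = strchr(p, '\\')) == NULL) return false;
        p++;
    }
    return *p == '\0' || *p == '\\';
}

enum devinst_verdict { DEVINST_OK, DEVINST_TOO_LONG, DEVINST_EMPTY_COMPONENT, DEVINST_NOT_FOUND };
/* Hardened check (illustrative, not Microsoft's fix): bound the length against
 * the destination first, reject empty components, then consult the registry. */
enum devinst_verdict check_device_instance(const char *devinst)
{
    if (format_would_overflow(devinst)) return DEVINST_TOO_LONG;
    for (int i = 1, n = component_count(devinst); i <= n; i++)
        if (component_is_empty(devinst, i)) return DEVINST_EMPTY_COMPONENT;
    return enum_key_exists(devinst) ? DEVINST_OK : DEVINST_NOT_FOUND;
}

struct bypass_result { bool key_check_passes; bool would_overflow; enum devinst_verdict hardened; };
/* Build "HTREE\ROOT" + run_len backslashes + "0" + run_len backslashes (the shape
 * of the advisory's example) and run it through all three checks. */
struct bypass_result probe_backslash_bypass(size_t run_len)
{
    char buf[2048];
    size_t n = strlen("HTREE\\ROOT");
    if (run_len > 900) run_len = 900;                   /* stay inside buf */
    memcpy(buf, "HTREE\\ROOT", n);
    memset(buf + n, '\\', run_len); n += run_len;
    buf[n++] = '0';
    memset(buf + n, '\\', run_len); n += run_len;
    buf[n] = '\0';
    struct bypass_result r = { enum_key_exists(buf), format_would_overflow(buf), check_device_instance(buf) };
    return r;
}

int main(void)
{
    struct bypass_result r = probe_backslash_bypass(300);
    printf("300-backslash run: passes key check=%d would overflow=%d hardened verdict=%d\n",
           r.key_check_passes, r.would_overflow, r.hardened);
    return 0;
}
```

The point to take from running it: a 300-backslash padding passes the existence check exactly as "HTREE\ROOT\0" does, yet formats to several hundred bytes against a 200-byte destination, while a single trailing backslash survives the lookup but produces an empty fourth component of the kind the tokenizer case above depends on. The hardened check orders its tests so the length bound runs before anything touches the registry. Note also that wsprintfW caps its own output at 1024 characters, which is well beyond any buffer sized for a device ID, so that limit offers no protection here.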
On Windows 2000 and earlier, the UMPNPMGR interface can be reached without authentication via the \PIPE\browser, \PIPE\srvsvc and \PIPE\wkssvc named-pipe RPC endpoints. Windows XP and later have moved many services into shared host processes, so the few named-pipe endpoints through which UMPNPMGR can still be reached (e.g., \PIPE\ntsvcs and \PIPE\scerpc) require authentication. This is why the flaw is remotely exploitable without credentials on Windows 2000, requires an authenticated user on XP SP1, and is a local privilege escalation on XP SP2.

Solution
Microsoft has released a patch that corrects this issue on Windows 2000 and Windows XP; there is no upgrade path that fixes it without the patch. Microsoft has not released a patch for Windows NT 4.0, so NT 4.0 systems remain vulnerable. Because the named-pipe endpoints through which UMPNPMGR is reached are carried over SMB, blocking TCP ports 139 and 445 at the network boundary reduces the remote exposure of unpatched systems, but it does not mitigate the local privilege escalation on XP SP2.

Products
Windows NT 4.0 SP1, SP2, SP3, SP4, SP5, SP6a
Windows XP SP1, SP2
Windows 2000 SP4

Credit
Derek Soeder (dsoeder / eeye.com), eEye Digital Security