EEYE: Windows Workstation Service Remote Buffer Overflow
Windows Workstation Service Remote Buffer Overflow
Release Date:
November 11, 2003
Date Reported:
September 15, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Windows 2000
Windows XP
Description:
eEye Digital Security has discovered a remote buffer overflow in the Windows
Workstation Service (WKSSVC.DLL). An unauthenticated attacker could exploit
this vulnerability to execute arbitrary code with system-level privileges on
Windows 2000 and Windows XP machines. The susceptible Workstation functionality
is accessible via the WKSSVC named pipe (TCP ports 139 and 445).
This buffer overflow bug is within network management functions provided by the
DCE/RPC service. These functions provide the ability to manage user accounts
and network resources locally and remotely. Some network management functions
generate a debug log file in the "debug" subdirectory located in the Windows
directory.
A logging function implemented in WKSSVC.DLL is called to write entries to the
log file. In this function, the vsprintf() routine is used to create a log
entry. The string arguments for this logging function are supplied as
parameters to vsprintf() without any bounds checking, so if we can pass a long
string argument to the logging function, then a buffer overflow will occur.
We found some RPC functions which will accept a long string as a parameter, and
will attempt to write it to the debug log file. If we specify a long string as
a parameter to these RPC functions, a stack-based buffer overflow will happen
in the Workstation service on the remote system. Attackers who successfully
leverage this vulnerability will be executing code under the SYSTEM context of
the remote host.
Technical Description:
The buffer overflow bug is in a logging function which generates a string for
the log file using vsprintf(). The name of the log file is "NetSetup.LOG", and
it is located in the Windows "debug" directory.
This logging routine is called from some functions which handle commands for
the Workstation service, such as "NetValidateName", "NetJoinDomain", etc. In
the case of NetValidateName(), the "computer name" specified as the second
argument is eventually recorded in the log file.
For example, if we use NetValidateName() API as follows:
NetValidateName(L"\\\\192.168.0.100","AAAAAAAA",NULL,NULL,0);
then we can confirm the following log entry on the remote host "192.168.0.100":
08/13 13:01:01 NetpValidateName: checking to see if '' is valid as type 0
name
08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\AAAAAAAA name:
0x57
If we specify a long string as the second argument to the NetValidateName()
API, a buffer overflow happens on the specified host if the debug file is
writeable.
Generally, the "debug" subdirectory in the Windows directory is not writeable
by everyone if the drive is formatted as NTFS, which means that we cannot
append to the log using a null session. The WsImpersonateClient() API is
called before opening the log file, and if the connected client does not have
the privilege to write to the log file, then CreateFile() will fail, and the
vulnerable call to vsprintf() is not performed. So, in this case, we can
exploit FAT32 systems (which do not support ACLs on directories), or systems
where the "%SYSTEMROOT%\debug" directory is writeable by everyone.
However, there are some extended RPC functions implemented in Windows XP which
open the logfile before calling WsImpersonateClient(). They are undocumented
RPC functions, but we can observe them in the function table in WKSSVC.DLL.
The RPC numbers for these extended commands start at 0x1B; for example,
function 0x1B invokes the NetpManageComputers() API internally, which does not
call WsImpersonateClient() before opening the log file.
The usage of NetpManageComputers() is not published; however, we found the
prototype definition of the NetAddAlternateComputerName() API in "LMJoin.h",
which calls NetpManageComputers() internally. This API is exported from
NETAPI32.DLL. This API is also undocumented. We can generate the packet to
execute this RPC function (number 0x1B) using the API as follows:
NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL,NULL,0);
We do not need special privileges to write the second argument into the log
file on the remote host. If we specify a long Unicode string as the second
argument ("AlternateName"), the remote system specified in the first argument
will crash due to a buffer overflow. The Unicode string "long_unicode_string"
will be translated into an ASCII string before the logging function is called.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Vendor Status:
Microsoft has released a patch for these vulnerabilities. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
Credit:
Yuji Ukai
Greetings:
All AD200X attendees, speakers, volunteers, and members.
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html
Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any other
medium excluding electronic medium, please e-mail alert@xxxxxxxx for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's own
risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@xxxxxxxx