Alert: Microsoft Security Bulletin - MS02-017

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 04/05/02

Date:         Thu, 4 Apr 2002 18:25:14 -0500
From: Russ <Russ.Cooper@RC.ON.CA>

Q311967: Unchecked buffer in the Multiple UNC Provider Could Enable Code Execution

Originally posted: April 04, 2002


Who should read this bulletin: Customers using Microsoft® Windows NT®, Windows® 2000 and Windows XP

Impact of vulnerability: Local privilege elevation; an attacker could run code of their choice with Local System privileges.

Maximum Severity Rating: Moderate

Recommendation: Administrators should consider applying the patch to machines that allow unprivileged users to log onto them interactively such as workstations and Terminal Servers.

Affected Software:
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4 Terminal Server Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows XP Professional

Technical description:

The Multiple UNC Provider (MUP) is a Windows service that assists in locating network resources that are identified via UNC (uniform naming convention) names. The MUP receives commands containing UNC names from applications and hands each name to every registered UNC provider (the LAN Manager workstation redirector and any others that are installed). When a provider identifies a UNC name as its own, the MUP automatically redirects future requests for that name to that provider.

When MUP receives a file request, it allocates a buffer in which to store it. The copy into this first buffer is properly length-checked. However, MUP stores a second copy of the file request in another buffer when it sends the request to a redirector, and the copy into this second buffer is not bounds-checked. A resource request from an unprivileged local process could therefore overrun the second buffer. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with Local System privileges.
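The two-copy pattern the bulletin describes, as an added illustration in C (constructed model of the bug class; this is not MUP's source, and the buffer sizes INBUF_LEN and REDIR_LEN, the frame layout and the sentinel value are all hypothetical). The first copy is checked against its own buffer, the second copy trusts that check even though its destination is smaller, and the hardened variant re-checks against the destination it actually writes to. The redirector's frame is modelled as one flat block so that the overrun lands on a marker field rather than on undefined memory:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes: the first (checked) buffer and the smaller buffer
 * handed to the redirector.  The bug only needs the second to be smaller. */
#define INBUF_LEN     64
#define REDIR_LEN     32
#define SENTINEL_MARK 0xDEADBEEFu

/* What the redirector receives: a REDIR_LEN-byte name slot followed by other
 * state (stood in for by SENTINEL_MARK at offset REDIR_LEN).  The block is
 * sized so that any stage-1-approved name fits, keeping the demo within
 * defined behaviour; the interesting part is what lands past REDIR_LEN. */
#define FRAME_LEN (INBUF_LEN + sizeof(unsigned int))
struct redir_frame {
    unsigned char mem[FRAME_LEN];
};

void frame_init(struct redir_frame *f)
{
    unsigned int marker = SENTINEL_MARK;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + REDIR_LEN, &marker, sizeof marker);
}

unsigned int frame_sentinel(const struct redir_frame *f)
{
    unsigned int v;
    memcpy(&v, f->mem + REDIR_LEN, sizeof v);
    return v;
}

/* Stage 1: copy the request into the first buffer, with a correct length
 * check against INBUF_LEN.  Returns 0 on success, -1 if rejected. */
int mup_receive(const char *unc, char *inbuf)
{
    size_t n = strlen(unc);
    if (n >= INBUF_LEN)
        return -1;
    memcpy(inbuf, unc, n + 1);
    return 0;
}

/* Stage 2, vulnerable: the second copy assumes stage 1 already validated
 * the length, but stage 1 only bounded it to INBUF_LEN, not REDIR_LEN. */
void redirect_vulnerable(const char *inbuf, struct redir_frame *f)
{
    memcpy(f->mem, inbuf, strlen(inbuf) + 1);   /* no check against REDIR_LEN */
}

/* Stage 2, hardened: every copy is checked against its own destination. */
int redirect_fixed(const char *inbuf, struct redir_frame *f)
{
    size_t n = strlen(inbuf);
    if (n >= REDIR_LEN)
        return -1;
    memcpy(f->mem, inbuf, n + 1);
    return 0;
}

/* Constructed input: a name of exactly len bytes (buf must hold len + 1). */
void make_name(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

/* Drive a request of the given length through both stages.
 * Returns -1 if stage 1 rejects it, -2 if the hardened stage 2 rejects it,
 * 1 if the state past the redirector buffer was clobbered, 0 if intact. */
int run_request(size_t len, int hardened)
{
    char unc[INBUF_LEN + 16], inbuf[INBUF_LEN];
    struct redir_frame f;

    if (len >= sizeof unc)
        len = sizeof unc - 1;
    make_name(unc, len);
    if (mup_receive(unc, inbuf) != 0)
        return -1;
    frame_init(&f);
    if (hardened) {
        if (redirect_fixed(inbuf, &f) != 0)
            return -2;
    } else {
        redirect_vulnerable(inbuf, &f);
    }
    return frame_sentinel(&f) != SENTINEL_MARK;
}

int main(void)
{
    size_t lens[] = { 20, 31, 32, 40, 70 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2zu  vulnerable=%2d  hardened=%2d\n",
               lens[i], run_request(lens[i], 0), run_request(lens[i], 1));
    return 0;
}
```

The window is the band of lengths that pass the first check but exceed the second buffer (REDIR_LEN to INBUF_LEN - 1 here): a request in that band is accepted, and only the unchecked copy decides what gets overwritten. The fix is not to tighten the first check but to make each copy validate against the buffer it writes into, since the two buffers can be sized independently.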

Mitigating factors:
- The MUP request can only be levied by a process on the local system. As a result, the vulnerability could only be exploited by a user who could log onto an affected system interactively.
- On Windows 2000 systems, the vulnerability could not reliably be used to run code. This is because the attacker would need to know where the buffer was located in memory, and on Windows 2000 this is neither externally discoverable nor controllable.
- Best practice suggests that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed, machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Vulnerability identifier: CAN-2002-0151

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
