[Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007

From: :: Operash :: (nesumin_at_SOFTHOME.NET)
Date: 06/01/03

  • Next message: 3APA3A: "Windows 2003/XP gethostbyaddr() NULL h_name pointer"
    Date:         Mon, 2 Jun 2003 05:55:34 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ---------------------------------------------------------------------------
    SUMMARY : [Windows XP] ntdll.dll Buffer Overflow Vulnerability
    PRODUCT : Windows XP ntdll.dll
    VERSIONS : 5.1.2600.1106
    VENDOR : Microsoft Corporation (http://www.microsoft.com/)
    SEVERITY : Critical.
                     Code Execution, Privilege Escalation.
    DISCOVERED BY : nesumin
    AUTHOR : :: Operash ::
    REPORTED DATE : 2003-04-24
    RELEASED DATE : 2003-05-30
    ---------------------------------------------------------------------------

    0. PRODUCTS
    =============

      'ntdll.dll' is a core operating system component that is contained with
      Windows NT series.

      Microsoft Corporation (http://www.microsoft.com/)

    1. DESCRIPTION
    ================

           A buffer overflow vulnerability is in the function 'RtlGetFullPathName_U'
      which belongs to the 'ntdll.dll' and is called from some APIs or etc.

      This function uses 16 bits integer (unsigned short) to handle the given
      string's length inside. And it cannot get the given string's correct length
      if it was called with a string that has the size over 65536 bytes (exceeding
      size of the maximum of the 16 bits integer). Then it causes the overflow on
      the given buffer.

      As a result, if an attacker made some programs or services that is able to call
      the 'RtlGetFullPathName_U' with a string which has the size over 65536 bytes,
      it is possible for him to execute arbitrary codes or escalate his privilege.

    2. SYSTEMS AFFECTED
    =====================

      ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1

      And previous versions may have same vulnerabilities.

    3. SYSTEMS NOT AFFECTED
    =========================

      ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'

    4. EXAMINES
    =============

      ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1
      ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'

    5. VENDOR STATUS
    ==================

      2003-05-28 The vendor released the patch for Windows XP,
                 And they added this vulnerability's information to the Security
                 Bulletin MS03-007.

    6. SOLUTION
    =============

      Apply the patch (Hotfix of 'Q815021') that is provided by the vendor
      for the Security Bulletin MS03-007.

      http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

    7. TECHNICAL DETAILS
    ======================

           'RtlGetFullPathName_U' of 'ntdll.dll' is a function for getting
      the complete path. This function is given the string (path) and the buffer,
      the buffer's size, and it returns the complete path by writing the
      complete path on the given buffer. And This function is called from
      a Windows API like 'GetFullPathNameW' or etc.
      The buffer overflow vulnerability this function contains is caused by
      following reasons;

      'RtlGetFullPathName_U' handles the given string (path) using 'UNICODE_STRING'
      structure inside. This structure keeps the string's length as 16 bits integer
      (unsigned short) by its specification.
      And the function 'RtlInitUnicodeString' truncates the string's length to
      16 bits integer and put it in this structure if the given string's length
      is over 65536 bytes (32768 characters).

      'RtlGetFullPathName_U' can write the longer data than the given buffer's
      length on that buffer because it trusts the given string's length that is
      shorter than the actual length which is returned by 'RtlInitUnicodeString',
      and then the buffer overflow would occurs.

      If it was given an allocated buffer on the stack, the stack based buffer
      overflow would occurs.

      Remarks:

      This vulnerability differs from the known Security Bulletin 'MS03-007'.
      The known 'MS03-007' problem was caused by 'RtlDosPathNameToNtPathName_U'.
      However it can be said that these are similar vulnerabilities for both of
      these has same fundamental causes.
      Both are cause by trusting the string size which is acquired by 'UNICODE_STRING'
      structure and 'RtlInitUnicodeString' function that cannot handle the string
      length over 16 bits.

      In addition, although this vulnerability had also existed in Windows 2000,
      it was solved by the patch (Q815021 for Windows 2000) that has been already
      provided by the vendor.

      Technical References:

      [1] "MSDN Library - UNICODE_STRING"
          http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k112_401e.asp

      [2] "MSDN Library - RtlInitUnicodeString"
          http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k109_6x4i.asp

    8. SAMPLE CODE
    ================

      This is the example of a vulnerable program which causes the buffer overflow
      by this vulnerability. This is not a exploit code.

      'GetFullPathNameW' is a vulnerable API that calls 'RtlGetFullPathName_U' in
      its inside.

      //------------------------------------------------------
      #include <windows.h>
      #include <stdio.h>

      void vuln_func(wchar_t *long_string)
      {
          wchar_t *tmp_wc;
          wchar_t buffer[0x100*2];

          printf("ready ... \n");

          //
          // about 'GetFullPathName'
          // http://msdn.microsoft.com/library/en-us/fileio/base/getfullpathname.asp
          //
          // RtlGetFullPathName_U is called from GetFullPathNameW.
          //

          GetFullPathNameW(long_string, 0x100, buffer, &tmp_wc);

          // No return here.
          printf("returned\n");
      }

      const int vuln_length = 0x8008; // 0xFFFF & (0x8008*2) == 0x10

      int main()
      {
          wchar_t *p = new wchar_t[vuln_length + 32];

          memset(p, 0x90, vuln_length*sizeof(wchar_t));
          p[vuln_length] = 0;

          vuln_func(p);

          delete[] p;
          return 0;
      }
      //--------------------------------------------------------

    9. TIME TABLE
    ===============

      2003-04-20 Discovered this vulnerability.
      2003-04-24 Reported to 'Microsoft Security Response Center' of the vendor.
      2003-04-24 Got the reply from the vendor.
      2003-05-08 Asked the status to the vendor.
      2003-05-13 Got the reply from the vendor.
      2003-05-28 The vendor released the patch and the information.
      2003-05-30 Released this advisory.

    10. REFERENCES
    ================

      [1] Microsoft Security Bulletin MS03-007
          "Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)"
          http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

      [2] "CAN-2003-0109"
          http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109

    11. DISCLAIMER
    ================

      A. We cannot guarantee the accuracy of all statements in this information.
      B. We do not anticipate issuing updated versions of this information
         unless there is some material change in the facts.
      C. And we will take no responsibility for any kinds of disadvantages by
         using this information.
      D. You can quote this advisory without our permission if you keep the following;
         a. Do not distort this advisory's content.
         b. A quoted place should be a medium on the Internet.
      E. If you have any questions, please contact to us.

      * Exception

         We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
         redistribute our advisory.
         Because they've violated our policy and abused our advisory.

    12. CONTACT, ETC
    ==================

      :: Operash ::

      imagine (Operash Webmaster)
      nesumin <nesumin@softhome.net>

      Thanks to :

        melorin
        piso(sexy)

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    FREE 14-DAY TRIAL of New Threat & Vulnerability Notification Service

    TruSecure's new IntelliShield(tm) web-based threat and vulnerability
    service isn't your typical alert service. Supported by TruSecure's vast
    intelligence resources - including the ICSA Labs - IntelliShield's early
    warning, analysis, decision support, and threat management tools provide
    organizations with unmatched intelligence to better protect critical
    information assets. Experience it for yourself - just click below to begin
    your FREE, NO OBLIGATION 14-day trial today!

    http://www.trusecure.com/offer/s0074/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


  • Next message: 3APA3A: "Windows 2003/XP gethostbyaddr() NULL h_name pointer"

    Relevant Pages