[NT] Unchecked buffer in the Multiple UNC Provider Could Enable Code Execution
From: support@securiteam.com To: list@securiteam.com Date: Sat, 6 Apr 2002 12:06:19 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Unchecked buffer in the Multiple UNC Provider Could Enable Code Execution
------------------------------------------------------------------------
SUMMARY
The Multiple UNC Provider (MUP) is a Windows service that assists in
locating network resources that are identified via UNC (uniform naming
convention). The MUP receives commands containing UNC names from
applications and sends the name to each registered UNC provider, LAN
Manager workstation, and any others that are installed. When a provider
identifies a UNC name as its own, the MUP automatically redirects future
instances of that name to that provider.
When MUP receives a file request, it allocates a buffer in which to store
it, and the length check on this first copy is correct. However, MUP writes
a second copy of the request into the buffer when it forwards the request
to a redirector, and that second copy is not length-checked. A resource
request from an unprivileged local process can therefore overrun the
buffer. The overrun could be exploited for either of two purposes: crashing
the system, or running code on the system with Local System privileges.
DETAILS
Affected Software:
* Microsoft Windows NT 4.0 Workstation
* Microsoft Windows NT 4.0 Server
* Microsoft Windows NT 4.0 Server, Enterprise Edition
* Microsoft Windows NT 4 Terminal Server Edition
* Microsoft Windows 2000 Professional
* Microsoft Windows 2000 Server
* Microsoft Windows 2000 Advanced Server
* Microsoft Windows XP Professional
Mitigating factors:
* The MUP request can only be levied by a process on the local system. As
a result, the vulnerability could only be exploited by a user who could
log onto an affected system interactively.
* On Windows 2000 systems, the vulnerability could not reliably be used
to run code. This is because the attacker would need to know where the
buffer was located in memory, and on Windows 2000 this is not externally
discoverable or controllable.
* Best practice suggests that unprivileged users not be allowed to
interactively log onto business-critical servers. If this recommendation
has been followed, machines such as domain controllers, ERP servers, print
and file servers, database servers, and others would not be at risk from
this vulnerability.
Patch availability:
Download locations for this patch
* Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37630
* Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37652
* Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37555
* Windows XP:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37583
* Windows XP 64-bit Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37672
Additional technical details:
When an application on a Microsoft Windows NT/2000/XP system issues a UNC
request (for example \\ip\sharename) to access files on another host, the
operating system passes the request to the Multiple UNC Provider (MUP).
MUP forwards the request to the installed redirectors and then selects the
appropriate redirector according to their responses. MUP is implemented in
the kernel by mup.sys.
When MUP receives a UNC file request, it first saves it in a kernel buffer
of size (request length + 0x1000) bytes. Before sending the request to a
redirector, MUP copies the request into the same buffer a second time,
appending it directly behind the original copy. The second copy therefore
ends at twice the request length, while the buffer ends at request length
+ 0x1000, so any request longer than 0x1000 bytes overwrites memory beyond
the buffer by (request length - 0x1000) bytes. Allocator bookkeeping
structures usually sit at the border of dynamically allocated memory; an
attacker who overwrites them can get the kernel to modify arbitrary kernel
memory when it later allocates from or frees the block.
A local attacker who exploits this vulnerability successfully could obtain
Local SYSTEM or any other privilege. In our testing it is exploitable on
Windows 2000, but the exploit does not always work, because success depends
on how the kernel processes the overwritten bookkeeping data, which the
attacker does not control; with random data the system is likely to blue
screen and reboot. The same vulnerability exists in Windows NT and XP,
where exploitation is even more difficult. (Note that this assessment
differs from the mitigating factors section above, which describes Windows
2000 as the platform on which code execution could not reliably be
achieved; the two agree only that exploitation is unreliable and that a
failed attempt crashes the system.)
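The allocation arithmetic above is easy to misread, so here is an added
model of it in C. This is not code from mup.sys or from Microsoft; it is an
illustration written for this page. It reproduces the layout the advisory
describes (a buffer of request length + 0x1000 bytes, the request copied in
once at the start and once again directly behind the first copy) and places
a constructed 8-byte marker where a pool allocator would keep the
neighbouring block's bookkeeping, so the overflow has something visible to
hit. The marker bytes, the 'A' filler and the result codes are assumptions
made for the simulation; the "patched" path implements the kind of length
check the bulletin says the fix adds, not the actual patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per the advisory: the kernel buffer is request_len + 0x1000 bytes and the
 * second copy of the request is appended directly behind the first. */
#define MUP_SLACK 0x1000u

/* Constructed stand-in for the bookkeeping a pool allocator keeps at the
 * border of a block. Any recognisable byte pattern will do. */
static const unsigned char POOL_HDR[8] = { 'P', 'O', 'O', 'L', 'H', 'D', 'R', '!' };

enum { MUP_OK = 0, MUP_REJECTED = 1, MUP_HEADER_CLOBBERED = 2, MUP_NOMEM = -1 };

/* Bytes of the second copy that fall past the end of the allocation:
 * the copy ends at 2 * request_len, the buffer ends at request_len + 0x1000. */
size_t mup_overflow_bytes(size_t request_len)
{
    return request_len > MUP_SLACK ? request_len - MUP_SLACK : 0;
}

/* Model MUP's two copies of a request_len-byte UNC request.
 * patched == false reproduces the unchecked second copy described above;
 * patched == true adds a length check before that copy.
 * Returns one of the MUP_* codes. */
int mup_simulate(size_t request_len, bool patched)
{
    size_t buf_size = request_len + MUP_SLACK;
    size_t spill = mup_overflow_bytes(request_len);

    /* Lay out [ MUP buffer | neighbouring block header | padding ] in one
     * allocation so this simulation never writes out of bounds itself: the
     * bytes that leave the MUP buffer land on the fake header, as they would
     * land on real pool metadata in the kernel. */
    size_t tail = spill > sizeof POOL_HDR ? spill : sizeof POOL_HDR;
    unsigned char *arena = malloc(buf_size + tail);
    if (arena == NULL)
        return MUP_NOMEM;
    memcpy(arena + buf_size, POOL_HDR, sizeof POOL_HDR);

    /* Constructed attacker-controlled request: request_len filler bytes. */
    unsigned char *request = malloc(request_len);
    if (request == NULL) {
        free(arena);
        return MUP_NOMEM;
    }
    memset(request, 'A', request_len);

    int rc = MUP_OK;
    memcpy(arena, request, request_len);               /* first copy: always fits */
    if (patched && request_len + request_len > buf_size) {
        rc = MUP_REJECTED;                              /* fix: bound the second copy too */
    } else {
        memcpy(arena + request_len, request, request_len); /* unchecked second copy */
        if (memcmp(arena + buf_size, POOL_HDR, sizeof POOL_HDR) != 0)
            rc = MUP_HEADER_CLOBBERED;                  /* next block's metadata overwritten */
    }
    free(request);
    free(arena);
    return rc;
}

int main(void)
{
    size_t lens[] = { 0x800, 0x1000, 0x1010, 0x2000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=0x%zx spill=%zu unpatched=%d patched=%d\n", lens[i],
               mup_overflow_bytes(lens[i]),
               mup_simulate(lens[i], false), mup_simulate(lens[i], true));
    }
    return 0;
}
```

Requests of 0x1000 bytes or less fit both copies even without the check,
which is why the first-copy validation alone looked sufficient; a request
of 0x1010 bytes spills 16 bytes onto the neighbouring header, which is the
condition the advisory describes.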
What's the scope of the vulnerability?
This is a buffer overrun vulnerability that results in privilege
elevation. If an attacker successfully exploited this vulnerability, he
could gain complete control over the machine. This would allow him to take
any desired action on the machine, such as adding, deleting, or modifying
data on the system, creating or deleting user accounts, and adding accounts
to the local administrators group.
In order to exploit this vulnerability, the attacker would need to be able
to log on locally. This means the attacker would need the ability to log
onto the target machine interactively and run code on the system. By
default, unprivileged users cannot interactively log onto NT4 Domain
Controllers, and if normal security precautions have been taken, the only
machines at risk will be workstations and terminal servers.
What causes the vulnerability?
The vulnerability results because the MUP (Multiple UNC Provider) service
contains an unchecked buffer. By sending a specially malformed request, it
could be possible to conduct a buffer overrun attack against an affected
system.
What is UNC?
UNC (Uniform naming convention) is a method of identifying resources such
as share names or files on a network. A typical UNC name begins with two
backslashes followed by a server name:
\\server\share\subdirectory\filename
What is MUP?
The Multiple UNC Provider (MUP) is a Windows service that assists in
locating network resources that are identified via UNC (uniform naming
convention). The MUP receives commands containing UNC names from
applications and sends the name to each registered UNC provider, LAN
Manager workstation, and any others that are installed. When a provider
identifies a UNC name as its own, the MUP automatically redirects future
instances of that name to that provider.
What's wrong with MUP?
When MUP receives a file request that uses the uniform naming convention
(UNC), it allocates a buffer to store the request. There is proper input
checking on this first copy. However, MUP stores a second copy of the
request in the buffer when it sends the request to a redirector, and this
second copy is not length-checked. As a result, a MUP request could result
in a buffer overrun.
What could the attacker do with this vulnerability?
The attacker could use this vulnerability to run code in the context of
the LocalSystem account, that is, as the operating system itself. However,
the buffer overflow will not always succeed, and when it fails the result
is a denial of service, because the target machine crashes and reboots. If
the attacker is successful in elevating privilege to that of LocalSystem,
the attacker could take any desired action on the machine.
How could an attacker exploit this vulnerability?
The attacker would first need the ability to log on to the target machine
with valid user credentials. Once logged in, the attacker would have to be
able to copy a program that calls the MUP service in a way that exploits
the vulnerability.
Could this vulnerability be exploited remotely?
No. The attacker's program would need to run locally on the machine. This
means the attacker would need the ability to log onto the machine
interactively and start the malicious program. This is an important point,
because, if normal security restrictions are observed, unprivileged users
will not be able to log onto critical machines such as domain controllers,
and as a result would be unable to attack them.
What systems would be most at risk?
Workstations and terminal servers are at the greatest risk for this
vulnerability because they let users log on interactively by design.
Why is this harder to exploit on Windows 2000?
The kernel manages the second copy of the buffer that this vulnerability
overflows. The kernel's memory layout is not externally controllable and
therefore unpredictable, so the most likely result of an attempt is a
system blue screen or reboot rather than code execution.
What does the patch do?
The patch eliminates the vulnerability by instituting proper input
checking on the MUP service.
ADDITIONAL INFORMATION
The information has been provided by Microsoft.