[NT] Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation

From: support@securiteam.com
Date: 02/06/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 6 Feb 2003 21:06:30 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Unchecked Buffer in Windows Redirector Could Allow Privilege Elevation
    ------------------------------------------------------------------------

    SUMMARY

    The Windows Redirector is used by a Windows client to access files,
    whether local or remote, regardless of the underlying network protocols in
    use. For example, the "Add a Network Place" Wizard or the NET USE command
    can be used to map a network share as a local drive, and the Windows
    Redirector will handle the routing of information to and from the network
    share.

    A security vulnerability exists in the implementation of the Windows
    Redirector on Windows XP because an unchecked buffer is used to receive
    parameter information. By providing malformed data to the Windows
    Redirector, an attacker could cause the system to fail, or if the data was
    crafted in a particular way, could run code of the attacker's choice.

    DETAILS

    Affected Software:
     * Microsoft Windows XP

    Mitigating factors:
     * An attacker would require the ability to log onto the system
    interactively in order to run programs that use the Windows Redirector.
    This vulnerability cannot be exploited remotely.
     * Windows XP systems that are not shared between users would not be at
    risk.

    Patch availability:
    Download locations for this patch
     * Windows XP:
       *
    <http://microsoft.com/downloads/details.aspx?FamilyId=33DABD1F-505E-48ED-B9BD-CDAC0F8A2BC1&displaylang=en-bit Edition
       *
    <http://microsoft.com/downloads/details.aspx?FamilyId=A2258F4E-9A69-4537-9469-0DDEB4BB76F8&displaylang=en-bit Edition

    What's the scope of the vulnerability?
    This is a buffer-overrun vulnerability. An attacker who successfully
    exploited this vulnerability could cause the system to fail, or could
    cause code of the attacker's choice to be executed with system privileges.
    Code running with system privileges could provide the attacker with the
    ability to take any desired action on the machine, such as adding,
    deleting, or modifying data on the system, and creating or deleting user
    accounts.

    The vulnerability could only be exploited by an attacker who had valid
    credentials to interactively log onto the computer.

    What causes the vulnerability?
    The vulnerability results because of an unchecked buffer in the Windows
    Redirector function on Windows XP.

    What is the Windows Redirector?
    The Windows Redirector is a component of Windows XP that is used by a
    Windows client to access files, whether local or remote, regardless of the
    underlying network protocols in use. For example, the "Add a Network
    Place" Wizard or the NET USE command can be used to map a network share as
    a local drive, and the Windows Redirector will handle the routing of
    information to and from the network share.

    What's wrong with the Windows Redirector?
    There is a flaw in the way the Windows Redirector command handles the
    information passed to it. If an overly long parameter were passed to the
    Windows Redirector, it could overrun the buffer allocated for receiving
    the information.
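The class of flaw described above, shown as an added illustration in C; this is not Microsoft's code and not the redirector's actual parameter handling. The function names, the 64-byte buffer size and the UNC-path check are all assumptions made for the example; the unchecked variant is kept only for contrast with the length-checked receiver that the fix pattern calls for.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical size of the buffer that receives a share-path parameter
   (an assumption for this example, not a value from the advisory). */
#define PARAM_BUF 64

/* Pattern of the flaw the advisory describes: the parameter's length is
   never compared with the buffer allocated to receive it, so an over-long
   parameter overruns the stack buffer. Kept only for contrast; calling it
   with an over-long argument is undefined behaviour, so nothing here does. */
void receive_param_unchecked(const char *param)
{
    char buf[PARAM_BUF];
    strcpy(buf, param);   /* no bound check against sizeof buf */
    (void)buf;
}

/* Hardened receiver: measure the parameter without reading past the
   buffer size, reject anything that would not fit with its terminator,
   and only then copy. Returns 0 on success, -1 when rejected. */
int receive_param_checked(const char *param, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && param[n] != '\0') n++;   /* bounded strnlen */
    if (n >= outsz) return -1;                   /* would overrun: refuse */
    memcpy(out, param, n + 1);                   /* n + 1 includes the NUL */
    return 0;
}

/* Model of a NET USE style mapping call (hypothetical): validate the
   length first, then the UNC form \\server\share, before anything
   downstream sees the parameter. Returns 0 when accepted, -1 otherwise. */
int map_share(const char *unc)
{
    char buf[PARAM_BUF];
    if (receive_param_checked(unc, buf, sizeof buf) != 0) return -1;
    if (strncmp(buf, "\\\\", 2) != 0) return -1;        /* must start with \\ */
    const char *share = strchr(buf + 2, '\\');          /* server/share split */
    if (share == NULL || share == buf + 2 || share[1] == '\0') return -1;
    return 0;
}
```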

    What could this vulnerability enable an attacker to do?
    This vulnerability could enable an attacker to cause Windows XP to fail,
    or to run code of the attacker's choice with additional privileges on the
    system.

    How could an attacker exploit this vulnerability?
    An attacker could seek to exploit this vulnerability by logging on to a
    Windows XP system and running a program that called the Windows Redirector
    and provided especially malformed parameter information. For example, the
    attacker could write a program to make the call, or could use a program
    such as NET USE that employs the Windows Redirector. If the malformed
    parameter information were particularly crafted, it could be possible to
    execute code of the attacker's choosing with system privileges.

    What is the NET USE command used for?
    The NET USE command is used to connect a computer to, or disconnect from,
    a shared network resource. NET USE can also display information about a
    computer's current connections.

    For example, if a directory were shared as DirA from a computer named
    ComputerA the following NET USE command would map the shared directory to
    the N: drive.

    NET USE N: \\ComputerA\DirA

    The NET USE command can only be run in a Command Prompt window, invoked by
    Start | Run, or as part of a batch file.

    Could this vulnerability be exploited remotely?
    No, calls to the Windows Redirector may only be made locally. As a result,
    an attacker would need to log on to the system using an interactive logon
    in order to attempt to exploit this vulnerability.

    What systems would be at greatest risk from this vulnerability?
    Only Windows XP workstations that would allow an attacker to log on
    interactively would be affected by this vulnerability. A Windows XP system
    that was not shared with other users would not be able to be attacked
    using this vulnerability.

    Could I accidentally make the system fail because of this vulnerability?
    No. The especially malformed parameter data that would need to be passed
    to the Windows Redirector could not be provided by accident.

    What does the patch do?
    The patch addresses the vulnerability by correctly handling the parameter
    information passed to the Windows Redirector.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:0_43313_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US at
    Newsletters.Microsoft.com> Microsoft Product Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
