[NT] ntdll.dll Buffer Overflow Vulnerability (Local)

From: SecuriTeam (support_at_securiteam.com)
Date: 06/02/03

    To: list@securiteam.com
    Date: 2 Jun 2003 20:41:44 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      ntdll.dll Buffer Overflow Vulnerability (Local)
    ------------------------------------------------------------------------

    SUMMARY

    A buffer overflow vulnerability exists in the function 'RtlGetFullPathName_U'
    in 'ntdll.dll', which is called by several Windows APIs.

    This function uses a 16-bit integer (unsigned short) internally to hold the
    given string's length. As a result, it cannot obtain the correct length of a
    string whose size is over 65536 bytes (exceeding the maximum of a 16-bit
    integer), and the given buffer is then overflowed.

    Consequently, if an attacker can make a program or service call
    'RtlGetFullPathName_U' with a string whose size is over 65536 bytes, it may
    be possible for him to execute arbitrary code or escalate his privileges.

    DETAILS

    Vulnerable systems:
     * ntdll.dll version 5.1.2600.1106

    Immune systems:
     * ntdll.dll version 5.1.2600.1217

    Solution:
    Apply the patch (Hotfix of 'Q815021') that is provided by the vendor for
    the Security Bulletin MS03-007.

    http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

    Vendor status:
    2003-05-28 The vendor released the patch for Windows XP, and they added
    this vulnerability's information to the Security Bulletin MS03-007.

    Technical Details:
    'RtlGetFullPathName_U' in 'ntdll.dll' is a function that resolves a
    complete path. It is given a string (path), a buffer and the buffer's size,
    and it returns the complete path by writing it to the given buffer. It is
    called by Windows APIs such as 'GetFullPathNameW'. The buffer overflow
    vulnerability in this function is caused by the following:

    'RtlGetFullPathName_U' handles the given string (path) internally using the
    'UNICODE_STRING' structure. By specification, this structure stores the
    string's length as a 16-bit integer (unsigned short). If the given string's
    length is over 65536 bytes (32768 characters), the function
    'RtlInitUnicodeString' truncates the length to a 16-bit integer before
    storing it in this structure.

    'RtlGetFullPathName_U' can therefore write more data to the given buffer
    than the buffer's length, because it trusts the string length returned by
    'RtlInitUnicodeString', which is shorter than the actual length; the buffer
    overflow then occurs.

    If the buffer was allocated on the stack, a stack-based buffer overflow
    occurs.

    Remarks:
    This vulnerability differs from the one described in Security Bulletin
    'MS03-007'. The known 'MS03-007' problem was caused by
    'RtlDosPathNameToNtPathName_U'. However, the two can be called similar
    vulnerabilities, since they share the same fundamental cause: both trust a
    string size obtained through the 'UNICODE_STRING' structure and the
    'RtlInitUnicodeString' function, which cannot handle a string length that
    exceeds 16 bits.

    In addition, although this vulnerability also existed in Windows 2000, it is
    already fixed there by the patch (Q815021 for Windows 2000) that the vendor
    has provided.
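    The root cause described in the Technical Details and Remarks above is a
    byte count stored into a 16-bit field without a range check. The following
    program is an added example, not part of the advisory and not ntdll code: it
    models that truncation on a UNICODE_STRING-shaped structure with a portable
    2-byte character type, beside a range-checked initializer that refuses an
    oversized string instead of truncating it (the approach RtlInitUnicodeStringEx
    takes by returning STATUS_NAME_TOO_LONG). Names prefixed "model_", the
    MODEL_MAX_STRING_BYTES limit and the 'A'-filled input are this example's own
    assumptions; the 0x8008 length is the one the advisory's sample program uses.

```c
/* Added example (not part of the advisory or ntdll): a portable model of the
 * 16-bit length field in UNICODE_STRING that the advisory identifies as the
 * root cause, beside a range-checked initializer that refuses oversized
 * input instead of truncating it. Names prefixed "model_" are this
 * example's own; the struct layout mirrors the documented UNICODE_STRING. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint16_t WCHAR16;              /* 2-byte UTF-16 unit, as WCHAR on Windows */

typedef struct {
    uint16_t Length;                   /* bytes, not counting the terminator */
    uint16_t MaximumLength;            /* bytes, including the terminator */
    WCHAR16 *Buffer;
} MODEL_UNICODE_STRING;

/* Largest byte count that still fits in the 16-bit MaximumLength field
 * together with a 2-byte terminator (this example's own limit: 0xFFFE - 2). */
#define MODEL_MAX_STRING_BYTES (0xFFFEu - sizeof(WCHAR16))

static size_t wlen16(const WCHAR16 *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Mirrors the truncating behaviour the advisory describes for
 * RtlInitUnicodeString: the byte count is stored into a 16-bit field
 * with no range check, so 0x10010 bytes silently becomes 0x10. */
void model_init_unicode_string(MODEL_UNICODE_STRING *us, WCHAR16 *src)
{
    size_t bytes = wlen16(src) * sizeof(WCHAR16);
    us->Buffer = src;
    us->Length = (uint16_t)bytes;                       /* truncated */
    us->MaximumLength = (uint16_t)(bytes + sizeof(WCHAR16));
}

/* Hardened variant: reject any source whose byte length does not fit,
 * instead of truncating it. Returns 0 on success, -1 when the input is
 * too long (the caller must then refuse the path, not pass it on). */
int model_init_unicode_string_checked(MODEL_UNICODE_STRING *us, WCHAR16 *src)
{
    size_t bytes = wlen16(src) * sizeof(WCHAR16);
    if (bytes > MODEL_MAX_STRING_BYTES) {
        us->Buffer = NULL;
        us->Length = 0;
        us->MaximumLength = 0;
        return -1;
    }
    us->Buffer = src;
    us->Length = (uint16_t)bytes;
    us->MaximumLength = (uint16_t)(bytes + sizeof(WCHAR16));
    return 0;
}

/* Constructed input: nchars non-null 'A' units followed by a terminator. */
static WCHAR16 *make_input(size_t nchars)
{
    WCHAR16 *s = malloc((nchars + 1) * sizeof(WCHAR16));
    if (s == NULL)
        abort();
    for (size_t i = 0; i < nchars; i++)
        s[i] = 0x41;
    s[nchars] = 0;
    return s;
}

/* Length the truncating initializer records for an nchars-long input. */
uint16_t model_truncated_length(size_t nchars)
{
    WCHAR16 *s = make_input(nchars);
    MODEL_UNICODE_STRING us;
    model_init_unicode_string(&us, s);
    uint16_t len = us.Length;
    free(s);
    return len;
}

/* Status (0 or -1) the checked initializer returns for an nchars-long input. */
int model_checked_init_status(size_t nchars)
{
    WCHAR16 *s = make_input(nchars);
    MODEL_UNICODE_STRING us;
    int rc = model_init_unicode_string_checked(&us, s);
    free(s);
    return rc;
}

int main(void)
{
    size_t n = 0x8008;   /* the length used by the advisory's sample program */
    printf("%zu chars = 0x%zx bytes; truncated Length = 0x%x; checked init = %d\n",
           n, n * sizeof(WCHAR16), model_truncated_length(n),
           model_checked_init_status(n));
    return 0;
}
```

    For the advisory's 0x8008-character input the truncating initializer
    records a Length of 0x10 bytes, which is why a consumer that trusts that
    field believes the string fits in a small buffer; the checked initializer
    returns -1 for the same input and 0 for a 0x100-character one. The
    defensive point for code that accepts paths from untrusted callers is the
    same: bound the input length before it reaches any API that stores it in a
    16-bit field.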

    Sample code:
    The following is an example of a vulnerable program that triggers the buffer
    overflow through this vulnerability. It is not exploit code.

    'GetFullPathNameW' is a vulnerable API that calls 'RtlGetFullPathName_U'
    internally.

      //------------------------------------------------------
      #include <windows.h>
      #include <stdio.h>
      #include <string.h>   // memset

      // Calls GetFullPathNameW with a stack buffer that is far smaller than
      // the input path, which is what triggers the overflow described above.
      void vuln_func(wchar_t *long_string)
      {
          wchar_t *tmp_wc;
          wchar_t buffer[0x100*2];   // stack buffer of 0x200 WCHARs

          printf("ready ... \n");

          //
          // about 'GetFullPathName'
          // http://msdn.microsoft.com/library/en-us/fileio/base/getfullpathname.asp
          //
          // RtlGetFullPathName_U is called from GetFullPathNameW.
          //

          // nBufferLength is 0x100 WCHARs; the truncated UNICODE_STRING length
          // makes the input look smaller than this, so the copy overruns.
          GetFullPathNameW(long_string, 0x100, buffer, &tmp_wc);

          // No return here.
          printf("returned\n");
      }

      // 0x8008 WCHARs = 0x10010 bytes; truncated to 16 bits this is 0x10.
      const int vuln_length = 0x8008; // 0xFFFF & (0x8008*2) == 0x10

      int main()
      {
          // Allocate the long path, fill it with non-null characters and
          // NUL-terminate it so its true length is 0x8008 WCHARs.
          wchar_t *p = new wchar_t[vuln_length + 32];

          memset(p, 0x90, vuln_length*sizeof(wchar_t));
          p[vuln_length] = 0;

          vuln_func(p);

          delete[] p;
          return 0;
      }
      //--------------------------------------------------------

    Time table:
    2003-04-20 Discovered this vulnerability.
    2003-04-24 Reported to 'Microsoft Security Response Center' of the vendor.
    2003-04-24 Got the reply from the vendor.
    2003-05-08 Asked the status to the vendor.
    2003-05-13 Got the reply from the vendor.
    2003-05-28 The vendor released the patch and the information.
    2003-05-30 Released this advisory.

    ADDITIONAL INFORMATION

    Technical References:
    [1] "MSDN Library - UNICODE_STRING"
    http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k112_401e.asp

    [2] "MSDN Library - RtlInitUnicodeString"
    http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k109_6x4i.asp

    References:
    [1] Microsoft Security Bulletin MS03-007 "Unchecked Buffer In Windows
    Component Could Cause Server Compromise (815021)"
    http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

    The information has been provided by <mailto:nesumin@softhome.net> :: Operash ::.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

