[NT] Plug and Play Vulnerability Allows Remote Code Execution and Local Elevation of Privilege (MS05-047)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/12/05

  • Next message: SecuriTeam: "[NT] Vulnerability in the Client Service for NetWare Allows Remote Code Execution (MS05-046)"
    To: list@securiteam.com
    Date: 12 Oct 2005 09:53:28 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Plug and Play Vulnerability Allows Remote Code Execution and Local
    Elevation of Privilege (MS05-047)
    ------------------------------------------------------------------------

    SUMMARY

    A remote code execution and local elevation of privilege vulnerability
    exists in Plug and Play that could allow an authenticated attacker who
    successfully exploited this vulnerability to take complete control of the
    affected system.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 4 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=FFDB8AB7-F979-41B4-9625-EA51CD503258> Download the update
     * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
    Pack 2 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=1559E44A-DDEE-4C86-BF02-A6C3B9BEEE0C> Download the update

    Non-Affected Software:
     * Microsoft Windows XP Professional x64 Edition
     * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
    Pack 1
     * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
    Windows Server 2003 with SP1 for Itanium-based Systems
     * Microsoft Windows Server 2003 x64 Edition
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120>
    CAN-2005-2120

    Mitigating Factors for Plug and Play Vulnerability:
     * On Windows XP Service Pack 2 an attacker must have valid logon
    credentials and be able to log on locally to exploit this vulnerability.
    The vulnerability could not be exploited remotely by anonymous users or by
    users who have standard user accounts. However, the affected component is
    available remotely to users who have administrative permissions.

     * On Windows 2000 and Windows XP Service Pack 1 an attacker must have
    valid logon credentials to try to exploit this vulnerability. The
    vulnerability could not be exploited remotely by anonymous users. However,
    the affected component is available remotely to users who have standard
    user accounts. In certain configurations, anonymous users could
    authenticate as the Guest account. For more information, see Microsoft
    Security Advisory
    <http://www.microsoft.com/technet/security/advisory/906574.mspx> 906574.

    Note If the security updates that are provided by Microsoft Security
    Bulletin
    <http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
    MS05-039 have not been installed on Windows 2000, this issue could be
    exploited remotely by anonymous users. . If these security updates have
    been installed, this issue is restricted to authenticated users on Windows
    2000. On Windows XP Service Pack 1, this issue is restricted to
    authenticated users, even without the security updates that are provided
    by <http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
    MS05-039.

     * Firewall best practices and standard default firewall configurations
    can help protect networks from attacks that originate outside the
    enterprise perimeter. Best practices recommend that systems that are
    connected to the Internet have a minimal number of ports exposed.

    Workarounds for Plug and Play Vulnerability:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    in the following section.

    Note Other protocols, such as Internetwork Packet Exchange (IPX) and
    Sequenced Packet Exchange (SPX), could be vulnerable to this issue. If you
    are using vulnerable protocols such as IPX and SPX, you should block the
    appropriate ports for those protocols. For more information about IPX and
    SPX, visit the following Microsoft Web site.

    Note As mentioned in the "Mitigating Factors" section, Windows XP Service
    Pack 2 is vulnerable to this issue primarily from an attacker who is
    logged on locally. The following workarounds are designed primarily for
    earlier operating system versions that are vulnerable to network-based
    attacks.

     * Block TCP ports 139 and 445 at the firewall:

    These ports are used to initiate a connection with the affected protocol.
    Blocking them at the firewall, both inbound and outbound, will help
    prevent systems that are behind that firewall from attempts to exploit
    this vulnerability. We recommend that you block all unsolicited inbound
    communication from the Internet to help prevent attacks that may use other
    ports. For more information about ports, visit the following Web site.

     * To help protect from network-based attempts to exploit this
    vulnerability, use a personal firewall, such as the Internet Connection
    Firewall, which is included with Windows XP Service Pack 1.

    By default, the Internet Connection Firewall feature in Windows XP Service
    Pack 1 helps protect your Internet connection by blocking unsolicited
    incoming traffic. We recommend that you block all unsolicited incoming
    communication from the Internet.

    To enable the Internet Connection Firewall feature by using the Network
    Setup Wizard, follow these steps:

    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Network and Internet Connections,
    and then click Setup or change your home or small office network. The
    Internet Connection Firewall feature is enabled when you select a
    configuration in the Network Setup Wizard that indicates that your system
    is connected directly to the Internet.

    To configure Internet Connection Firewall manually for a connection,
    follow these steps:

    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Networking and Internet
    Connections, and then click Network Connections.
    3. Right-click the connection on which you want to enable Internet
    Connection Firewall, and then click Properties.
    4. Click the Advanced tab.
    5. Click to select the Protect my computer or network by limiting or
    preventing access to this computer from the Internet check box, and then
    click OK.

    Note If you want to enable certain programs and services to communicate
    through the firewall, click Settings on the Advanced tab, and then select
    the programs, the protocols, and the services that are required.

     * To help protect from network-based attempts to exploit this
    vulnerability, enable advanced TCP/IP filtering on systems that support
    this feature.

    You can enable advanced TCP/IP filtering to block all unsolicited inbound
    traffic. For more information about how to configure TCP/IP filtering, see
    Microsoft Knowledge Base Article <http://support.microsoft.com/kb/309798>
    309798.

     * To help protect from network-based attempts to exploit this
    vulnerability, block the affected ports by using IPsec on the affected
    systems.

    Use Internet Protocol security (IPsec) to help protect network
    communications. Detailed information about IPsec and about how to apply
    filters is available in Microsoft Knowledge Base Article
    <http://support.microsoft.com/kb/313190> 313190 and Microsoft Knowledge
    Base Article <http://support.microsoft.com/kb/813878> 813878.

    What is the scope of the vulnerability?
    This is a remote code execution and local privilege elevation
    vulnerability. On Windows 2000 and Windows XP Service Pack 1, an
    authenticated user could remotely try to exploit this vulnerability. On
    Windows XP Service Pack 2, only an administrator can remotely access the
    affected component. Therefore, on Windows XP Service Pack 2, this is
    strictly a local privilege elevation vulnerability. An anonymous user
    cannot remotely attempt to exploit this vulnerability on Windows XP
    Service Pack 2.

    An attacker who successfully exploited this vulnerability could take
    complete control of an affected system. An attacker could then install
    programs; view, change, or delete data; or create new accounts with full
    user rights.

    What causes the vulnerability?
    The process that Plug and Play uses to validate user supplied data.

    What is Plug and Play?
    Plug and Play (PnP) allows the operating system to detect new hardware
    when you install it on a system. For example, when you install a new mouse
    on your system, PnP allows Windows to detect it, allows Windows to load
    the needed drivers, and allows Windows to begin using the new mouse.

    What might an attacker use the vulnerability to do?
    An authenticated attacker who successfully exploited this vulnerability
    could take complete control of the affected system.

    How could an attacker exploit the vulnerability?
    On Windows 2000 and Windows XP Service Pack 1, an authenticated attacker
    could try to exploit the vulnerability by creating a specially crafted
    network message and sending the message to an affected system. The message
    could then cause the affected system to execute code. In certain Windows
    XP configurations, anonymous users could authenticate as the Guest
    account. For more information, see Microsoft Security Advisory
    <http://www.microsoft.com/technet/security/advisory/906574.mspx> 906574.
    To try to exploit this vulnerability on Windows XP Service Pack 2, an
    attacker must be able to log on locally to a system and could then run a
    specially crafted application.

    What systems are primarily at risk from the vulnerability?
    Windows 2000 and Windows XP Service Pack 1 systems are primarily at risk
    from this vulnerability. On Windows 2000, Windows XP Service Pack 1, and
    Windows XP Service Pack 2 an attacker must have valid logon credentials to
    exploit this vulnerability. The vulnerability could not be exploited
    remotely by anonymous users on Windows 2000, Windows XP Service Pack 1,
    and Windows XP Service Pack 2.

    Note If the security updates that are provided by Microsoft Security
    Bulletin
    <http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
    MS05-039 have not been installed on Windows 2000, this issue could be
    exploited remotely by anonymous users. . If these security updates have
    been installed, this issue is restricted to authenticated users on Windows
    2000. On Windows XP Service Pack 1, this issue is restricted to
    authenticated users, even without the security updates that are provided
    by <http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
    MS05-039.

    Could the vulnerability be exploited over the Internet?
    Not in most cases. An attacker must be able to log on to the specific
    system that is targeted for attack. Firewall best practices and standard
    default firewall configurations can help protect against attacks that
    originate from the Internet. Microsoft has provided information about how
    you can help protect your PC. End users can visit the Protect Your PC Web
    site. IT professionals can visit the Security Guidance Center Web site. On
    Windows XP Service Pack 2, an attacker must be able to log on to the
    specific system that is targeted for attack. An anonymous attacker cannot
    load and run a program remotely by using this vulnerability.

    What does the update do?
    The update removes the vulnerability by modifying the way that the Plug
    and Play service validates the length of a message before it passes the
    message to the allocated buffer.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft received information about this vulnerability through
    responsible disclosure. Microsoft had not received any information to
    indicate that this vulnerability had been publicly disclosed when this
    security bulletin was originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information to indicate that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    How does this vulnerability relate to the Plug and Play Vulnerability that
    is corrected by MS05-039?
    Both vulnerabilities affect the Plug and Play component. However, this
    update addresses a new vulnerability that was not addressed as part of
    MS05-039. MS05-039 helps protect against the vulnerability that is
    discussed in that bulletin, but does not address this new vulnerability.
    This update does replace MS05-039. You can install this update to help
    protect your system against both vulnerabilities.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Vulnerability in the Client Service for NetWare Allows Remote Code Execution (MS05-046)"

    Relevant Pages

    • SecurityFocus Microsoft Newsletter #61
      ... Cisco 12000 Series Internet Router Denial Of Service Vulnerability ... Microsoft Windows 2000 RunAs Service Named Pipe Hijacking... ... Reach the LARGEST audience of security professionals with SecurityFocus ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #176
      ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows XP HCP URI Handler Arbitrary Command Execu... ... PHPNuke Category Parameter SQL Injection Vulnerability ... Microsoft Baseline Security Analyzer Vulnerability Identific... ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #242
      ... MICROSOFT VULNERABILITY SUMMARY ... PostNuke Blocks Module Directory Traversal Vulnerability ... Groove Networks Groove Virtual Office COM Object Security By... ... The Microsoft Windows IPV6 TCP/IP stack is prone to a "loopback" condition initiated by sending a TCP packet with the "SYN" flag set and the source address and port spoofed to equal the destination source and port. ...
      (Focus-Microsoft)
    • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
      ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
      (Securiteam)
    • [NT] Korean Input Method Editor Privileges Elevation (MS06-009)
      ... Get your security news from a reliable source. ... vulnerability exists in the Windows and Office Korean Input Method Editor ... Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ... If Remote Desktop is manually enabled, ...
      (Securiteam)