[NT] Workstation Service NetpManageIPCConnect Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Nov 2006 10:45:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Workstation Service NetpManageIPCConnect Buffer Overflow
A flaw exists in a default Windows component called the "Workstation
Service" that, when exploited, allows remote code execution in SYSTEM
context, giving an attacker complete control of affected systems:
* Windows 2000
* Windows XP SP1
In the Workstation Service module wkssvc.dll, the NetpManageIPCConnect
function calls "swprintf" with an unchecked destination buffer. The input
string is controllable by the remote attacker.
.text:76781D67 mov edi, [ebp+arg_0]
.text:76781D90 lea eax, [ebp+var_2CC]
.text:76781DA0 push edi
.text:76781DA1 push offset "%ws\\IPC$"
.text:76781DA6 push eax
.text:76781DA7 call ds:swprintf
This function is called by NetpJoinDomain, which is eventually called by
the NetrJoinDomain2 function, which is exposed through RPC.
The IDL for NetrJoinDomain2 looks like this:
long _NetrJoinDomain2@28 (
    [in][unique][string] wchar_t * arg_1,
    [in][string] wchar_t * arg_2,
    [in][unique][string] wchar_t * arg_3,
    [in][unique][string] wchar_t * arg_4,
    [in][unique] struct_C * arg_5,
    [in] long arg_6
);
arg_2 contains a string of the form <Domain name>+"\"+<Hostname>. This
string is passed as NetpManageIPCConnect's first argument. Because it is
under the attacker's control and is handed to swprintf without a length
check, it causes a stack-based buffer overflow.
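The pattern behind this bug, an unbounded swprintf of attacker-supplied input into a fixed-size stack local, is shown below beside its bounds-checked form. This is an added example written for this page, not code from the advisory, eEye or Microsoft. The destination size IPC_PATH_CHARS (256) is an assumption, since the listing only shows the local at [ebp+var_2CC] and the advisory does not state its size; the function names and the constructed test names made of repeated 'A' characters are likewise mine. The model of the vulnerable path only computes whether the write would exceed the buffer; it never performs the out-of-bounds write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Assumed buffer size for the demonstration: the listing only shows the
   destination at [ebp+var_2CC]; the advisory does not state how many
   wide characters that local holds, so 256 is a made-up figure. */
#define IPC_PATH_CHARS 256

/* Wide characters the formatted "<server>\IPC$" string occupies,
   including the terminating NUL. */
size_t ipc_path_needed(const wchar_t *server)
{
    return wcslen(server) + wcslen(L"\\IPC$") + 1;
}

/* Model of the vulnerable pattern: an unbounded swprintf into a fixed
   stack buffer writes past the end whenever the input does not fit.
   This only reports whether that would happen for the given input. */
int unchecked_would_overflow(const wchar_t *server)
{
    return ipc_path_needed(server) > IPC_PATH_CHARS;
}

/* Hardened form: reject over-long input before formatting and use the
   size-bounded swprintf. Returns 0 on success, -1 when the input does
   not fit (the caller should fail the request rather than truncate).
   Standard C spells the wide-string conversion %ls; the Windows CRT in
   the listing uses %ws for the same conversion. */
int build_ipc_path_checked(wchar_t *out, size_t out_chars,
                           const wchar_t *server)
{
    if (out == NULL || out_chars == 0 || server == NULL)
        return -1;
    if (ipc_path_needed(server) > out_chars) {
        out[0] = L'\0';
        return -1;
    }
    int n = swprintf(out, out_chars, L"%ls\\IPC$", server);
    if (n < 0 || (size_t)n >= out_chars) {
        out[0] = L'\0';
        return -1;
    }
    return 0;
}

/* Constructed test input: a server name of name_len 'A' characters. */
static wchar_t *make_name(size_t name_len)
{
    wchar_t *name = malloc((name_len + 1) * sizeof *name);
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < name_len; i++)
        name[i] = L'A';
    name[name_len] = L'\0';
    return name;
}

/* 1 if the unchecked pattern would overflow for a name of this length,
   0 if it fits, -2 on allocation failure. */
int unchecked_overflow_for_length(size_t name_len)
{
    wchar_t *name = make_name(name_len);
    if (name == NULL)
        return -2;
    int r = unchecked_would_overflow(name);
    free(name);
    return r;
}

/* Result of the checked builder for a name of this length, formatting
   into a buffer of IPC_PATH_CHARS wide characters. */
int checked_result_for_length(size_t name_len)
{
    wchar_t path[IPC_PATH_CHARS];
    wchar_t *name = make_name(name_len);
    if (name == NULL)
        return -2;
    int rc = build_ipc_path_checked(path, IPC_PATH_CHARS, name);
    free(name);
    return rc;
}

int main(void)
{
    size_t lens[] = { 20, 250, 251, 1000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name length %4zu: unchecked overflow=%d checked rc=%d\n",
               lens[i], unchecked_overflow_for_length(lens[i]),
               checked_result_for_length(lens[i]));
    return 0;
}
```

With the assumed 256-character buffer, a name of 250 characters is the largest that fits once the six characters of "\IPC$" and the terminator are added; at 251 the unchecked version would already write one wide character past the end, while the checked builder refuses the input and leaves an empty string. The pre-check on ipc_path_needed is what matters; the size argument to swprintf is a second line of defence, not a substitute for rejecting input the caller cannot accommodate.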
For this vulnerable code to be reached, we must provide a valid and live
<Domain name> as a part of the string. We can set up a fake domain server
anywhere reachable from the vulnerable machine on the Internet.
Microsoft has released a patch for this vulnerability. The patch is
The information has been provided by <mailto:Advisories@xxxxxxxx> eEye
The original article can be found at: