[NT] Workstation Service NetpManageIPCConnect Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Workstation Service NetpManageIPCConnect Buffer Overflow
------------------------------------------------------------------------


SUMMARY

A flaw exists in a default Windows component called the "Workstation
Service" that when exploited allows for remote code execution in SYSTEM
context, allowing an attacker to take complete control of affected
systems.

DETAILS

Vulnerable Systems:
* Windows 2000
* Windows XP SP1

Technical Details:
In the Workstation Service module called wkssvc.dll, the
NetpManageIPCConnect function has a call to "swprintf" with an unchecked
buffer. The input buffer is controllable by the remote attacker.

.text:76781D67 mov edi, [ebp+arg_0]
...
.text:76781D90 lea eax, [ebp+var_2CC]
...
.text:76781DA0 push edi
.text:76781DA1 push offset "%ws\\IPC$"
.text:76781DA6 push eax
.text:76781DA7 call ds:swprintf

This function is called by NetpJoinDomain, which is eventually called by
the NetrJoinDomain2 function, which is exposed through RPC.

The IDL for NetrJoinDomain2 looks like this:
long _NetrJoinDomain2@28 (
    [in][unique][string] wchar_t * arg_1,
    [in][string] wchar_t * arg_2,
    [in][unique][string] wchar_t * arg_3,
    [in][unique][string] wchar_t * arg_4,
    [in][unique] struct_C * arg_5,
    [in] long arg_6
);

arg_2 contains a string of the form <Domain name>+"\"+<Hostname>. The
<Hostname> part is passed as NetpManageIPCConnect's first argument. That
value is under the attacker's control and is passed to swprintf without any
length check, which causes a stack-based buffer overflow.

For this vulnerable code to be reached, we must provide a valid and live
<Domain name> as a part of the string. We can set up a fake domain server
anywhere reachable from the vulnerable machine on the Internet.
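An added illustration (not eEye's or Microsoft's code) of what a bounded version of the swprintf call above looks like in portable C: the server-name length is checked against the destination before formatting, so an oversized name is rejected instead of overflowing the stack buffer. The 64-character buffer size, the function names and the probe inputs are constructed for this example; the advisory does not state the real size of the wkssvc buffer.

```c
#include <stdio.h>
#include <wchar.h>

/* Constructed size; the advisory does not give the real wkssvc buffer size. */
#define IPC_PATH_WCHARS 64

/* Bounded equivalent of the swprintf("%ws\\IPC$") call in NetpManageIPCConnect:
 * formats "<server>\IPC$" into out. Returns 0 on success, -1 (nothing
 * written) when the attacker-controlled server name would not fit. */
int build_ipc_path(const wchar_t *server, wchar_t *out, size_t out_wchars)
{
    const size_t suffix_wchars = wcslen(L"\\IPC$") + 1;   /* includes NUL */
    if (server == NULL || out == NULL || out_wchars == 0)
        return -1;
    /* The length check the original code lacked. */
    if (wcslen(server) + suffix_wchars > out_wchars)
        return -1;
    /* POSIX swprintf takes a size (the classic MSVC swprintf does not);
     * %ls is the portable spelling of MSVC's %ws. */
    if (swprintf(out, out_wchars, L"%ls\\IPC$", server) < 0)
        return -1;
    return 0;
}

/* Probe with a constructed name of len 'A's: 1 if accepted, 0 if rejected. */
int accepts_name_of_length(size_t len)
{
    wchar_t name[512], out[IPC_PATH_WCHARS];
    size_t i;
    if (len >= sizeof name / sizeof name[0])
        return 0;
    for (i = 0; i < len; i++)
        name[i] = L'A';
    name[len] = L'\0';
    return build_ipc_path(name, out, IPC_PATH_WCHARS) == 0;
}

/* A short, legitimate name must still format to exactly "DC01\IPC$". */
int formats_short_name(void)
{
    wchar_t out[IPC_PATH_WCHARS];
    return build_ipc_path(L"DC01", out, IPC_PATH_WCHARS) == 0 &&
           wcscmp(out, L"DC01\\IPC$") == 0;
}

int main(void)
{
    printf("DC01 ok=%d len58=%d len59=%d\n", formats_short_name(),
           accepts_name_of_length(58), accepts_name_of_length(59));
    return 0;
}
```

With the 64-character destination, a 58-character name is the longest that fits together with "\IPC$" and the terminator; a 59-character name is refused.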

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx


ADDITIONAL INFORMATION

The information has been provided by <mailto:Advisories@xxxxxxxx> eEye
Advisories.
The original article can be found at:
http://research.eeye.com/html/advisories/published/AD20061114.html


