[VulnWatch] Microsoft NetDDE Service Unauthenticated Remote Buffer Overflow

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 01/21/05

    To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
    Date: Fri, 21 Jan 2005 15:16:54 -0000
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Microsoft NetDDE Service Unauthenticated Remote Buffer Overflow
    Systems Affected: Microsoft Windows NT/2000/XP/2003 Server
    Severity: High
    Vendor URL: http://www.microsoft.com/
    Author: John Heasman [ john@ngssoftware.com ]
    Date of Public Advisory: 21st January 2005
    Advisory number: #NISR21012005
    Advisory URL: http://www.ngssoftware.com/advisories/netddefull.txt

    Description
    ***********

    A vulnerability has been discovered in the Microsoft NetDDE service
    which can allow a remote attacker to execute arbitrary code on a system
    without authentication.

    This vulnerability can also be used by any low privileged local user to
    gain Local System privileges.

    The NetDDE (Network Dynamic Data Exchange) services are designed to be
    used by network applications as a method of interprocess communication.
    NetDDE achieves this by allowing individual applications to create and
    maintain machine resource shares, through which data is dynamically
    exchanged. When a new share is created, the NetDDE DSDM (DDE Share
    Database Manager) service is used to store the share information.

    To control access to the DDE shares which have been created, NetDDE
    exports a set of functions which can be used to grant 'trusted' status
    to a particular share. Only the user who created a share can grant it
    trusted status, and until that has been done a NetDDE client cannot
    exchange data with the application behind that share.

    It is in the code which is designed to set trusted status to a share
    that the vulnerability can be found.

    Details
    *******

    The function exported by NetDDE to grant trusted status to a share is as
    follows:

    UINT NDdeSetTrustedShare(
        LPTSTR lpszServer,
        LPTSTR lpszShareName,
        DWORD  dwTrustOptions
    );

    The first parameter, lpszServer, specifies the name of the server on
    which the NetDDE and DSDM service reside. The second parameter,
    lpszShareName, is the name of the share which is to gain the trusted
    status. The third parameter, dwTrustOptions, describes the operation (or
    level of trust) which is to be performed upon the share.

    NetDDE maintains a list of trusted shares in the system registry which
    is modified upon the successful execution of a 'set trusted share'
    request. When constructing the absolute registry path on which to
    operate, the service concatenates the lpszShareName string onto the
    trusted share root path in a fixed-size, stack-based buffer. Since no
    boundary check is performed on the length of lpszShareName during this
    operation, it is trivial to overflow this buffer and overwrite an
    arbitrary quantity of the stack, including the saved return address.
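    The following C example, added here and not part of the NGSSoftware
    advisory, shows the unbounded concatenation pattern described above next
    to a bounded replacement. The registry root string and the 260-byte
    buffer size are assumptions for illustration (the advisory gives neither),
    and the rejection of share names containing a backslash is an extra
    precaution of this example, not something the advisory discusses.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative trusted-share root; the advisory does not give the exact key.
   It is a stand-in so the length arithmetic below is concrete. */
#define TRUSTED_SHARE_ROOT "SOFTWARE\\Microsoft\\NetDDE\\DDE Trusted Shares\\"

/* Size of the stack buffer the absolute path is built in. The advisory does
   not state the real size; 260 (MAX_PATH) is assumed here. */
#define PATH_BUF_SIZE 260

/* Bytes the concatenated path needs, including the NUL terminator. */
size_t trusted_share_path_bytes_needed(const char *share_name)
{
    return strlen(TRUSTED_SHARE_ROOT) + strlen(share_name) + 1;
}

/* 1 if building the path for this share name would run past PATH_BUF_SIZE. */
int share_name_overflows_path_buffer(const char *share_name)
{
    return trusted_share_path_bytes_needed(share_name) > PATH_BUF_SIZE;
}

/* The vulnerable pattern the advisory describes: root and share name are
   joined into a fixed stack buffer with no bound check. Every byte of the
   share name beyond the free space lands on the stack past 'path', including
   the saved frame pointer and return address. Shown for contrast only; it is
   never called with an oversized name here. Returns the length it built. */
size_t build_trusted_share_path_unsafe(const char *share_name)
{
    char path[PATH_BUF_SIZE];
    strcpy(path, TRUSTED_SHARE_ROOT);
    strcat(path, share_name);            /* unbounded: this is the overflow */
    return strlen(path);                 /* real code would open the key here */
}

/* Bounded version: refuse anything that does not fit in the caller's buffer
   and (extra precaution) anything that would address a different key.
   Returns 0 on success, -1 on rejection; 'out' is untouched on -1. */
int build_trusted_share_path(const char *share_name, char *out, size_t out_len)
{
    size_t root_len = strlen(TRUSTED_SHARE_ROOT);
    size_t name_len = strlen(share_name);

    if (name_len == 0 || strchr(share_name, '\\') != NULL)
        return -1;
    if (root_len + name_len + 1 > out_len)   /* the check the original lacked */
        return -1;

    memcpy(out, TRUSTED_SHARE_ROOT, root_len);
    memcpy(out + root_len, share_name, name_len);
    out[root_len + name_len] = '\0';
    return 0;
}

int main(void)
{
    char long_name[400];                 /* constructed oversized share name */
    char out[PATH_BUF_SIZE];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("\"MyShare\" needs %zu bytes, fits: %s\n",
           trusted_share_path_bytes_needed("MyShare"),
           share_name_overflows_path_buffer("MyShare") ? "no" : "yes");
    printf("399 x 'A' needs %zu bytes, overflows %d-byte buffer: %s\n",
           trusted_share_path_bytes_needed(long_name), PATH_BUF_SIZE,
           share_name_overflows_path_buffer(long_name) ? "yes" : "no");
    printf("unsafe build of \"MyShare\": %zu chars\n",
           build_trusted_share_path_unsafe("MyShare"));
    printf("bounded build of long name: %d (rejected)\n",
           build_trusted_share_path(long_name, out, sizeof out));
    return 0;
}
```

    The point to take from the bounded version is that the check is on the
    caller-supplied share name against the remaining space, not on the root
    path, which is the only part of the string the service controls.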

    When observing a NDdeSetTrustedShare() function call being made to a
    remote NetDDE server, it can be seen that the call will fail unless an
    authenticated session has already been established with the target
    machine - by default a null session is not sufficient.

    During further research of the vulnerability, we observed a difference
    in the network interactions between an application communicating with a
    NetDDE server and two NetDDE servers communicating with each other. When
    two NetDDE servers needed to communicate, the data was carried over a
    raw NetBIOS session rather than over SMB. Furthermore, all that was
    required for the two NetDDE services to establish communication in this
    fashion was a NetBIOS session setup request.

    Further investigation showed that an attacker could simply interact
    with the vulnerable function over NetBIOS in this fashion, without first
    needing to complete the authentication stage that the SMB named pipe
    used by NetDDE clients requires. Communicating directly in this manner
    grants the attacker remote, unauthenticated access to the vulnerable
    function.
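    As an added example (not code from the advisory), the following C builds
    and parses the NetBIOS Session Service request (RFC 1001/1002, message
    type 0x81) that the paragraphs above identify as the only prerequisite
    for the server-to-server path. It encodes the called and calling names
    with first-level encoding and uses the <1F> NetBIOS suffix for the NetDDE
    service; the machine names "TARGET" and "ATTACKER" are constructed here.
    It only produces and inspects bytes and sends nothing; what NetDDE then
    expects inside the session is not described on this page and is not
    reproduced.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBSS_SESSION_REQUEST   0x81
#define NBSS_POSITIVE_RESPONSE 0x82
#define NBSS_NEGATIVE_RESPONSE 0x83
#define NB_SUFFIX_NETDDE       0x1F   /* NetBIOS name suffix registered by NetDDE */
#define NB_SUFFIX_WORKSTATION  0x00
#define NB_ENCODED_NAME_LEN    34     /* length byte + 32 encoded chars + terminator */

/* First-level encoding: pad the name to 15 bytes with spaces, append the
   suffix as byte 16, then emit each nibble as 'A' + nibble. */
size_t nb_encode_name(const char *name, uint8_t suffix, uint8_t out[NB_ENCODED_NAME_LEN])
{
    uint8_t raw[16];
    size_t n = strlen(name);
    if (n > 15) n = 15;
    memset(raw, ' ', 15);
    for (size_t i = 0; i < n; i++)
        raw[i] = (uint8_t)toupper((unsigned char)name[i]);
    raw[15] = suffix;

    out[0] = 0x20;                                   /* 32 encoded bytes follow */
    for (size_t i = 0; i < 16; i++) {
        out[1 + 2 * i]     = (uint8_t)('A' + (raw[i] >> 4));
        out[1 + 2 * i + 1] = (uint8_t)('A' + (raw[i] & 0x0F));
    }
    out[33] = 0x00;                                  /* end of name */
    return NB_ENCODED_NAME_LEN;
}

/* Reverse of nb_encode_name: recover the name (trailing spaces trimmed) and
   the suffix byte. Returns -1 if the label is malformed. */
int nb_decode_name(const uint8_t enc[NB_ENCODED_NAME_LEN], char name[16], uint8_t *suffix)
{
    uint8_t raw[16];
    if (enc[0] != 0x20 || enc[33] != 0x00) return -1;
    for (size_t i = 0; i < 16; i++) {
        int hi = enc[1 + 2 * i] - 'A', lo = enc[2 + 2 * i] - 'A';
        if (hi < 0 || hi > 15 || lo < 0 || lo > 15) return -1;
        raw[i] = (uint8_t)((hi << 4) | lo);
    }
    size_t n = 15;
    while (n > 0 && raw[n - 1] == ' ') n--;
    memcpy(name, raw, n);
    name[n] = '\0';
    *suffix = raw[15];
    return 0;
}

/* Session Request: 4-byte header (type, flags, 16-bit length) followed by
   the called name and the calling name. Returns bytes written, 0 on error. */
size_t nbss_build_session_request(const char *called, uint8_t called_suffix,
                                  const char *calling, uint8_t calling_suffix,
                                  uint8_t *out, size_t out_len)
{
    const size_t payload = 2 * NB_ENCODED_NAME_LEN;  /* 68 */
    if (out_len < 4 + payload) return 0;
    out[0] = NBSS_SESSION_REQUEST;
    out[1] = 0x00;                                   /* flags; bit 0 is length bit 16 */
    out[2] = (uint8_t)(payload >> 8);
    out[3] = (uint8_t)(payload & 0xFF);
    nb_encode_name(called, called_suffix, out + 4);
    nb_encode_name(calling, calling_suffix, out + 4 + NB_ENCODED_NAME_LEN);
    return 4 + payload;
}

/* Classify a session-service message: returns the type byte (0x81..0x85) and
   stores the body length, or -1 if fewer than 4 bytes are available. */
int nbss_message_type(const uint8_t *buf, size_t len, size_t *body_len)
{
    if (len < 4) return -1;
    *body_len = ((size_t)(buf[1] & 0x01) << 16) | ((size_t)buf[2] << 8) | buf[3];
    return buf[0];
}

int main(void)
{
    uint8_t pkt[128];
    size_t n = nbss_build_session_request("TARGET", NB_SUFFIX_NETDDE,
                                          "ATTACKER", NB_SUFFIX_WORKSTATION,
                                          pkt, sizeof pkt);
    printf("session request, %zu bytes:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", pkt[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    return 0;
}
```

    When watching for this on the wire, the distinguishing feature is a
    session request whose called name carries the <1F> suffix on TCP/139
    with no SMB negotiation following it; a client going through the named
    pipe would instead show an SMB session setup after the NetBIOS session.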

    Fix Information
    ***************

    Microsoft have released an update for NetDDE which addresses this issue.
    This can be downloaded from:

    http://www.microsoft.com/technet/security/bulletin/MS04-031.mspx

    A check for this vulnerability has been added to Typhon III,
    NGSSoftware's advanced vulnerability assessment scanner. For more
    information please visit the NGSSoftware website at
    http://www.ngssoftware.com/

    About NGSSoftware
    *****************

    NGSSoftware design, research and develop intelligent, advanced
    application security assessment scanners. Based in the United Kingdom,
    NGSSoftware have offices in the South of London and the East Coast of
    Scotland.

    NGSSoftware's sister company NGSConsulting, offers best of breed
    security consulting services, specialising in application, host and
    network security assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com

