[VulnWatch] [EEYEB20050803] - Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability

Date: 10/11/05

  • Next message: Steve Manzuik: "[VulnWatch] OOO Troll - Ignore"
    Date: Tue, 11 Oct 2005 12:05:50 -0700
    To: <bugtraq@securityfocus.com>, <full-disclosur@lists.grok.org.uk>, <vulnwatch@vulnwatch.org>, <ntbugtraq@ntbugtraq.com>

    Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability

    Release Date:
    October 11, 2005

    Date Reported:
    August 3, 2005

    High (Remote Code Execution with Authentication)
    Medium (Privilege Escalation to SYSTEM)


    Systems Affected:
    Windows NT 4.0
    Windows 2000
    Windows XP

    eEye ID #: EEYEB20050803
    OSVDB #: 18830
    CVE #: CAN-2005-2120

    eEye Digital Security has discovered a vulnerability in the Windows Plug
    and Play Service that would allow an unprivileged user to execute
    arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1
    system. On Windows XP SP2, this vulnerability could be exploited by an
    unprivileged user to gain full privileges on a system to which he is
    logged in interactively.

    This vulnerability is unrelated to the MS05-039 Plug and Play
    vulnerability, and is not resolved by the MS05-039 hotfix. We reported
    this vulnerability to Microsoft roughly a week before the MS05-039 patch
    was released, but they neglected to address the vulnerability in spite
    of our warnings. However, generic security measures instituted in the
    patch now prevent its anonymous exploitation, making the eminent threat
    an internal attack or mass compromise in a domain setting.

    Technical Details:
    UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which
    provides an RPC interface for accessing device management and
    notification functionality. The service is default on Windows NT 4.0
    and later, and in fact, support for it is hard-coded into the Service
    Control Manager in SERVICES.EXE. Due to its central importance, the
    service cannot be stopped once started, and attempting to disable it
    runs a high risk of rendering the system unusable.

    The code for UMPNPMGR contains a number of calls to wsprintfW to
    construct various formatted strings in stack buffers, and in two cases
    the user input is only validated by whether or not it corresponds to an
    existent subkey of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum.
    Although this registry branch is protected from unprivileged
    modification, the assumption that any valid key name is safe can
    nevertheless be circumvented by supplying arbitrary lengths of
    consecutive backslashes; for example, "HTREE\ROOT\\\\0\\\\\\\\".

    The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize
    (opnum 11), on the UMPNPMGR interface
    {8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability.
    For the former, any valid subkey name may be passed in order to reach a
    vulnerable wsprintfW call, whereas the latter must receive a key name
    with an empty second (e.g., "HTREE\\ROOT\0") or third ("HTREE\ROOT\\0")
    component in order to reach a vulnerable wsprintfW call within
    GetDeviceInstanceListSize, due to the way SplitDeviceInstanceString
    tokenizes the string.

    On Windows 2000 and earlier, the UMPNPMGR interface may be reached
    without authentication via the \PIPE\browser, \PIPE\srvsvc, and
    \PIPE\wkssvc named pipe RPC endpoints. Windows XP and later has
    migrated many services into host processes, so the few named-pipe
    endpoints over which UMPNPMGR may be reached (e.g., \PIPE\ntsvcs and
    \PIPE\scerpc) require authentication.

    This vulnerability was fixed in Windows 2003 by replacing the unsafe
    wsprintfW calls with calls to _vsnwprintf; why this security fix was not
    ported to any other operating system is unclear.

    Retina, Network Security Scanner, has been updated to be able to
    identify this vulnerability.
    For more information on Retina visit: http://www.eEye.com/Retina

    Blink, Endpoint Vulnerability Prevention, already provides protection
    from attacks based on this vulnerability.
    For more information on Blink visit: http://www.eEye.com/Blink

    Vendor Status:
    For Windows 2000 and XP customers, Microsoft has released a patch for
    this vulnerability. The patch is available at:

    Microsoft will not be releasing a public Windows NT 4.0 patch due to the
    platform's non-supported status. eEye customers with Blink installed on
    NT 4.0 systems are protected from these attacks regardless of patch
    level, with zero impact to system or application functionality.

    Derek Soeder

    Neel, for the better find. =] Dale, BK, DA, Dr. Claw, F2, JE, RH, NR,
    YW. F&MQB. Jussi, Solar, the DC staff, and the Samoan Shellcoder.
    Mike Reavey, Jason Garms, and Writing Secure Code, 3rd Edition.

    Copyright (c) 1998-2005 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please email
    alert@eEye.com for permission.

    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties, implied or express, with regard to this information.
    In no event shall the author be liable for any direct or indirect
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the
    user's own risk.

  • Next message: Steve Manzuik: "[VulnWatch] OOO Troll - Ignore"

    Relevant Pages

    • SecurityFocus Microsoft Newsletter #163
      ... MICROSOFT VULNERABILITY SUMMARY ... Bugzilla Javascript Buglists Remote Information Disclosure V... ... Microsoft Internet Explorer DHTML Drag and Drop Local File S... ... Microsoft Windows Workstation Service Remote Buffer Overflow... ...
    • SecurityFocus Microsoft Newsletter #176
      ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows XP HCP URI Handler Arbitrary Command Execu... ... PHPNuke Category Parameter SQL Injection Vulnerability ... Microsoft Baseline Security Analyzer Vulnerability Identific... ...
    • SecurityFocus Microsoft Newsletter #158
      ... Gamespy 3d IRC Client Remote Buffer Overflow Vulnerability ... Microsoft Windows PostThreadMessage() Arbitrary Process Kill... ...
    • SecurityFocus Microsoft Newsletter #123
      ... Spooked about Windows security? ... Rediff Bol URL Handling Denial Of Service Vulnerability ... Finjan SurfinGate File Extension File Filter Circumvention... ... MIT Kerberos Key Distribution Center Remote Format String... ...
    • [EEYEB20050803] - Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability
      ... Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability ...