Multiple UNC Provider (MUP) overlong request kernel overflow
5th Apr 2002 [SBWID-5246]


	 Microsoft Windows NT 4.0

	 Microsoft Windows 2000

	 Microsoft Windows XP



	In Nsfocus Security Team advisory:

	When applications on a Microsoft Windows NT/2000/XP system send a UNC
	request (e.g. \\ip\sharename) to access files on other hosts, the
	operating system passes the request to the Multiple UNC Provider (MUP)
	for processing. MUP passes the request to several redirectors and then
	selects an appropriate redirector according to their responses. MUP is
	implemented by mup.sys in the kernel.

	When it receives a UNC file request, MUP first saves it in a kernel
	buffer whose size is the UNC request length + 0x1000 bytes. Before
	sending the request to a redirector, MUP copies it into the buffer
	again, appending it after the original. If the file request is longer
	than 0x1000 bytes, the copy overwrites memory outside the buffer.
	Management data structures are usually stored at the borders of
	dynamically allocated memory. An attacker might modify arbitrary kernel
	memory content by overwriting this data and waiting until the kernel
	allocates or frees the memory.
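The sizing error described above can be checked with a small user-space model. This is an added example, not code from the advisory or from mup.sys; the `reqbuf` type and all function names are hypothetical, and the only values taken from the advisory are the 0x1000 slack and the copy-twice behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SLACK 0x1000u /* extra bytes the advisory says are added to the request length */

/* Constructed user-space model of the request buffer; not mup.sys data structures. */
typedef struct { unsigned char *data; size_t cap, used; } reqbuf;

/* Bytes that would land past the buffer: cap = len + 0x1000, written = len + len. */
size_t overrun_bytes(size_t len)
{
    return len > SLACK ? len - SLACK : 0;
}

/* First save: allocate len + 0x1000 and store the request, as the advisory describes. */
int reqbuf_init(reqbuf *b, const unsigned char *req, size_t len)
{
    if (len > SIZE_MAX - SLACK) return -1;   /* size computation must not wrap */
    b->cap = len + SLACK;
    b->data = malloc(b->cap);
    if (b->data == NULL) return -1;
    memcpy(b->data, req, len);
    b->used = len;
    return 0;
}

/* Second copy, guarded by a remaining-space check (the described overflow implies none was made). */
int reqbuf_append(reqbuf *b, const unsigned char *src, size_t len)
{
    if (len > b->cap - b->used) return -1;   /* refuse instead of writing out of bounds */
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return 0;
}

/* Run both steps for a zero-filled request of len bytes; 0 = fits, -1 = rejected. */
int model_request(size_t len)
{
    reqbuf b;
    unsigned char *req = calloc(len ? len : 1, 1);
    if (req == NULL) return -1;
    int rc = reqbuf_init(&b, req, len);
    if (rc == 0) { rc = reqbuf_append(&b, req, len); free(b.data); }
    free(req);
    return rc;
}

int main(void) { return model_request(0x1001) == -1 ? 0 : 1; }
```

The boundary sits exactly where the advisory places it: a request of 0x1000 bytes still fits, and each byte beyond that is one byte the unchecked second copy would write past the allocation.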

	By successfully exploiting this vulnerability, a local attacker could
	obtain Local SYSTEM or any other privilege.


	Patches are available at:

	Microsoft Windows NT 4.0:



	Microsoft Windows NT 4.0 Terminal Server Edition:



	Microsoft Windows 2000:



	Microsoft Windows XP:


