Windows Workstation Service Remote Buffer Overflow

Release Date:
November 11, 2003

Date Reported:
September 15, 2003

Severity:
High (Remote Code Execution)

Systems Affected:
Windows 2000
Windows XP

Description:
eEye Digital Security has discovered a remote buffer overflow in the
Windows Workstation Service (WKSSVC.DLL). An unauthenticated attacker
could exploit this vulnerability to execute arbitrary code with
system-level privileges on Windows 2000 and Windows XP machines. The
susceptible Workstation functionality is accessible via the WKSSVC named
pipe (TCP ports 139 and 445).

This buffer overflow bug is within network management functions provided
by the DCE/RPC service. These functions provide the ability to manage
user accounts and network resources locally and remotely. Some network
management functions generate a debug log file in the "debug"
subdirectory located in the Windows directory.

A logging function implemented in WKSSVC.DLL is called to write entries
to the log file.  In this function, the vsprintf() routine is used to
create a log entry.  The string arguments for this logging function are
supplied as parameters to vsprintf() without any bounds checking, so if
we can pass a long string argument to the logging function, then a
buffer overflow will occur.

We found some RPC functions which will accept a long string as a
parameter, and will attempt to write it to the debug log file.  If we
specify a long string as a parameter to these RPC functions, a
stack-based buffer overflow will happen in the Workstation service on
the remote system. Attackers who successfully leverage this
vulnerability will be executing code under the SYSTEM context of the
remote host.

Technical Description:
The buffer overflow bug is in a logging function which generates a
string for the log file using vsprintf().  The name of the log file is
"NetSetup.LOG", and it is located in the Windows "debug" directory.

This logging routine is called from some functions which handle commands
for the Workstation service, such as "NetValidateName", "NetJoinDomain",
etc.  In the case of NetValidateName(), the "computer name" specified as
the second argument is eventually recorded in the log file.

For example, if we use NetValidateName() API as follows:

    NetValidateName(L"\\\\192.168.0.100","AAAAAAAA",NULL,NULL,0);

then we can confirm the following log entry on the remote host
"192.168.0.100":

    08/13 13:01:01 NetpValidateName: checking to see if '' is valid as
type 0 name
    08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS
\\AAAAAAAA name: 0x57

If we specify a long string as the second argument to the
NetValidateName() API, a buffer overflow happens on the specified host
if the debug file is writeable.

Generally, the "debug" subdirectory in the Windows directory is not
writeable by everyone if the drive is formatted as NTFS, which means
that we cannot append to the log using a null session.  The
WsImpersonateClient() API is called before opening the log file, and if
the connected client does not have the privilege to write to the log
file, then CreateFile() will fail, and the vulnerable call to vsprintf()
is not performed.  So, in this case, we can exploit FAT32 systems (which
do not support ACLs on directories), or systems where the
"%SYSTEMROOT%\debug" directory is writeable by everyone.

However, there are some extended RPC functions implemented in Windows XP
which open the logfile before calling WsImpersonateClient().  They are
undocumented RPC functions, but we can observe them in the function
table in WKSSVC.DLL.  The RPC numbers for these extended commands start
at 0x1B; for example, function 0x1B invokes the NetpManageComputers()
API internally, which does not call WsImpersonateClient() before opening
the log file.

The usage of NetpManageComputers() is not published; however, we found
the prototype definition of the NetAddAlternateComputerName() API in
"LMJoin.h", which calls NetpManageComputers() internally.  This API is
exported from NETAPI32.DLL. This API is also undocumented.  We can
generate the packet to execute this RPC function (number 0x1B) using the
API as follows:


NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL
,NULL,0);

We do not need special privileges to write the second argument into the
log file on the remote host.  If we specify a long Unicode string as the
second argument ("AlternateName"), the remote system specified in the
first argument will crash due to a buffer overflow.  The Unicode string
"long_unicode_string" will be translated into an ASCII string before the
logging function is called.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Microsoft has released a patch for these vulnerabilities.  The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

Credit:
Yuji Ukai

Greetings:
All AD200X attendees, speakers, volunteers, and members.

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com