A flaw exists in a default Windows component, the "Workstation Service", that when exploited allows remote code execution in SYSTEM context, giving an attacker complete control of affected systems.
Credit:
The information has been provided by eEye Advisories.
The original article can be found at: http://research.eeye.com/html/advisories/published/AD20061114.html
Vulnerable Systems:
* Windows 2000
* Windows XP SP1
Technical Details:
In the Workstation Service module wkssvc.dll, the NetpManageIPCConnect function calls "swprintf" into a fixed-size stack buffer without checking that the formatted string fits. The input string is controllable by the remote attacker.
.text:76781D67 mov edi, [ebp+arg_0]
...
.text:76781D90 lea eax, [ebp+var_2CC]
...
.text:76781DA0 push edi
.text:76781DA1 push offset "%ws\\IPC$"
.text:76781DA6 push eax
.text:76781DA7 call ds:swprintf
This function is called by NetpJoinDomain, which is eventually called by the NetrJoinDomain2 function, which is exposed through RPC.
The IDL for NetrJoinDomain2 looks like this:
long _NetrJoinDomain2@28 (
[in][unique][string] wchar_t * arg_1,
[in][string] wchar_t * arg_2,
[in][unique][string] wchar_t * arg_3,
[in][unique][string] wchar_t * arg_4,
[in][unique] struct_C * arg_5,
[in] long arg_6
);
arg_2 contains a string of the form <Domain name>+"\"+<Hostname>. The <Hostname> portion is passed as NetpManageIPCConnect's first argument. This value is under the attacker's control and is passed to swprintf, which causes a stack-based buffer overflow.
For this vulnerable code to be reached, a valid and live <Domain name> must be supplied as part of the string. An attacker can set up a fake domain server anywhere reachable from the vulnerable machine on the Internet.
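The following C model is an added example and is not code from the advisory or from Microsoft. It shows the pattern the disassembly describes (the legacy two-argument MSVC swprintf, which takes no destination size, formatting "%ws\\IPC$" with a hostname taken from arg_2) next to a hardened builder that checks the length before writing and uses the bounded C99 swprintf. The buffer capacity of 358 wide characters is an assumption derived from the var_2CC frame offset at 2 bytes per Windows WCHAR; the advisory does not state the real buffer size. The split of arg_2 on the first backslash, the sample "EXAMPLE\DC1" input and the oversized hostname are constructed for the example. "%ws" is written "%ls" here so the code compiles as standard C.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Capacity of the stack buffer, in wide characters. Assumption: the advisory
 * only shows the frame offset var_2CC (0x2CC bytes below ebp); treating all
 * of that as the destination, at 2 bytes per Windows WCHAR, gives 358 chars.
 * The real buffer size is not stated on the page. */
#define IPC_PATH_BUF_CHARS 358
#define WIN_WCHAR_BYTES    2

/* Format string as shown in the disassembly ("%ws\\IPC$" pushed before the
 * call). MSVC's %ws is written %ls in standard C. */
static const wchar_t *const IPC_FMT = L"%ls\\IPC$";

/* NetrJoinDomain2's arg_2 carries "<Domain name>\<Hostname>"; the text after
 * the first backslash is what this model hands to the IPC$ path builder
 * (assumption: the advisory does not show the split itself). */
const wchar_t *hostname_from_arg2(const wchar_t *arg2)
{
    const wchar_t *sep = arg2 ? wcschr(arg2, L'\\') : NULL;
    return sep ? sep + 1 : NULL;
}

/* Wide characters the formatted path needs, including the terminating NUL. */
size_t ipc_path_needed_chars(const wchar_t *host)
{
    return wcslen(host) + wcslen(L"\\IPC$") + 1;
}

/* The vulnerable pattern: MSVC's legacy two-argument swprintf(buf, fmt, ...)
 * has no length parameter, so it writes however many characters the hostname
 * demands. Standard C has no unbounded swprintf, so the same behaviour is
 * emulated here with wcscpy/wcscat. Only call it with input known to fit. */
void build_ipc_path_unbounded(wchar_t *dst, const wchar_t *host)
{
    wcscpy(dst, host);          /* no check against the destination size */
    wcscat(dst, L"\\IPC$");
}

/* Bytes the unbounded variant would write past an IPC_PATH_BUF_CHARS-character
 * stack buffer, counted in the target's 2-byte WCHARs; 0 when the path fits. */
size_t vulnerable_overflow_bytes(const wchar_t *host)
{
    size_t needed = ipc_path_needed_chars(host);
    return needed > IPC_PATH_BUF_CHARS
         ? (needed - IPC_PATH_BUF_CHARS) * WIN_WCHAR_BYTES : 0;
}

/* Hardened builder: check the length explicitly before anything is written,
 * then format with the bounded C99 swprintf, which returns a negative value
 * instead of overrunning when dst_chars is too small. */
bool build_ipc_path_hardened(wchar_t *dst, size_t dst_chars, const wchar_t *host)
{
    if (dst == NULL || host == NULL || dst_chars == 0)
        return false;
    if (ipc_path_needed_chars(host) > dst_chars)
        return false;                       /* reject; never touch dst */
    int n = swprintf(dst, dst_chars, IPC_FMT, host);
    return n >= 0 && (size_t)n < dst_chars;
}

/* Constructed oversized hostname: IPC_PATH_BUF_CHARS 'A's, so the finished
 * path needs 6 more characters than the buffer holds. */
const wchar_t *oversized_hostname(void)
{
    static wchar_t host[IPC_PATH_BUF_CHARS + 1];
    for (size_t i = 0; i < IPC_PATH_BUF_CHARS; i++)
        host[i] = L'A';
    host[IPC_PATH_BUF_CHARS] = L'\0';
    return host;
}

int main(void)
{
    wchar_t buf[IPC_PATH_BUF_CHARS];
    const wchar_t *host = hostname_from_arg2(L"EXAMPLE\\DC1");  /* constructed */

    build_ipc_path_unbounded(buf, host);
    printf("unbounded, short host : %ls\n", buf);
    printf("hardened, short host  : %s\n",
           build_ipc_path_hardened(buf, IPC_PATH_BUF_CHARS, host) ? "ok" : "rejected");
    printf("hardened, long host   : %s (unbounded would overrun by %zu bytes)\n",
           build_ipc_path_hardened(buf, IPC_PATH_BUF_CHARS, oversized_hostname())
               ? "ok" : "rejected",
           vulnerable_overflow_bytes(oversized_hostname()));
    return 0;
}
```

The point the model makes is that the fix is not a different format string but a bound on the destination: the length check rejects the oversized hostname before any write, and the bounded swprintf is a second line of defence should the check be wrong. Because the overflow amount is simply the excess length times the character width, an attacker who controls arg_2 controls how far past the buffer the write reaches.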
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx