Workstation Service NetpManageIPCConnect Buffer Overflow
16 Nov. 2006
Summary
A flaw in the Windows "Workstation Service", a component installed by default, allows remote code execution in SYSTEM context. An attacker who exploits it takes complete control of the affected system.
Vulnerable Systems:
* Windows 2000
* Windows XP SP1
Technical Details:
In wkssvc.dll, the Workstation Service module, the NetpManageIPCConnect function calls "swprintf" to format its input into a fixed-size stack buffer with no length check. The input string is controllable by the remote attacker.
This function is called by NetpJoinDomain, which is eventually called by the NetrJoinDomain2 function, which is exposed through RPC.
The IDL for NetrJoinDomain2 looks like this:
long _NetrJoinDomain2@28 (
[in][unique][string] wchar_t * arg_1,
[in][string] wchar_t * arg_2,
[in][unique][string] wchar_t * arg_3,
[in][unique][string] wchar_t * arg_4,
[in][unique] struct_C * arg_5,
[in] long arg_6
);
arg_2 contains a string of the form <Domain name>+"\"+<Hostname>. This string is passed as NetpManageIPCConnect's first argument; because it is under the attacker's control and reaches swprintf unchecked, an overlong value causes a stack-based buffer overflow.
For the vulnerable code to be reached, the <Domain name> part of the string must name a valid, live domain. An attacker can satisfy this by running a fake domain server anywhere the vulnerable machine can reach over the Internet.
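The pattern at the heart of the bug, as an added C example and not code from wkssvc.dll: a fixed-size stack buffer filled by an unbounded format call, beside the size-aware form that rejects oversized input before it writes anything. The buffer size (64 wide characters), the "\\<server>\IPC$" layout, the 100-character hostile input and the function names are assumptions for illustration. The unchecked variant is reproduced with wcscpy/wcscat because the C99 swprintf, unlike the older Microsoft one the advisory refers to, takes a buffer size and cannot reproduce the overflow directly.

```c
/* Added example: models the unchecked-swprintf pattern described above.
 * Not the wkssvc.dll code; buffer size, path layout and names are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define IPC_PATH_CHARS 64   /* assumed size of the fixed stack buffer */

/* Vulnerable shape. The pre-C99 Microsoft swprintf(buf, fmt, ...) has no
 * size parameter, so attacker-controlled `server` longer than the buffer
 * writes past the end of the stack frame. wcscpy/wcscat stand in for it
 * here; they are equally unbounded. Only ever called with short input. */
static void build_ipc_path_unchecked(wchar_t *buf, const wchar_t *server)
{
    wcscpy(buf, L"\\\\");
    wcscat(buf, server);        /* no bound: overflow when server is long */
    wcscat(buf, L"\\IPC$");
}

/* Characters (excluding the NUL) that "\\<server>\IPC$" needs. */
static size_t ipc_path_needed(const wchar_t *server)
{
    return 2 + wcslen(server) + 5;
}

/* Answers the question the vulnerable code never asks: would this input
 * overflow a buffer of buf_chars wide characters? Does not perform the write. */
static bool unchecked_would_overflow(size_t buf_chars, const wchar_t *server)
{
    return ipc_path_needed(server) + 1 > buf_chars;
}

/* Hardened shape: explicit fit check, then size-aware formatting.
 * Returns true and fills buf on success; false with buf untouched when the
 * result (including the NUL) would not fit in buf_chars. */
static bool build_ipc_path_checked(wchar_t *buf, size_t buf_chars,
                                   const wchar_t *server)
{
    if (buf_chars == 0 || unchecked_would_overflow(buf_chars, server))
        return false;
    int n = swprintf(buf, buf_chars, L"\\\\%ls\\IPC$", server);
    return n >= 0 && (size_t)n < buf_chars;
}

/* Constructed hostile input: a 100-character server name, well past the
 * assumed 64-character buffer. */
static const wchar_t *sample_long_server(void)
{
    static wchar_t name[101];
    if (name[0] == L'\0') {
        for (size_t i = 0; i < 100; i++)
            name[i] = L'A';
        name[100] = L'\0';
    }
    return name;
}

int main(void)
{
    wchar_t buf[IPC_PATH_CHARS];
    const wchar_t *benign = L"DC1";
    const wchar_t *hostile = sample_long_server();

    build_ipc_path_unchecked(buf, benign);   /* safe only because "DC1" is short */
    printf("benign path length: %d\n", (int)wcslen(buf));
    printf("hostile input overflows the unchecked buffer: %s\n",
           unchecked_would_overflow(IPC_PATH_CHARS, hostile) ? "yes" : "no");
    printf("checked builder accepts hostile input: %s\n",
           build_ipc_path_checked(buf, IPC_PATH_CHARS, hostile) ? "yes" : "no");
    return 0;
}
```

The fix is not the size argument alone: a size-limited swprintf that silently truncates would still hand a mangled path to the connect call, so the checked builder refuses the input outright and reports failure to the caller.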