MSoft Windows Kernel Overflow

NSFOCUS Security Advisory(SA2002-02)

Topic: Microsoft Windows MUP overlong request kernel overflow

Release Date: 2002-4-04

CVE CAN ID : CAN-2002-0151

Affected system:
===================

Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP

Impact:
=========

NSFOCUS Security Team has found a buffer overflow vulnerability in the Multiple UNC Provider (MUP) driver of Microsoft Windows systems which would lead to system reboot or unauthorized access of Local SYSTEM by a local attacker.

Description:
============

When applications in Microsoft Windows NT/2000/XP system send UNC request(ie: \\ip\sharename)to access files on other hosts, the operation system would pass the request to be processed by Multiple UNC Provider(MUP). MUP passes the request to several redirectors and subsequently select an appropriate redirector according to their responds. MUP is implemented by mup.sys in kernel.

When receiving a UNC file request, MUP first saves it in a buffer of the kernel, which has a size of UNC request length + 0x1000 bytes. Before sending the request to a redirector, MUP would copy it to the buffer again, attaching behind the original one. In case that the file request is longer than 0x1000 bytes, it would overwrite memory data outside of the buffer. Usually, some management data structure would be stored in the border of dynamic allocated memory. An attacker might modify arbitrary kernel memory content by overwritingthe data and waiting till the kernel malloc/free the memory.

Exploiting this vulnerability successfully, a local attacker could obtain Local SYSTEM or any other priviledge. So far as we know from our testing, it is exploitable on Windows 2000. But the exploit won't always work because it depends on the kernel to process the overwritten data, which is beyond human control. With random data, the system might have a blue screen and reboot. The same vulnerability also exists in Windows NT and XP, exploitment of which is even more difficult.


Workaround:
=============


Block untrusted user login.

Vendor Status:
==============

2001.10.17 We have informed Microsoft of this issue.
2001.11.09 Microsoft replied that the problem had been reproduced.
2001.12.05 Microsoft provided patches for testing, in which the problem was fixed.
2002.4.4 Microsoft issued a security bulletin (MS02-017) and relevant patches for the problem.

The bulletin is live at :

www.microsoft.com/technet/security/bulletin/MS02-017.asp

Patches are available at:

Microsoft Windows NT 4.0:
www.microsoft.com/Downloads/Release.asp?ReleaseID=37630

Microsoft Windows NT 4.0 Terminal Server Edition:
www.microsoft.com/Downloads/Release.asp?ReleaseID=37652

Microsoft Windows 2000:
www.microsoft.com/Downloads/Release.asp?ReleaseID=37555

Microsoft Windows XP:
www.microsoft.com/Downloads/Release.asp?ReleaseID=37583