Thread-topic: EEYE: Workstation Service NetpManageIPCConnect Buffer Overflow
> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx]
> Sent: Tuesday, November 14, 2006 11:12 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: EEYE: Workstation Service NetpManageIPCConnect Buffer Overflow
>
> eEye Research - http://research.eeye.com
>
> Workstation Service NetpManageIPCConnect Buffer Overflow
>
> Release Date:
> November 14, 2006
>
> Date Reported:
> July 25, 2006
>
> Severity:
> High (Remote Code Execution)
>
> Vendor:
> Microsoft
>
> Systems Affected:
> Windows 2000 (Remote Code Execution)
> Windows XP SP1 (Local Privilege Escalation)
>
> Overview:
> A flaw exists in a default Windows component called the "Workstation
> Service" that, when exploited, allows for remote code execution in SYSTEM
> context, allowing an attacker to take complete control of affected
> systems.
>
> Technical Details:
> In the Workstation Service module called wkssvc.dll, the
> NetpManageIPCConnect function has a call to "swprintf" with an unchecked
> buffer. The input buffer is controllable by the remote attacker.
>
> .text:76781D67 mov edi, [ebp+arg_0]
> ...
> .text:76781D90 lea eax, [ebp+var_2CC]
> ...
> .text:76781DA0 push edi
> .text:76781DA1 push offset "%ws\\IPC$"
> .text:76781DA6 push eax
> .text:76781DA7 call ds:swprintf
>
> This function is called by NetpJoinDomain, which is eventually called by
> the NetrJoinDomain2 function, which is exposed through RPC.
>
> The IDL for NetrJoinDomain2 looks like this:
> long _NetrJoinDomain2@28 (
> [in][unique][string] wchar_t * arg_1,
> [in][string] wchar_t * arg_2,
> [in][unique][string] wchar_t * arg_3,
> [in][unique][string] wchar_t * arg_4,
> [in][unique] struct_C * arg_5,
> [in] long arg_6
> );
>
> arg_2 will contain a string with a format like
> <Domain name>+"\"+<Hostname>.
>
> <Hostname> will be passed as NetpManageIPCConnect's first argument. The
> variable is under the attacker's control and is passed to swprintf,
> which causes a stack-based buffer overflow.
>
> For this vulnerable code to be reached, we must provide a valid and live
> <Domain name> as a part of the string. We can set up a fake domain
> server anywhere reachable from the vulnerable machine on the Internet.
>
> P.S. If you despise Birkenstocks, are not afraid of your Tequila, and
> are well versed in reverse engineering, bug finding, or are looking to
> learn, we are hiring both junior and senior security researchers. Send
> your resume (blathering of college course work, degrees, and past
> experience we don't care about) or more importantly a description of why
> you would be a good researcher to skunkworks@xxxxxxxxx
>
> Credit:
> Discovery: JeongWook Matt Oh
> Additional Research: Derek Soeder
>
> Related Links:
> Retina Network Security Scanner - Free Trial
> Blink Endpoint Vulnerability Prevention - Free Trial
>
> Greetings:
> Dugsong, Ohhara, Ryan Lee, Pilot, Sakai, Gonan and all the Korean
> Bugtruck Mailing List Subscribers
>
> Copyright (c) 1998-2006 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of eEye. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please email
> alert@xxxxxxxx for permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are no warranties, implied or express, with regard to this
> information. In no event shall the author be liable for any direct or
> indirect damages whatsoever arising out of or in connection with the use
> or spread of this information. Any use of this information is at the
> user's own risk.
>
>
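The following is an added example, not code from the eEye advisory and not Microsoft's wkssvc.dll. It models the pattern the advisory describes: an attacker-controlled hostname, taken from NetrJoinDomain2's arg_2, formatted with "%ws\\IPC$" into a fixed-size stack buffer by a swprintf that takes no length argument, beside a hardened form that checks the required length and uses a bounded formatter. The buffer size (64 wchar_t), the split of arg_2 on the first backslash, the use of wcscpy/wcscat to stand in for the unbounded Windows swprintf, and the portable %ls conversion in place of Microsoft's %ws are all assumptions made for illustration; the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Assumed size of the fixed stack buffer, in wchar_t.  The advisory only
 * shows the buffer as [ebp+var_2CC]; its real size is not stated there. */
#define IPC_PATH_WCHARS 64

/* Number of wchar_t that "%ws\\IPC$" needs for this host, NUL included. */
size_t ipc_path_required_wchars(const wchar_t *host)
{
    return wcslen(host) + wcslen(L"\\IPC$") + 1;
}

/* Vulnerable shape.  The Windows swprintf of the time had no length
 * argument, so the write is bounded only by the input.  Modelled here with
 * wcscpy/wcscat, which are unbounded in the same way and portable.
 * Calling this with a host longer than the buffer is the bug. */
void build_ipc_path_unbounded(wchar_t *buf, const wchar_t *host)
{
    wcscpy(buf, host);
    wcscat(buf, L"\\IPC$");
}

/* Hardened shape: reject a host that cannot fit, then use a bounded
 * formatter and check its result.  Returns 0 on success, -1 on overflow.
 * C99 swprintf takes the buffer size; %ls is the portable spelling of the
 * Microsoft %ws conversion quoted in the advisory. */
int build_ipc_path_bounded(wchar_t *buf, size_t buf_wchars, const wchar_t *host)
{
    if (ipc_path_required_wchars(host) > buf_wchars)
        return -1;
    int n = swprintf(buf, buf_wchars, L"%ls\\IPC$", host);
    if (n < 0 || (size_t)n >= buf_wchars)
        return -1;
    return 0;
}

/* Assumed parsing of NetrJoinDomain2's arg_2 ("<Domain name>\<Hostname>"):
 * the hostname is everything after the first backslash.  Returns NULL when
 * there is no backslash. */
const wchar_t *hostname_from_arg2(const wchar_t *arg2)
{
    const wchar_t *sep = wcschr(arg2, L'\\');
    return sep ? sep + 1 : NULL;
}

/* Self-checks: return 1 on the expected outcome, 0 otherwise. */
int check_short_host_fits(void)
{
    wchar_t buf[IPC_PATH_WCHARS];
    const wchar_t *host = hostname_from_arg2(L"EXAMPLE\\WS01"); /* constructed */
    if (!host)
        return 0;
    if (build_ipc_path_bounded(buf, IPC_PATH_WCHARS, host) != 0)
        return 0;
    return wcscmp(buf, L"WS01\\IPC$") == 0;
}

int check_long_host_rejected(void)
{
    wchar_t buf[IPC_PATH_WCHARS];
    wchar_t host[201];   /* constructed: 200 x 'A', far longer than the buffer */
    for (size_t i = 0; i < 200; i++)
        host[i] = L'A';
    host[200] = L'\0';
    /* build_ipc_path_unbounded(buf, host) would write 206 wchar_t into a
     * 64-wchar_t stack buffer: the overflow the advisory describes.  The
     * bounded version refuses instead. */
    return build_ipc_path_bounded(buf, IPC_PATH_WCHARS, host) == -1;
}

int main(void)
{
    wchar_t buf[IPC_PATH_WCHARS];
    build_ipc_path_unbounded(buf, L"WS01"); /* safe only because the host is short */
    printf("unbounded: %ls\n", buf);
    printf("short host fits: %d\n", check_short_host_fits());
    printf("long host rejected: %d\n", check_long_host_rejected());
    return 0;
}
```

The length check is deliberately done against the formatted result, not the raw hostname, because the fixed suffix "\IPC$" and the terminating NUL are what push a just-fitting name over the edge. The reachability condition the advisory notes (a live domain name in front of the backslash) is outside the scope of this example.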