NSFOCUS Security Advisory(SA2002-02)

Topic: Microsoft Windows MUP overlong request kernel overflow

Release Date: 2002-4-04

CVE CAN ID : CAN-2002-0151

Affected system:

Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP

Impact:

NSFOCUS Security Team has found a buffer overflow vulnerability in the Multiple
UNC Provider (MUP) driver of Microsoft Windows systems which would lead to
system reboot or unauthorized access of Local SYSTEM by a local attacker.

Description:

When applications in Microsoft Windows NT/2000/XP system send UNC request(ie:
\\ip\sharename)to access files on other hosts, the operation system would pass
the request to be processed by Multiple UNC Provider(MUP). MUP passes the
request to several redirectors and subsequently select an appropriate redirector
according to their responds. MUP is implemented by mup.sys in kernel.

When receiving a UNC file request, MUP first saves it in a buffer of the kernel,
which has a size of UNC request length + 0x1000 bytes. Before sending the request
to a redirector, MUP would copy it to the buffer again, attaching behind the
original one. In case that the file request is longer than 0x1000 bytes, it
would overwrite memory data outside of the buffer. Usually, some management
data structure would be stored in the border of dynamic allocated memory.
An attacker might modify arbitrary kernel memory content by overwriting the
data and waiting till the kernel malloc/free the memory.

Exploiting this vulnerability successfully, a local attacker could obtain Local
SYSTEM or any other priviledge. So far as we know from our testing, it is
exploitable on Windows 2000. But the exploit won't always work because it
depends on the kernel to process the overwritten data, which is beyond
human control. With random data, the system might have a blue screen and reboot.
The same vulnerability also exists in Windows NT and XP, exploitment of which
is even more difficult.

Workaround:

Block untrusted user login.

Vendor Status:

2001.10.17 We have informed Microsoft of this issue.
2001.11.09 Microsoft replied that the problem had been reproduced.
2001.12.05 Microsoft provided patches for testing, in which the problem was
fixed.
2002.4.4 Microsoft issued a security bulletin (MS02-017) and relevant patches
for the problem.

The bulletin is live at :

http://www.microsoft.com/technet/security/bulletin/MS02-017.asp

Patches are available at:

. Microsoft Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37630

. Microsoft Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37652

. Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37555

. Microsoft Windows XP:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37583

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2002-0151 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2002 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <[email protected]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)