SECURITYVULNS:DOC:9431
Windows Plug and Play Remote Compromise
Aug 09, 2005
vulners.com

Internet Security Systems Protection Advisory
August 9, 2005

Windows Plug and Play Remote Compromise

Summary:

X-Force has discovered a vulnerability in the Windows Plug and Play service.
This vulnerability is remotely exploitable in the default configuration of
Windows 2000, and is present in all modern Windows operating systems. There
is a high probability that this vulnerability will be exploited in an
automated fashion as part of a worm on Windows 2000.

ISS Protection Strategy:

ISS has provided preemptive protection for this vulnerability. We recommend
that all customers apply applicable ISS product updates if they have not
already done so.

Network Sensor 7.0, Proventia A and G100, G200, G1200:
XPU 24.4 / 4/13/05
PlugAndPlay_BO
PlugAndPlay_DoS

Proventia M and G400, G2000:
XPU 1.43 / 4/13/05
PlugAndPlay_BO
PlugAndPlay_DoS

Server Sensor 7.0:
XPU 24.4 / 4/13/05
PlugAndPlay_BO
PlugAndPlay_DoS

Proventia Desktop
Version XPU 24.4 / 4/13/05
PlugAndPlay_BO
PlugAndPlay_DoS

Desktop Protector 7.0:
Version EOD / 4/13/05
PlugAndPlay_BO
PlugAndPlay_DoS

Internet Scanner 7.0, SP2:
XPU 7.2.10 / 8/9/04
WinMs05kb899588Update

These updates are available from the ISS Download Center at:
http://www.iss.net/download.

Business Impact:

Successful exploitation of this vulnerability could be leveraged to
gain complete control over target systems, and might lead to malware
installation, exposure of confidential information, or further network
compromise. Due to the widespread use of the affected operating systems
and the critical nature of the affected component, it is likely that servers
and desktops used for a wide variety of purposes are vulnerable to
this issue.

Affected Products:

Windows 2000 up to and including SP4 with Security Rollup (Anonymous)
Windows XP up to and including SP2 (Authenticated Users Only)
Windows Server 2003 up to and including SP1 (Authenticated Users Only)

Description:

The Plug and Play service is a Windows DCE-RPC service that is designed
to handle device installation, configuration, and notification of new
devices. It starts automatically on modern versions of the Windows
operating system, and runs in default configurations. On Windows 2000,
this service is reachable via named pipes and a NULL session. It is
not possible to disable this service without adversely affecting system
operation.

This Plug and Play service contains a remotely exploitable stack-based
overflow. It has been proven to be trivially exploitable, and X-Force
is concerned that the overflow could be exploited automatically as part
of a network-based worm used to attack Windows 2000-based systems.

The named pipe needed to reach this service requires authentication on
Windows XP and Windows Server 2003. On Windows XP SP2 and Windows Server
2003 those named pipes are only available remotely to administrators.
However, additional named pipe aliases are present on Windows 2000 which
expose this service to an attacker with NULL session access. No
authentication or user interaction is required to exploit this vulnerability
on Windows 2000.
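The exposure model above (NULL-session reach on Windows 2000, authenticated or administrator-only reach on XP/2003) can be turned into a simple audit-log triage. The following is an added example, not ISS or Microsoft code. It assumes that the Plug and Play service is reached through the named pipe ntsvcs under the IPC$ share (the advisory does not name the pipe, and says Windows 2000 has further aliases that it also does not name, so the pipe set is a parameter), and that share-access audit records in the shape of Windows Security event 5145 (event id, account, source address, share, relative target name; available on Windows versions later than those in the advisory) have been exported to a constructed pipe-delimited format. Anonymous access to the pipe is rated high, since that is the unauthenticated Windows 2000 path; authenticated access from outside known administration networks is rated medium for review.

```python
"""Flag network access to the Plug and Play RPC named pipe in share-access
audit records (shape of Windows Security event 5145).

Added example for the ISS advisory on CAN-2005-1983; not ISS or Microsoft code.
Assumptions (not stated in the advisory): the Plug and Play service is reached
through the named pipe ``ntsvcs`` under the IPC$ share, and the sample records
are a constructed, simplified export of event 5145 fields.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: pipe names that lead to the Plug and Play service. The advisory
# says Windows 2000 also exposes aliases for this pipe but does not name them,
# so extend this set per platform instead of guessing.
PNP_PIPES = frozenset({"ntsvcs"})

# Windows renders a NULL-session caller under this account name in audit events.
ANONYMOUS = "ANONYMOUS LOGON"


@dataclass(frozen=True)
class ShareAccess:
    event_id: int
    account: str
    source_ip: str
    share: str
    target: str  # relative target name: the pipe opened under IPC$


@dataclass(frozen=True)
class Finding:
    severity: str
    source_ip: str
    account: str
    pipe: str
    reason: str


def parse_line(line: str) -> Optional[ShareAccess]:
    """Parse one constructed 'event_id|account|source_ip|share|target' record.
    Returns None for malformed lines so one bad record does not stop triage."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    return ShareAccess(int(parts[0]), parts[1], parts[2], parts[3], parts[4])


def classify(ev: ShareAccess, admin_nets: Iterable[str]) -> Optional[Finding]:
    """Apply the advisory's exposure model to one share-access record."""
    if ev.event_id != 5145 or not ev.share.upper().endswith("IPC$"):
        return None
    pipe = ev.target.lower().lstrip("\\")
    if pipe not in PNP_PIPES:
        return None
    if ev.account.upper() == ANONYMOUS:
        # Unauthenticated reach to the PnP pipe: the Windows 2000 exposure
        # path described in the advisory.
        return Finding("high", ev.source_ip, ev.account, pipe,
                       "NULL session opened the Plug and Play pipe")
    src = ipaddress.ip_address(ev.source_ip)
    if any(src in ipaddress.ip_network(n) for n in admin_nets):
        return None
    # Authenticated path (XP/2003): worth review when the caller is not a
    # known administration host.
    return Finding("medium", ev.source_ip, ev.account, pipe,
                   "authenticated access to the Plug and Play pipe "
                   "from outside admin networks")


def triage(lines: Iterable[str], admin_nets: Iterable[str]) -> List[Finding]:
    """Run classify() over a log export and return the findings in order."""
    nets = list(admin_nets)
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = classify(ev, nets)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records (not real audit data).
SAMPLE_LOG = [
    "5145|ANONYMOUS LOGON|198.51.100.23|\\\\*\\IPC$|ntsvcs",
    "5145|CORP\\svc_inventory|10.0.0.5|\\\\*\\IPC$|ntsvcs",
    "5145|CORP\\jdoe|10.0.40.17|\\\\*\\IPC$|ntsvcs",
    "5145|CORP\\jdoe|10.0.40.17|\\\\*\\IPC$|spoolss",
    "5140|ANONYMOUS LOGON|198.51.100.23|\\\\*\\IPC$|",
    "garbage line",
]
ADMIN_NETS = ["10.0.0.0/24"]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, ADMIN_NETS):
        print(f"{f.severity:6} {f.source_ip:15} {f.account:20} {f.pipe}: {f.reason}")
```

On the constructed sample this yields one high finding (the anonymous caller) and one medium finding (the authenticated user outside the admin network); the administration host, the unrelated pipe, the non-5145 event and the malformed line are all ignored.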

At the time of publication, no exploits are available to the public at
large. However, X-Force expects that exploits for this vulnerability
will appear in the very near future.

Additional Information:

Microsoft Security Advisory:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1983 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

Credit:

This vulnerability was discovered and researched by Neel Mehta of the ISS X-Force.


About Internet Security Systems (ISS)
Internet Security Systems, Inc. (ISS) is the trusted security expert to
global enterprises and world governments, providing products and services
that protect against Internet threats. An established world leader
in security since 1994, ISS delivers proven cost efficiencies and
reduces regulatory and business risk across the enterprise for
more than 11,000 customers worldwide. ISS products and services
are based on the proactive security intelligence conducted by ISS'
X-Force research and development team – the unequivocal world
authority in vulnerability and threat research. Headquartered
in Atlanta, Internet Security Systems has additional operations
throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2005 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
xforce@iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this document may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
