SecurityReason - Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability

Advisory Text :

Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability

Release Date:
October 11, 2005

Date Reported:
August 3, 2005

Severity:
High (Remote Code Execution with Authentication)
Medium (Privilege Escalation to SYSTEM)

Vendor:
Microsoft

Systems Affected:
Windows NT 4.0
Windows 2000
Windows XP

eEye ID #: EEYEB20050803
OSVDB #: 18830
CVE #: CAN-2005-2120

Overview:
eEye Digital Security has discovered a vulnerability in the Windows Plug
and Play Service that would allow an unprivileged user to execute
arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1
system. On Windows XP SP2, this vulnerability could be exploited by an
unprivileged user to gain full privileges on a system to which he is
logged in interactively.

This vulnerability is unrelated to the MS05-039 Plug and Play
vulnerability, and is not resolved by the MS05-039 hotfix. We reported
this vulnerability to Microsoft roughly a week before the MS05-039 patch
was released, but they neglected to address the vulnerability in spite
of our warnings. However, generic security measures instituted in the
patch now prevent its anonymous exploitation, making the eminent threat
an internal attack or mass compromise in a domain setting.

Technical Details:
UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which
provides an RPC interface for accessing device management and
notification functionality. The service is default on Windows NT 4.0
and later, and in fact, support for it is hard-coded into the Service
Control Manager in SERVICES.EXE. Due to its central importance, the
service cannot be stopped once started, and attempting to disable it
runs a high risk of rendering the system unusable.

The code for UMPNPMGR contains a number of calls to wsprintfW to
construct various formatted strings in stack buffers, and in two cases
the user input is only validated by whether or not it corresponds to an
existent subkey of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnum.
Although this registry branch is protected from unprivileged
modification, the assumption that any valid key name is safe can
nevertheless be circumvented by supplying arbitrary lengths of
consecutive backslashes; for example, "HTREEROOT\\0\\\\".

The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize
(opnum 11), on the UMPNPMGR interface
{8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability.
For the former, any valid subkey name may be passed in order to reach a
vulnerable wsprintfW call, whereas the latter must receive a key name
with an empty second (e.g., "HTREE\ROOT