[Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007

2003-06-02T00:00:00
ID SECURITYVULNS:DOC:4628
Type securityvulns
Reporter Securityvulns
Modified 2003-06-02T00:00:00

Description


SUMMARY : [Windows XP] ntdll.dll Buffer Overflow Vulnerability PRODUCT : Windows XP ntdll.dll VERSIONS : 5.1.2600.1106 VENDOR : Microsoft Corporation (http://www.microsoft.com/) SEVERITY : Critical. Code Execution, Privilege Escalation. DISCOVERED BY : nesumin AUTHOR : :: Operash :: REPORTED DATE : 2003-04-24 RELEASED DATE : 2003-05-30


0. PRODUCTS

'ntdll.dll' is a core operating system component that is contained with Windows NT series.

Microsoft Corporation (http://www.microsoft.com/)

1. DESCRIPTION

   A buffer overflow vulnerability is in the function 'RtlGetFullPathName_U'

which belongs to the 'ntdll.dll' and is called from some APIs or etc.

This function uses 16 bits integer (unsigned short) to handle the given string's length inside. And it cannot get the given string's correct length if it was called with a string that has the size over 65536 bytes (exceeding size of the maximum of the 16 bits integer). Then it causes the overflow on the given buffer.

As a result, if an attacker made some programs or services that is able to call the 'RtlGetFullPathName_U' with a string which has the size over 65536 bytes, it is possible for him to execute arbitrary codes or escalate his privilege.

2. SYSTEMS AFFECTED

ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1

And previous versions may have same vulnerabilities.

3. SYSTEMS NOT AFFECTED

ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'

4. EXAMINES

ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1 ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'

5. VENDOR STATUS

2003-05-28 The vendor released the patch for Windows XP, And they added this vulnerability's information to the Security Bulletin MS03-007.

6. SOLUTION

Apply the patch (Hotfix of 'Q815021') that is provided by the vendor for the Security Bulletin MS03-007.

http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

7. TECHNICAL DETAILS

   'RtlGetFullPathName_U' of 'ntdll.dll' is a function for getting

the complete path. This function is given the string (path) and the buffer, the buffer's size, and it returns the complete path by writing the complete path on the given buffer. And This function is called from a Windows API like 'GetFullPathNameW' or etc. The buffer overflow vulnerability this function contains is caused by following reasons;

'RtlGetFullPathName_U' handles the given string (path) using 'UNICODE_STRING' structure inside. This structure keeps the string's length as 16 bits integer (unsigned short) by its specification. And the function 'RtlInitUnicodeString' truncates the string's length to 16 bits integer and put it in this structure if the given string's length is over 65536 bytes (32768 characters).

'RtlGetFullPathName_U' can write the longer data than the given buffer's length on that buffer because it trusts the given string's length that is shorter than the actual length which is returned by 'RtlInitUnicodeString', and then the buffer overflow would occurs.

If it was given an allocated buffer on the stack, the stack based buffer overflow would occurs.

Remarks:

This vulnerability differs from the known Security Bulletin 'MS03-007'. The known 'MS03-007' problem was caused by 'RtlDosPathNameToNtPathName_U'. However it can be said that these are similar vulnerabilities for both of these has same fundamental causes. Both are cause by trusting the string size which is acquired by 'UNICODE_STRING' structure and 'RtlInitUnicodeString' function that cannot handle the string length over 16 bits.

In addition, although this vulnerability had also existed in Windows 2000, it was solved by the patch (Q815021 for Windows 2000) that has been already provided by the vendor.

Technical References:

[1] "MSDN Library - UNICODE_STRING" http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k112_401e.asp

[2] "MSDN Library - RtlInitUnicodeString" http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k109_6x4i.asp

8. SAMPLE CODE

This is the example of a vulnerable program which causes the buffer overflow by this vulnerability. This is not a exploit code.

'GetFullPathNameW' is a vulnerable API that calls 'RtlGetFullPathName_U' in its inside.

//------------------------------------------------------ #include <windows.h> #include <stdio.h>

void vuln_func(wchar_t long_string) { wchar_t tmp_wc; wchar_t buffer[0x100*2];

  printf&#40;&quot;ready ... &#92;n&quot;&#41;;

  //
  // about &#39;GetFullPathName&#39;
  // http://msdn.microsoft.com/library/en-us/fileio/base/getfullpathname.asp
  //
  // RtlGetFullPathName_U is called from GetFullPathNameW.
  //

  GetFullPathNameW&#40;long_string, 0x100, buffer, &tmp_wc&#41;;


  // No return here.
  printf&#40;&quot;returned&#92;n&quot;&#41;;

}

const int vuln_length = 0x8008; // 0xFFFF & (0x8008*2) == 0x10

int main() { wchar_t *p = new wchar_t[vuln_length + 32];

  memset&#40;p, 0x90, vuln_length*sizeof&#40;wchar_t&#41;&#41;;
  p[vuln_length] = 0;

  vuln_func&#40;p&#41;;

  delete[] p;
  return 0;

} //--------------------------------------------------------

9. TIME TABLE

2003-04-20 Discovered this vulnerability. 2003-04-24 Reported to 'Microsoft Security Response Center' of the vendor. 2003-04-24 Got the reply from the vendor. 2003-05-08 Asked the status to the vendor. 2003-05-13 Got the reply from the vendor. 2003-05-28 The vendor released the patch and the information. 2003-05-30 Released this advisory.

10. REFERENCES

[1] Microsoft Security Bulletin MS03-007 "Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)" http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

[2] "CAN-2003-0109" http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109

11. DISCLAIMER

A. We cannot guarantee the accuracy of all statements in this information. B. We do not anticipate issuing updated versions of this information unless there is some material change in the facts. C. And we will take no responsibility for any kinds of disadvantages by using this information. D. You can quote this advisory without our permission if you keep the following; a. Do not distort this advisory's content. b. A quoted place should be a medium on the Internet. E. If you have any questions, please contact to us.

  • Exception

    We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or redistribute our advisory. Because they've violated our policy and abused our advisory.

12. CONTACT, ETC

:: Operash ::

imagine (Operash Webmaster) nesumin <nesumin@softhome.net>

Thanks to :

melorin
piso&#40;sexy&#41;

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo Delivery co-sponsored by TruSecure oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo FREE 14-DAY TRIAL of New Threat & Vulnerability Notification Service

TruSecure's new IntelliShield(tm) web-based threat and vulnerability service isn't your typical alert service. Supported by TruSecure's vast intelligence resources - including the ICSA Labs - IntelliShield's early warning, analysis, decision support, and threat management tools provide organizations with unmatched intelligence to better protect critical information assets. Experience it for yourself - just click below to begin your FREE, NO OBLIGATION 14-day trial today!

http://www.trusecure.com/offer/s0074/

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo