[Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007

---

SUMMARY : [Windows XP] ntdll.dll Buffer Overflow Vulnerability
PRODUCT : Windows XP ntdll.dll
VERSIONS : 5.1.2600.1106
VENDOR : Microsoft Corporation (http://www.microsoft.com/)
SEVERITY : Critical.
Code Execution, Privilege Escalation.
DISCOVERED BY : nesumin
AUTHOR : :: Operash ::
REPORTED DATE : 2003-04-24
RELEASED DATE : 2003-05-30

0. PRODUCTS
   =============

'ntdll.dll' is a core operating system component that is contained with
Windows NT series.

Microsoft Corporation (http://www.microsoft.com/)

1. DESCRIPTION
   ================

   A buffer overflow vulnerability is in the function 'RtlGetFullPathName_U'
   

which belongs to the 'ntdll.dll' and is called from some APIs or etc.

This function uses 16 bits integer (unsigned short) to handle the given
string's length inside. And it cannot get the given string's correct length
if it was called with a string that has the size over 65536 bytes (exceeding
size of the maximum of the 16 bits integer). Then it causes the overflow on
the given buffer.

As a result, if an attacker made some programs or services that is able to call
the 'RtlGetFullPathName_U' with a string which has the size over 65536 bytes,
it is possible for him to execute arbitrary codes or escalate his privilege.

2. SYSTEMS AFFECTED
   =====================

ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1

And previous versions may have same vulnerabilities.

3. SYSTEMS NOT AFFECTED
   =========================

ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'

4. EXAMINES
   =============

ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1
ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'

5. VENDOR STATUS
   ==================

2003-05-28 The vendor released the patch for Windows XP,
And they added this vulnerability's information to the Security
Bulletin MS03-007.

6. SOLUTION
   =============

Apply the patch (Hotfix of 'Q815021') that is provided by the vendor
for the Security Bulletin MS03-007.

http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

7. TECHNICAL DETAILS
   ======================

   'RtlGetFullPathName_U' of 'ntdll.dll' is a function for getting
   

the complete path. This function is given the string (path) and the buffer,
the buffer's size, and it returns the complete path by writing the
complete path on the given buffer. And This function is called from
a Windows API like 'GetFullPathNameW' or etc.
The buffer overflow vulnerability this function contains is caused by
following reasons;

'RtlGetFullPathName_U' handles the given string (path) using 'UNICODE_STRING'
structure inside. This structure keeps the string's length as 16 bits integer
(unsigned short) by its specification.
And the function 'RtlInitUnicodeString' truncates the string's length to
16 bits integer and put it in this structure if the given string's length
is over 65536 bytes (32768 characters).

'RtlGetFullPathName_U' can write the longer data than the given buffer's
length on that buffer because it trusts the given string's length that is
shorter than the actual length which is returned by 'RtlInitUnicodeString',
and then the buffer overflow would occurs.

If it was given an allocated buffer on the stack, the stack based buffer
overflow would occurs.

Remarks:

This vulnerability differs from the known Security Bulletin 'MS03-007'.
The known 'MS03-007' problem was caused by 'RtlDosPathNameToNtPathName_U'.
However it can be said that these are similar vulnerabilities for both of
these has same fundamental causes.
Both are cause by trusting the string size which is acquired by 'UNICODE_STRING'
structure and 'RtlInitUnicodeString' function that cannot handle the string
length over 16 bits.

In addition, although this vulnerability had also existed in Windows 2000,
it was solved by the patch (Q815021 for Windows 2000) that has been already
provided by the vendor.

Technical References:

[1] "MSDN Library - UNICODE_STRING"
http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k112_401e.asp

[2] "MSDN Library - RtlInitUnicodeString"
http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k109_6x4i.asp

8. SAMPLE CODE
   ================

This is the example of a vulnerable program which causes the buffer overflow
by this vulnerability. This is not a exploit code.

'GetFullPathNameW' is a vulnerable API that calls 'RtlGetFullPathName_U' in
its inside.

//------------------------------------------------------
#include <windows.h>
#include <stdio.h>

void vuln_func(wchar_t *long_string)
{
wchar_t tmp_wc;
wchar_t buffer[0x1002];

  printf("ready ... \n");

  //
  // about 'GetFullPathName'
  // http://msdn.microsoft.com/library/en-us/fileio/base/getfullpathname.asp
  //
  // RtlGetFullPathName_U is called from GetFullPathNameW.
  //

  GetFullPathNameW(long_string, 0x100, buffer, &tmp_wc);


  // No return here.
  printf("returned\n");

}

const int vuln_length = 0x8008; // 0xFFFF & (0x8008*2) == 0x10

int main()
{
wchar_t *p = new wchar_t[vuln_length + 32];

  memset(p, 0x90, vuln_length*sizeof(wchar_t));
  p[vuln_length] = 0;

  vuln_func(p);

  delete[] p;
  return 0;

}
//--------------------------------------------------------

9. TIME TABLE
   ===============

2003-04-20 Discovered this vulnerability.
2003-04-24 Reported to 'Microsoft Security Response Center' of the vendor.
2003-04-24 Got the reply from the vendor.
2003-05-08 Asked the status to the vendor.
2003-05-13 Got the reply from the vendor.
2003-05-28 The vendor released the patch and the information.
2003-05-30 Released this advisory.

10. REFERENCES
    ================

[1] Microsoft Security Bulletin MS03-007
"Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)"
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

[2] "CAN-2003-0109"
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109

11. DISCLAIMER
    ================

A. We cannot guarantee the accuracy of all statements in this information.
B. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
C. And we will take no responsibility for any kinds of disadvantages by
using this information.
D. You can quote this advisory without our permission if you keep the following;
a. Do not distort this advisory's content.
b. A quoted place should be a medium on the Internet.
E. If you have any questions, please contact to us.

• Exception

  We strictly forbid 'Secunia' (http://www.secunia.com/&#41; to republish or
  redistribute our advisory.
  Because they've violated our policy and abused our advisory.

12. CONTACT, ETC
    ==================

:: Operash ::

imagine (Operash Webmaster)
nesumin <[email protected]>

Thanks to :

melorin
piso(sexy)

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
FREE 14-DAY TRIAL of New Threat & Vulnerability Notification Service

TruSecure's new IntelliShield(tm) web-based threat and vulnerability
service isn't your typical alert service. Supported by TruSecure's vast
intelligence resources - including the ICSA Labs - IntelliShield's early
warning, analysis, decision support, and threat management tools provide
organizations with unmatched intelligence to better protect critical
information assets. Experience it for yourself - just click below to begin
your FREE, NO OBLIGATION 14-day trial today!

http://www.trusecure.com/offer/s0074/

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo