Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2729
HistoryApr 05, 2002 - 12:00 a.m.

Security Bulletin MS02-017 Q311967: Unchecked buffer in the Multiple UNC Provider Could Enable File Execution

2002-04-0500:00:00
vulners.com
25

Title: Q311967: Unchecked buffer in the Multiple UNC Provider
Could Enable Code Execution
Date: 04 April 2002
Software:

    • Microsoft Windows NT 4.0 Workstation
    • Microsoft Windows NT 4.0 Server
    • Microsoft Windows NT 4.0 Server, Enterprise Edition
    • Microsoft Windows NT 4 Terminal Server Edition
    • Microsoft Windows 2000 Professional
    • Microsoft Windows 2000 Server
    • Microsoft Windows 2000 Advanced Server
    • Microsoft Windows XP Professional
      Impact: Local privilege elevation and run code of attacker's
      choice.
      Recommendation: Administrators should consider applying the patch to
      machines that allow unprivileged users to log onto them interactively
      such as workstations and Terminal Servers.
      Max Risk: Moderate
      Bulletin: MS02-017

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-017.asp.


Issue:

The Multiple UNC Provider (MUP) is a Windows service that assists in
locating network resources that are identified via UNC (uniform
naming convention). The MUP receives commands containing UNC names from
applications and sends the name to each registered UNC provider, LAN Manager
workstation, and any others that are installed. When a provider identifies a UNC
name as its own, the MUP automatically redirects future instances of that name to
that provider.

When MUP requests a file using the uniform naming convention (UNC), it
will allocate a buffer to store this request. There is proper input
checking in this first buffer. However, MUP stores another copy of
the file request in a buffer when it sends this request to a redirector. This
second copy of the buffer does not check inputs correctly, thereby creating the
possibility that a resource request to it from an unprivileged process could cause
a buffer overrun. The overrun could be exploited for either of two purposes:
causing a system failure, or running code on the system with Local System
privileges.

Mitigating Factors:

  • The MUP request can only be levied by a process on the local
    system. As a result, the vulnerability could only be exploited by a user who
    could log onto an affected system interactively.
  • On Windows 2000 systems, the vulnerability could not reliably be
    used to run code. This is because the attacker would need to know where the
    buffer was located in memory, but in Windows 2000 this is not externally
    discoverable or controllable.
  • Best practices suggests that unprivileged users not be allow to
    interactively log onto business-critical servers. If this
    recommendation has been followed machines such as domain controllers, ERP
    servers, print and file servers, database servers, and others would not be at risk
    from this vulnerability.

Risk Rating:

  • Internet systems: Low
  • Intranet systems: Moderate
  • Client systems: Moderate

Patch Availability:

Acknowledgment: