darkking Posted November 17, 2006

eEye Research - http://research.eeye.com

Workstation Service NetpManageIPCConnect Buffer Overflow

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000 (Remote Code Execution)
Windows XP SP1 (Local Privilege Escalation)

Overview:
A flaw exists in a default Windows component called the "Workstation Service" that when exploited allows for remote code execution in SYSTEM context, allowing an attacker to take complete control of affected systems.

Technical Details:
In the Workstation Service module called wkssvc.dll, the NetpManageIPCConnect function has a call to "swprintf" with an unchecked buffer. The input buffer is controllable by the remote attacker.

.text:76781D67 mov edi, [ebp+arg_0]
...
.text:76781D90 lea eax, [ebp+var_2CC]
...
.text:76781DA0 push edi
.text:76781DA1 push offset "%ws\IPC$"
.text:76781DA6 push eax
.text:76781DA7 call ds:swprintf

This function is called by NetpJoinDomain, which is eventually called by the NetrJoinDomain2 function, which is exposed through RPC.

The IDL for NetrJoinDomain2 looks like this:

long _NetrJoinDomain2@28 (
    [in][unique][string] wchar_t * arg_1,
    [in][string] wchar_t * arg_2,
    [in][unique][string] wchar_t * arg_3,
    [in][unique][string] wchar_t * arg_4,
    [in][unique] struct_C * arg_5,
    [in] long arg_6
);

arg_2 will contain a string with format like <Domain name>+""+<Hostname>. <Hostname> will be passed as NetpManageIPCConnect's first argument. The variable is under the attacker's control and is passed to swprintf, which causes a stack-based buffer overflow.

For this vulnerable code to be reached, we must provide a valid and live <Domain name> as a part of the string. We can set up a fake domain server anywhere reachable from the vulnerable machine on the Internet.

Credit:
Discovery: JeongWook Matt Oh
Additional Research: Derek Soeder
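As an added example (not code from the eEye advisory or from Microsoft), the C below puts the unbounded "format a caller-supplied hostname into a fixed stack buffer" shape the disassembly shows next to the bounded form a reviewer would expect, with a length check before formatting. IPC_PATH_LEN, the function names, and the use of C99 swprintf with %ls in place of the Windows-only %ws are assumptions for illustration.

```c
/* Added example (not eEye's or Microsoft's code). It mirrors the pattern the
 * advisory describes, an attacker-influenced hostname formatted as "%ws\IPC$"
 * into a fixed stack buffer, and shows the bounded form a defender expects.
 * IPC_PATH_LEN and the function names are assumptions for illustration. */
#include <stddef.h>
#include <wchar.h>

#define IPC_PATH_LEN 64   /* constructed; the real wkssvc local is a different size */

/* Unchecked shape: equivalent to swprintf(buf, L"%ws\\IPC$", server) with no
 * bound. The pre-C99 Windows swprintf takes no size argument, so a hostname
 * longer than the local buffer writes past it on the stack. */
void build_ipc_path_unchecked(wchar_t *out, const wchar_t *server)
{
    wcscpy(out, server);        /* no length check: same defect as the advisory */
    wcscat(out, L"\\IPC$");
}

/* Bounded shape: reject input that cannot fit, then format with an explicit
 * size. C99 swprintf takes the buffer length; %ls is the portable equivalent
 * of the Windows-only %ws the disassembly shows. Returns 0 on success, -1 if
 * the hostname would not fit. */
int build_ipc_path_checked(wchar_t *out, size_t out_len, const wchar_t *server)
{
    const wchar_t *suffix = L"\\IPC$";
    size_t need = wcslen(server) + wcslen(suffix) + 1;   /* +1 for the NUL */
    if (need > out_len)
        return -1;
    int n = swprintf(out, out_len, L"%ls%ls", server, suffix);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    wchar_t path[IPC_PATH_LEN];
    wchar_t longname[IPC_PATH_LEN * 2];
    /* constructed hostname longer than the destination buffer */
    wmemset(longname, L'A', IPC_PATH_LEN * 2 - 1);
    longname[IPC_PATH_LEN * 2 - 1] = L'\0';

    if (build_ipc_path_checked(path, IPC_PATH_LEN, L"\\\\dc01") == 0)
        wprintf(L"ok: %ls\n", path);
    if (build_ipc_path_checked(path, IPC_PATH_LEN, longname) != 0)
        wprintf(L"rejected oversized hostname\n");
    return 0;
}
```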