Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability

2005.10.12
Credit: Derek Soeder
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability Release Date: October 11, 2005 Date Reported: August 3, 2005 Severity: High (Remote Code Execution with Authentication) Medium (Privilege Escalation to SYSTEM) Vendor: Microsoft Systems Affected: Windows NT 4.0 Windows 2000 Windows XP eEye ID #: EEYEB20050803 OSVDB #: 18830 CVE #: CAN-2005-2120 Overview: eEye Digital Security has discovered a vulnerability in the Windows Plug and Play Service that would allow an unprivileged user to execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could be exploited by an unprivileged user to gain full privileges on a system to which he is logged in interactively. This vulnerability is unrelated to the MS05-039 Plug and Play vulnerability, and is not resolved by the MS05-039 hotfix. We reported this vulnerability to Microsoft roughly a week before the MS05-039 patch was released, but they neglected to address the vulnerability in spite of our warnings. However, generic security measures instituted in the patch now prevent its anonymous exploitation, making the eminent threat an internal attack or mass compromise in a domain setting. Technical Details: UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which provides an RPC interface for accessing device management and notification functionality. The service is default on Windows NT 4.0 and later, and in fact, support for it is hard-coded into the Service Control Manager in SERVICES.EXE. Due to its central importance, the service cannot be stopped once started, and attempting to disable it runs a high risk of rendering the system unusable. The code for UMPNPMGR contains a number of calls to wsprintfW to construct various formatted strings in stack buffers, and in two cases the user input is only validated by whether or not it corresponds to an existent subkey of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnum. Although this registry branch is protected from unprivileged modification, the assumption that any valid key name is safe can nevertheless be circumvented by supplying arbitrary lengths of consecutive backslashes; for example, "HTREEROOT\\0\\\\". The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize (opnum 11), on the UMPNPMGR interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability. For the former, any valid subkey name may be passed in order to reach a vulnerable wsprintfW call, whereas the latter must receive a key name with an empty second (e.g., "HTREE\ROOT


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top