lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030602051509.78CC.NESUMIN@softhome.net>
Date: Mon, 02 Jun 2003 05:29:26 +0900
From: ":: Operash ::" <nesumin@...thome.net>
To: <bugtraq@...urityfocus.com>
Subject: [Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007



---------------------------------------------------------------------------
SUMMARY        : [Windows XP] ntdll.dll Buffer Overflow Vulnerability
PRODUCT        : Windows XP ntdll.dll
VERSIONS       : 5.1.2600.1106
VENDOR         : Microsoft Corporation (http://www.microsoft.com/)
SEVERITY       : Critical.
                 Code Execution, Privilege Escalation.
DISCOVERED BY  : nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-04-24
RELEASED DATE  : 2003-05-30
---------------------------------------------------------------------------

0. PRODUCTS
=============

  'ntdll.dll' is a core operating system component that is contained with
  Windows NT series.

  Microsoft Corporation (http://www.microsoft.com/)


1. DESCRIPTION
================

       A buffer overflow vulnerability is in the function 'RtlGetFullPathName_U'
  which belongs to the 'ntdll.dll' and is called from some APIs or etc.

  This function uses 16 bits integer (unsigned short) to handle the given
  string's length inside.  And it cannot get the given string's correct length
  if it was called with a string that has the size over 65536 bytes (exceeding
  size of the maximum of the 16 bits integer).  Then it causes the overflow on
  the given buffer.

  As a result, if an attacker made some programs or services that is able to call
  the 'RtlGetFullPathName_U' with a string which has the size over 65536 bytes,
  it is possible for him to execute arbitrary codes or escalate his privilege.


2. SYSTEMS AFFECTED
=====================

  ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1

  And previous versions may have same vulnerabilities.


3. SYSTEMS NOT AFFECTED
=========================

  ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'


4. EXAMINES
=============

  ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1
  ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'


5. VENDOR STATUS
==================

  2003-05-28 The vendor released the patch for Windows XP,
             And they added this vulnerability's information to the Security
             Bulletin MS03-007.


6. SOLUTION
=============

  Apply the patch (Hotfix of 'Q815021') that is provided by the vendor
  for the Security Bulletin MS03-007.

  http://www.microsoft.com/technet/security/bulletin/ms03-007.asp


7. TECHNICAL DETAILS
======================

       'RtlGetFullPathName_U' of 'ntdll.dll' is a function for getting
  the complete path.  This function is given the string (path) and the buffer,
  the buffer's size, and it returns the complete path by writing the
  complete path on the given buffer.  And This function is called from
  a Windows API like 'GetFullPathNameW' or etc.
  The buffer overflow vulnerability this function contains is caused by
  following reasons;

  'RtlGetFullPathName_U' handles the given string (path) using 'UNICODE_STRING'
  structure inside.  This structure keeps the string's length as 16 bits integer
  (unsigned short) by its specification.
  And the function 'RtlInitUnicodeString' truncates the string's length to
  16 bits integer and put it in this structure if the given string's length
  is over 65536 bytes (32768 characters).

  'RtlGetFullPathName_U' can write the longer data than the given buffer's
  length on that buffer because it trusts the given string's length that is
  shorter than the actual length which is returned by 'RtlInitUnicodeString',
  and then the buffer overflow would occurs.

  If it was given an allocated buffer on the stack, the stack based buffer
  overflow would occurs.


  Remarks:

  This vulnerability differs from the known Security Bulletin 'MS03-007'.
  The known 'MS03-007' problem was caused by 'RtlDosPathNameToNtPathName_U'.
  However it can be said that these are similar vulnerabilities for both of
  these has same fundamental causes.
  Both are cause by trusting the string size which is acquired by 'UNICODE_STRING'
  structure and 'RtlInitUnicodeString' function that cannot handle the string
  length over 16 bits.

  In addition, although this vulnerability had also existed in Windows 2000,
  it was solved by the patch (Q815021 for Windows 2000) that has been already
  provided by the vendor.


  Technical References:

  [1] "MSDN Library - UNICODE_STRING"
      http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k112_401e.asp

  [2] "MSDN Library - RtlInitUnicodeString"
      http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k109_6x4i.asp


8. SAMPLE CODE
================

  This is the example of a vulnerable program which causes the buffer overflow
  by this vulnerability.  This is not a exploit code.

  'GetFullPathNameW' is a vulnerable API that calls 'RtlGetFullPathName_U' in
  its inside.


  //------------------------------------------------------
  #include <windows.h>
  #include <stdio.h>

  void vuln_func(wchar_t *long_string)
  {
      wchar_t *tmp_wc;
      wchar_t buffer[0x100*2];

      printf("ready ... \n");

      //
      // about 'GetFullPathName'
      // http://msdn.microsoft.com/library/en-us/fileio/base/getfullpathname.asp
      //
      // RtlGetFullPathName_U is called from GetFullPathNameW.
      //

      GetFullPathNameW(long_string, 0x100, buffer, &tmp_wc);


      // No return here.
      printf("returned\n");
  }

  const int vuln_length = 0x8008;    // 0xFFFF & (0x8008*2) == 0x10

  int main()
  {
      wchar_t *p = new wchar_t[vuln_length + 32];

      memset(p, 0x90, vuln_length*sizeof(wchar_t));
      p[vuln_length] = 0;

      vuln_func(p);

      delete[] p;
      return 0;
  }
  //--------------------------------------------------------


9. TIME TABLE
===============

  2003-04-20 Discovered this vulnerability.
  2003-04-24 Reported to 'Microsoft Security Response Center' of the vendor.
  2003-04-24 Got the reply from the vendor.
  2003-05-08 Asked the status to the vendor.
  2003-05-13 Got the reply from the vendor.
  2003-05-28 The vendor released the patch and the information.
  2003-05-30 Released this advisory.


10. REFERENCES
================

  [1] Microsoft Security Bulletin MS03-007
      "Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)"
      http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

  [2] "CAN-2003-0109"
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109


11. DISCLAIMER
================

  A. We cannot guarantee the accuracy of all statements in this information.
  B. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  C. And we will take no responsibility for any kinds of disadvantages by
     using this information.
  D. You can quote this advisory without our permission if you keep the following;
     a. Do not distort this advisory's content.
     b. A quoted place should be a medium on the Internet.
  E. If you have any questions, please contact to us.


  * Exception

     We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
     redistribute our advisory.
     Because they've violated our policy and abused our advisory.


12. CONTACT, ETC
==================

  :: Operash ::

  imagine (Operash Webmaster)
  nesumin <nesumin@...thome.net>


  Thanks to :

    melorin
    piso(sexy)





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ