[windows_errors] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007

From; Operash 

---------------------------------------------------------------------------
SUMMARY        : [Windows XP] ntdll.dll Buffer Overflow Vulnerability
PRODUCT        : Windows XP ntdll.dll
VERSIONS       : 5.1.2600.1106
VENDOR         : Microsoft Corporation (http://www.microsoft.com/)
SEVERITY       : Critical.
Code Execution, Privilege Escalation.
DISCOVERED BY  : nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-04-24
RELEASED DATE  : 2003-05-30
---------------------------------------------------------------------------

0. PRODUCTS
=============

'ntdll.dll' is a core operating system component that is contained with
Windows NT series.

Microsoft Corporation (http://www.microsoft.com/)


1. DESCRIPTION
================

A buffer overflow vulnerability is in the function
'RtlGetFullPathName_U'
which belongs to the 'ntdll.dll' and is called from some APIs or etc.

This function uses 16 bits integer (unsigned short) to handle the given
string's length inside.  And it cannot get the given string's correct
length
if it was called with a string that has the size over 65536 bytes
(exceeding
size of the maximum of the 16 bits integer).  Then it causes the
overflow on
the given buffer.

As a result, if an attacker made some programs or services that is able
to call
the 'RtlGetFullPathName_U' with a string which has the size over 65536
bytes,
it is possible for him to execute arbitrary codes or escalate his
privilege.


2. SYSTEMS AFFECTED
=====================

ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1

And previous versions may have same vulnerabilities.


3. SYSTEMS NOT AFFECTED
=========================

ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'


4. EXAMINES
=============

ntdll.dll 5.1.2600.1106 - Windows XP Professional SP1
ntdll.dll 5.1.2600.1217 - Windows XP Professional SP1 + Hotfix 'Q815021'


5. VENDOR STATUS
==================

2003-05-28 The vendor released the patch for Windows XP,
And they added this vulnerability's information to the
Security
Bulletin MS03-007.


6. SOLUTION
=============

Apply the patch (Hotfix of 'Q815021') that is provided by the vendor
for the Security Bulletin MS03-007.

http://www.microsoft.com/technet/security/bulletin/ms03-007.asp


7. TECHNICAL DETAILS
======================

'RtlGetFullPathName_U' of 'ntdll.dll' is a function for getting
the complete path.  This function is given the string (path) and the
buffer,
the buffer's size, and it returns the complete path by writing the
complete path on the given buffer.  And This function is called from
a Windows API like 'GetFullPathNameW' or etc.
The buffer overflow vulnerability this function contains is caused by
following reasons;

'RtlGetFullPathName_U' handles the given string (path) using
'UNICODE_STRING'
structure inside.  This structure keeps the string's length as 16 bits
integer
(unsigned short) by its specification.
And the function 'RtlInitUnicodeString' truncates the string's length to
16 bits integer and put it in this structure if the given string's length
is over 65536 bytes (32768 characters).

'RtlGetFullPathName_U' can write the longer data than the given buffer's
length on that buffer because it trusts the given string's length that is
shorter than the actual length which is returned by
'RtlInitUnicodeString',
and then the buffer overflow would occurs.

If it was given an allocated buffer on the stack, the stack based buffer
overflow would occurs.


Remarks:

This vulnerability differs from the known Security Bulletin 'MS03-007'.
The known 'MS03-007' problem was caused by
'RtlDosPathNameToNtPathName_U'.
However it can be said that these are similar vulnerabilities for both of
these has same fundamental causes.
Both are cause by trusting the string size which is acquired by
'UNICODE_STRING'
structure and 'RtlInitUnicodeString' function that cannot handle the
string
length over 16 bits.

In addition, although this vulnerability had also existed in Windows
2000,
it was solved by the patch (Q815021 for Windows 2000) that has been
already
provided by the vendor.


Technical References:

[1] "MSDN Library - UNICODE_STRING"

http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k112_401e.asp

[2] "MSDN Library - RtlInitUnicodeString"

http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k109_6x4i.asp


8. SAMPLE CODE
================

This is the example of a vulnerable program which causes the buffer
overflow
by this vulnerability.  This is not a exploit code.

'GetFullPathNameW' is a vulnerable API that calls 'RtlGetFullPathName_U'
in
its inside.


//------------------------------------------------------
#include <windows.h>
#include <stdio.h>

void vuln_func(wchar_t *long_string)
{
wchar_t *tmp_wc;
wchar_t buffer[0x100*2];

printf("ready ... \n");

//
// about 'GetFullPathName'
//
http://msdn.microsoft.com/library/en-us/fileio/base/getfullpathname.asp
//
// RtlGetFullPathName_U is called from GetFullPathNameW.
//

GetFullPathNameW(long_string, 0x100, buffer, &tmp_wc);


// No return here.
printf("returned\n");
}

const int vuln_length = 0x8008;    // 0xFFFF & (0x8008*2) == 0x10

int main()
{
wchar_t *p = new wchar_t[vuln_length + 32];

memset(p, 0x90, vuln_length*sizeof(wchar_t));
p[vuln_length] = 0;

vuln_func(p);

delete[] p;
return 0;
}
//--------------------------------------------------------


9. TIME TABLE
===============

2003-04-20 Discovered this vulnerability.
2003-04-24 Reported to 'Microsoft Security Response Center' of the
vendor.
2003-04-24 Got the reply from the vendor.
2003-05-08 Asked the status to the vendor.
2003-05-13 Got the reply from the vendor.
2003-05-28 The vendor released the patch and the information.
2003-05-30 Released this advisory.


10. REFERENCES
================

[1] Microsoft Security Bulletin MS03-007
"Unchecked Buffer In Windows Component Could Cause Server Compromise
(815021)"
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

[2] "CAN-2003-0109"
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109


11. DISCLAIMER
================

A. We cannot guarantee the accuracy of all statements in this
information.
B. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
C. And we will take no responsibility for any kinds of disadvantages by
using this information.
D. You can quote this advisory without our permission if you keep the
following;
a. Do not distort this advisory's content.
b. A quoted place should be a medium on the Internet.
E. If you have any questions, please contact to us.


* Exception

We strictly forbid 'Secunia' (http://www.secunia.com/) to republish or
redistribute our advisory.
Because they've violated our policy and abused our advisory.


12. CONTACT, ETC
==================

:: Operash ::

imagine (Operash Webmaster)
nesumin <nesumin@xxxxxxxxxxxx>


Thanks to :

melorin
piso(sexy)


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www.mwn.ca/ UPDATED 28/05/03
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages  
<http://www3.telus.net/mikebike/mikes_virus_page.htm> 
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance Charter Member

Other related posts: