Security Bulletin

Microsoft Security Bulletin MS03-005 - Important

Unchecked buffer in Windows redirector may permit privilege elevation (810577)

Published: February 05, 2003

Version: 1.0

Originally posted: February 5, 2003

Summary

Who should read this bulletin:  Customers using Microsoft® Windows® XP.

Impact of vulnerability:  Local elevation of privileges

Maximum Severity Rating:  Important

Recommendation:  Customers should consider applying the patch.

Affected Software:

  • Microsoft Windows XP

General Information

Technical details

Technical description:

The Windows Redirector is used by a Windows client to access files, whether local or remote, regardless of the underlying network protocols in use. For example, the "Add a Network Place" Wizard or the NET USE command can be used to map a network share as a local drive, and the Windows Redirector will handle the routing of information to and from the network share.

A security vulnerability exists in the implementation of the Windows Redirector on Windows XP because an unchecked buffer is used to receive parameter information. By providing malformed data to the Windows Redirector, an attacker could cause the system to fail, or if the data was crafted in a particular way, could run code of the attacker's choice.

Mitigating factors:

  • An attacker would require the ability to log onto the system interactively in order to run programs that use the Windows Redirector. This vulnerability cannot be exploited remotely.
  • Windows XP systems that are not shared between users would not be at risk.

Severity Rating:

Windows XP: Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0004

Tested Versions:

Microsoft tested Windows XP to assess whether it is affected by this vulnerability. Windows NT 4.0; Windows NT 4.0, Terminal Server Edition; and Windows 2000 do not contain the code in question and are not affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause the system to fail, or could cause code of the attacker's choice to be executed with system privileges. Code running with system privileges could provide the attacker with the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, and creating or deleting user accounts.

The vulnerability could only be exploited by an attacker who had valid credentials to interactively log onto the computer.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Windows Redirector function on Windows XP.

What is the Windows Redirector?
The Windows Redirector is a component of Windows XP that is used by a Windows client to access files, whether local or remote, regardless of the underlying network protocols in use. For example, the "Add a Network Place" Wizard or the NET USE command can be used to map a network share as a local drive, and the Windows Redirector will handle the routing of information to and from the network share.

What's wrong with the Windows Redirector?
There is a flaw in the way the Windows Redirector command handles the information passed to it. If an overly long parameter were passed to the Windows Redirector, it could overrun the buffer allocated for receiving the information.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Windows XP to fail, or to run code of the attacker's choice with additional privileges on the system.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by logging on to a Windows XP system and running a program that called the Windows Redirector and provided specially malformed parameter information. For example, the attacker could write a program to make the call, or could use a program such as NET USE, which employs the Windows Redirector. If the malformed parameter information were crafted in a particular way, it could be possible to execute code of the attacker's choosing with system privileges.

What is the NET USE command used for?
The NET USE command is used to connect a computer to, or disconnect from, a shared network resource. NET USE can also display information about a computer's current connections.

For example, if a directory were shared as DirA from a computer named ComputerA the following NET USE command would map the shared directory to the N: drive.

NET USE N: \\ComputerA\DirA

The NET USE command can only be run in a Command Prompt window, invoked by Start | Run, or as part of a batch file.

Could this vulnerability be exploited remotely?
No, calls to the Windows Redirector may only be made locally. As a result, an attacker would need to log on to the system using an interactive logon in order to attempt to exploit this vulnerability.

What systems would be at greatest risk from this vulnerability?
Only Windows XP workstations that would allow an attacker to log on interactively would be affected by this vulnerability. A Windows XP system that was not shared with other users could not be attacked using this vulnerability.

Could I accidentally make the system fail because of this vulnerability?
No. The specially malformed parameter data that would need to be passed to the Windows Redirector could not be provided by accident.

What does the patch do?
The patch addresses the vulnerability by correctly handling the parameter information passed to the Windows Redirector.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Windows XP Gold and Windows XP Service Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in Windows XP Service Pack 2.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows XP Gold:

    To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q810577

    To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q810577\Filelist

  • Windows XP Service Pack 1:

    To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q810577

    To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q810577\Filelist
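The two checks above can be scripted. The following is an added example, not part of the original bulletin or any Microsoft tooling: it picks the registry branch that matches the installed service pack, tests for the Q810577 key, and lists whatever the Filelist key records. The function name is hypothetical, and the script assumes that CSDVersion and CurrentVersion under the Windows NT\CurrentVersion key identify the platform and that Filelist stores one subkey per file.

```powershell
# Added example (not from the bulletin): report whether the MS03-005 patch
# markers listed above are present. Targets PowerShell 2.0 so it runs on XP.
function Get-Ms03005PatchStatus {   # hypothetical helper name
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Assumption: CSDVersion is absent/empty on XP Gold, 'Service Pack 1' on SP1.
    $sp = [string]$cv.CSDVersion

    # Bulletin mapping: XP Gold records the patch under SP1, XP SP1 under SP2.
    $branch = $null
    if ($sp -eq '') { $branch = 'SP1' }
    elseif ($sp -eq 'Service Pack 1') { $branch = 'SP2' }

    $status = New-Object PSObject -Property @{
        ServicePack = $sp; Key = $null; Installed = $false; Files = @(); Note = ''
    }
    # Assumption: Windows XP reports CurrentVersion 5.1.
    if ($cv.CurrentVersion -ne '5.1') {
        $status.Note = 'Not Windows XP; the bulletin lists only Windows XP as affected.'
        return $status
    }
    if (-not $branch) {
        $status.Note = 'Service pack level is outside the two platforms the bulletin covers.'
        return $status
    }

    $status.Key = "HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\$branch\Q810577"
    $status.Installed = Test-Path $status.Key

    # Dump the Filelist entries as stored, without assuming value names.
    $fileList = Join-Path $status.Key 'Filelist'
    if ($status.Installed -and (Test-Path $fileList)) {
        $status.Files = @(Get-ChildItem $fileList |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Select-Object * -ExcludeProperty PS*)
    }
    return $status
}

$result = Get-Ms03005PatchStatus
$result | Format-List ServicePack, Key, Installed, Note
$result.Files | Format-List
```

Compare the listed date/time and version values against the files on disk, as the bulletin describes; the key alone shows only that the installer ran.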

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks NSFocus for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 810577 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 February 5, 2003: Bulletin Created.
