[NT] Plug and Play Vulnerability Allows Remote Code Execution and Local Elevation of Privilege (MS05-047)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Plug and Play Vulnerability Allows Remote Code Execution and Local
Elevation of Privilege (MS05-047)
------------------------------------------------------------------------

SUMMARY

A remote code execution and local elevation of privilege vulnerability
exists in Plug and Play that could allow an authenticated attacker who
successfully exploited this vulnerability to take complete control of the
affected system.

DETAILS

Affected Software:
* Microsoft Windows 2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=FFDB8AB7-F979-41B4-9625-EA51CD503258> Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1559E44A-DDEE-4C86-BF02-A6C3B9BEEE0C> Download the update

Non-Affected Software:
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120>
CAN-2005-2120

Mitigating Factors for Plug and Play Vulnerability:
* On Windows XP Service Pack 2 an attacker must have valid logon
credentials and be able to log on locally to exploit this vulnerability.
The vulnerability could not be exploited remotely by anonymous users or by
users who have standard user accounts. However, the affected component is
available remotely to users who have administrative permissions.

* On Windows 2000 and Windows XP Service Pack 1 an attacker must have
valid logon credentials to try to exploit this vulnerability. The
vulnerability could not be exploited remotely by anonymous users. However,
the affected component is available remotely to users who have standard
user accounts. In certain configurations, anonymous users could
authenticate as the Guest account. For more information, see Microsoft
Security Advisory
<http://www.microsoft.com/technet/security/advisory/906574.mspx> 906574.

Note If the security updates that are provided by Microsoft Security
Bulletin
<http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
MS05-039 have not been installed on Windows 2000, this issue could be
exploited remotely by anonymous users. . If these security updates have
been installed, this issue is restricted to authenticated users on Windows
2000. On Windows XP Service Pack 1, this issue is restricted to
authenticated users, even without the security updates that are provided
by <http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
MS05-039.

* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.

Workarounds for Plug and Play Vulnerability:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Note Other protocols, such as Internetwork Packet Exchange (IPX) and
Sequenced Packet Exchange (SPX), could be vulnerable to this issue. If you
are using vulnerable protocols such as IPX and SPX, you should block the
appropriate ports for those protocols. For more information about IPX and
SPX, visit the following Microsoft Web site.

Note As mentioned in the "Mitigating Factors" section, Windows XP Service
Pack 2 is vulnerable to this issue primarily from an attacker who is
logged on locally. The following workarounds are designed primarily for
earlier operating system versions that are vulnerable to network-based
attacks.

* Block TCP ports 139 and 445 at the firewall:

These ports are used to initiate a connection with the affected protocol.
Blocking them at the firewall, both inbound and outbound, will help
prevent systems that are behind that firewall from attempts to exploit
this vulnerability. We recommend that you block all unsolicited inbound
communication from the Internet to help prevent attacks that may use other
ports. For more information about ports, visit the following Web site.

* To help protect from network-based attempts to exploit this
vulnerability, use a personal firewall, such as the Internet Connection
Firewall, which is included with Windows XP Service Pack 1.

By default, the Internet Connection Firewall feature in Windows XP Service
Pack 1 helps protect your Internet connection by blocking unsolicited
incoming traffic. We recommend that you block all unsolicited incoming
communication from the Internet.

To enable the Internet Connection Firewall feature by using the Network
Setup Wizard, follow these steps:

1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections,
and then click Setup or change your home or small office network. The
Internet Connection Firewall feature is enabled when you select a
configuration in the Network Setup Wizard that indicates that your system
is connected directly to the Internet.

To configure Internet Connection Firewall manually for a connection,
follow these steps:

1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet
Connections, and then click Network Connections.
3. Right-click the connection on which you want to enable Internet
Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Click to select the Protect my computer or network by limiting or
preventing access to this computer from the Internet check box, and then
click OK.

Note If you want to enable certain programs and services to communicate
through the firewall, click Settings on the Advanced tab, and then select
the programs, the protocols, and the services that are required.

* To help protect from network-based attempts to exploit this
vulnerability, enable advanced TCP/IP filtering on systems that support
this feature.

You can enable advanced TCP/IP filtering to block all unsolicited inbound
traffic. For more information about how to configure TCP/IP filtering, see
Microsoft Knowledge Base Article <http://support.microsoft.com/kb/309798>
309798.

* To help protect from network-based attempts to exploit this
vulnerability, block the affected ports by using IPsec on the affected
systems.

Use Internet Protocol security (IPsec) to help protect network
communications. Detailed information about IPsec and about how to apply
filters is available in Microsoft Knowledge Base Article
<http://support.microsoft.com/kb/313190> 313190 and Microsoft Knowledge
Base Article <http://support.microsoft.com/kb/813878> 813878.

What is the scope of the vulnerability?
This is a remote code execution and local privilege elevation
vulnerability. On Windows 2000 and Windows XP Service Pack 1, an
authenticated user could remotely try to exploit this vulnerability. On
Windows XP Service Pack 2, only an administrator can remotely access the
affected component. Therefore, on Windows XP Service Pack 2, this is
strictly a local privilege elevation vulnerability. An anonymous user
cannot remotely attempt to exploit this vulnerability on Windows XP
Service Pack 2.

An attacker who successfully exploited this vulnerability could take
complete control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights.

What causes the vulnerability?
The process that Plug and Play uses to validate user supplied data.

What is Plug and Play?
Plug and Play (PnP) allows the operating system to detect new hardware
when you install it on a system. For example, when you install a new mouse
on your system, PnP allows Windows to detect it, allows Windows to load
the needed drivers, and allows Windows to begin using the new mouse.

What might an attacker use the vulnerability to do?
An authenticated attacker who successfully exploited this vulnerability
could take complete control of the affected system.

How could an attacker exploit the vulnerability?
On Windows 2000 and Windows XP Service Pack 1, an authenticated attacker
could try to exploit the vulnerability by creating a specially crafted
network message and sending the message to an affected system. The message
could then cause the affected system to execute code. In certain Windows
XP configurations, anonymous users could authenticate as the Guest
account. For more information, see Microsoft Security Advisory
<http://www.microsoft.com/technet/security/advisory/906574.mspx> 906574.
To try to exploit this vulnerability on Windows XP Service Pack 2, an
attacker must be able to log on locally to a system and could then run a
specially crafted application.

What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP Service Pack 1 systems are primarily at risk
from this vulnerability. On Windows 2000, Windows XP Service Pack 1, and
Windows XP Service Pack 2 an attacker must have valid logon credentials to
exploit this vulnerability. The vulnerability could not be exploited
remotely by anonymous users on Windows 2000, Windows XP Service Pack 1,
and Windows XP Service Pack 2.

Note If the security updates that are provided by Microsoft Security
Bulletin
<http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
MS05-039 have not been installed on Windows 2000, this issue could be
exploited remotely by anonymous users. . If these security updates have
been installed, this issue is restricted to authenticated users on Windows
2000. On Windows XP Service Pack 1, this issue is restricted to
authenticated users, even without the security updates that are provided
by <http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx>
MS05-039.

Could the vulnerability be exploited over the Internet?
Not in most cases. An attacker must be able to log on to the specific
system that is targeted for attack. Firewall best practices and standard
default firewall configurations can help protect against attacks that
originate from the Internet. Microsoft has provided information about how
you can help protect your PC. End users can visit the Protect Your PC Web
site. IT professionals can visit the Security Guidance Center Web site. On
Windows XP Service Pack 2, an attacker must be able to log on to the
specific system that is targeted for attack. An anonymous attacker cannot
load and run a program remotely by using this vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that the Plug
and Play service validates the length of a message before it passes the
message to the allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

How does this vulnerability relate to the Plug and Play Vulnerability that
is corrected by MS05-039?
Both vulnerabilities affect the Plug and Play component. However, this
update addresses a new vulnerability that was not addressed as part of
MS05-039. MS05-039 helps protect against the vulnerability that is
discussed in that bulletin, but does not address this new vulnerability.
This update does replace MS05-039. You can install this update to help
protect your system against both vulnerabilities.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx>
http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.