MS08-067 Server Service Buffer Overflow (Oct 23, 2008)
A vulnerability has been reported in the Server service of most versions of Microsoft Windows. This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers. These remote access facilities are often utilized for Remote Procedure Calls (RPC).
Calling RPC methods on a remote machine entails opening a named pipe as a file and accessing the RPC interface through a Universally Unique Identifier (UUID). Some Microsoft operating systems do not require authentication to access several named pipes. The srvsvc pipe is an alias to the ntsvcs named pipe and can be accessed by several other aliases. The srvsvc interface is registered with the UUID “4B324FC8-1670-01D3-1278-5A47BF6EE188”. The interface exposes a set of functions that enumerate and configure shares, sessions and other resources on the server. Two RPC functions that are provided by the SRVSVC interface are listed below:
- NetprPathCanonicalize
- NetprPathCompare
The function NetprPathCanonicalize, with opcode 31, normalizes a path name by converting slash characters to backslash characters and removing directory traversal sequences. Another RPC function, NetprPathCompare, with opcode 32, internally calls the NetprPathCanonicalize function to normalize path names before comparing them. Thus RPC calls to NetprPathCompare also invoke NetprPathCanonicalize.
The server-side implementation of the NetprPathCanonicalize RPC function is provided by the library NETAPI32.DLL. The calling syntax of this function is as follows:
long NetprPathCanonicalize(
    [in] [string] [unique] wchar_t *ServerName,
    [in] [string] [ref] wchar_t *PathName,
    [in] long OutBufLen,
    [in] [string] [ref] wchar_t *Prefix,
    [in] [out] [ref] long *PathType,
    [in] long PathFlags
);
A stack buffer overflow vulnerability exists in the way the Server service processes the PathName argument to the NetprPathCanonicalize function. The affected code fails to properly handle cases where directory traversal sequences result in traversing past the root path as in the following case:
/pathpart1/../../pathpart2
In such cases, the code internally copies the string, less the traversal sequence and the path component which precedes it, into a calculated destination buffer. The destination for the copied string is found by searching backwards for the slash character which precedes the traversal sequence. Normally, this ends up being the beginning of the source string, so normalizing the first traversal in the above example yields the following string:
/../pathpart2
Since the next traversal sequence to be normalized is not preceded by a path component, the search for the slash character preceding it incorrectly ends up at a memory location in front of the designated buffer. If a slash character happens to exist on the stack at such a location, the source string will be copied to that location.
It has been observed that an attacker can manipulate the stack in a favourable way by calling the affected RPC function twice; on the second call, the copy overwrites the designated stack buffer.
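To make the search-back behaviour concrete, the following is a toy model written for this page; it is not NETAPI32's NetprPathCanonicalize and is not taken from the advisory. The frame layout, the PATH_BASE offset, the stray separator placed at index 8 (standing in for "a slash character that happens to exist on the stack"), and the return codes are all assumptions for illustration. It runs the advisory's example through the unbounded backward search that the text describes and through a bounded search that refuses to look in front of the designated buffer, which is the defensive check the code needed.

```c
/*
 * Toy model of the ".." handling described above, written for this page;
 * it is not NETAPI32's NetprPathCanonicalize. Buffer layout, sizes and
 * return codes are assumptions chosen for illustration.
 *
 * mem[0..PATH_BASE-1] stands for whatever sits on the stack in front of the
 * designated path buffer; the path itself lives at mem[PATH_BASE..].
 */
#include <stdio.h>
#include <string.h>

#define FRAME_SIZE 96
#define PATH_BASE  32

struct frame { char mem[FRAME_SIZE]; };

static struct frame g_frame;   /* frame filled by run(), kept for inspection */

/* Walk backwards from index `from` to the nearest '\\', never below `lower`.
 * Returns the index found, or -1 if there is none in range. */
static int prev_sep(const char *mem, int from, int lower)
{
    for (int i = from; i >= lower; i--)
        if (mem[i] == '\\')
            return i;
    return -1;
}

/* Canonicalize the string at mem[PATH_BASE..]: turn '/' into '\\', then
 * resolve each "\..\" by copying the remainder over the preceding component.
 * checked != 0 bounds the backward search at PATH_BASE (the missing check);
 * checked == 0 lets it run into the bytes in front of the buffer, as the
 * advisory describes.
 * Returns 0 on success, -1 when the traversal would leave the root (rejected),
 * -2 when the unchecked search placed the copy in front of the buffer. */
static int canonicalize(struct frame *f, int checked)
{
    char *p = f->mem + PATH_BASE;
    char *search = p, *dots;

    for (char *c = p; *c; c++)
        if (*c == '/')
            *c = '\\';

    while ((dots = strstr(search, "\\..")) != NULL) {
        if (dots[3] != '\\' && dots[3] != '\0') {
            search = dots + 1;          /* "..foo" is an ordinary name */
            continue;
        }
        /* Remainder after "\..": what follows the traversal, or "\" at end */
        const char *rest = dots[3] ? dots + 3 : "\\";
        /* dots points at the '\' before ".."; find the separator before it */
        int sep_idx = (int)(dots - f->mem);
        int dest = prev_sep(f->mem, sep_idx - 1, checked ? PATH_BASE : 0);

        if (dest < 0)
            return -1;                  /* nothing to cut back to: past the root */

        memmove(f->mem + dest, rest, strlen(rest) + 1);
        if (dest < PATH_BASE)
            return -2;                  /* landed in front of the designated buffer */
        search = p;                     /* string shrank; rescan from the start */
    }
    return 0;
}

/* Load a constructed input into g_frame and canonicalize it. The bytes in
 * front of the buffer are filled with 'A', except a stray '\\' at index 8
 * standing in for "a slash character that happens to exist on the stack". */
static int run(const char *input, int checked)
{
    memset(g_frame.mem, 'A', FRAME_SIZE);
    g_frame.mem[8] = '\\';
    strncpy(g_frame.mem + PATH_BASE, input, FRAME_SIZE - PATH_BASE - 1);
    g_frame.mem[FRAME_SIZE - 1] = '\0';
    return canonicalize(&g_frame, checked);
}

int main(void)
{
    const char *in = "/pathpart1/../../pathpart2";   /* the advisory's example */
    int rc;

    rc = run(in, 1);
    printf("bounded search:   rc=%d  path=\"%s\"\n", rc, g_frame.mem + PATH_BASE);
    rc = run(in, 0);
    printf("unbounded search: rc=%d  path=\"%s\"  bytes in front of buffer: \"%s\"\n",
           rc, g_frame.mem + PATH_BASE, g_frame.mem + 8);
    rc = run("/a/b/../c", 1);
    printf("benign input:     rc=%d  path=\"%s\"\n", rc, g_frame.mem + PATH_BASE);
    return 0;
}
```

With the bounded search, the first traversal still reduces the input to `\..\pathpart2`, exactly as the text describes, and the second traversal is rejected because there is no separator between the buffer start and the sequence. With the unbounded search, the second traversal's destination is the stray separator at index 8, and `\pathpart2` is written in front of the designated buffer. Rejecting (or clamping to the buffer start) at that point is the whole fix; the rest of the algorithm is unchanged.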
A remote attacker can exploit this vulnerability by sending specially crafted RPC requests to an affected system. Successful exploitation may result in execution of arbitrary code on the target host with System privileges. A denial of service condition may ensue in cases of unsuccessful attacks.
SonicWALL has released two signatures which will detect and block generic exploitation attempts of this vulnerability. The following IPS signatures have been deployed to address this issue:
- 1160 – SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
- 1161 – SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
- 1174 – SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
- 1178 – SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
- 1186 – SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)