MS Workstation Service Vulnerability (Aug 13, 2009)


The Microsoft Windows Workstation service is a new service added in Windows XP, Vista, Server 2003, and later versions. It is started to automatically notify selected users and administrators of administrative alerts. If this service is disabled, any services that explicitly depend on it will fail to start.

The Workstation Service can be accessed through the DCE-RPC interface, and its numerous methods can be called by other processes through the Remote Procedure Call (RPC) interface (UUID: 6bffd098-a112-3610-9833-46c3f87e345a). The interface is accessible through several endpoints and transports such as “wkssvc”. After the interface is successfully bound through a transport, the user is allowed to call the provided RPC methods.
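As an added illustration (not SonicWALL's signature logic and not code from the original advisory), the following Python parses a connection-oriented DCE-RPC bind PDU and reports whether any presentation context requests the Workstation Service interface UUID quoted above, which is the point at which a monitoring tool can log use of the interface. The function names and the sample PDU are constructed for this example.

```python
import struct
import uuid

WKSSVC_UUID = uuid.UUID("6bffd098-a112-3610-9833-46c3f87e345a")  # from the advisory
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")     # NDR transfer syntax
PTYPE_BIND = 11  # connection-oriented DCE-RPC "bind" PDU


def bind_interfaces(pdu: bytes):
    """Return [(context_id, interface_uuid, major, minor)] for a bind PDU, else []."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []
    little = bool(pdu[4] & 0x10)            # packed_drep: integer byte order
    e = "<" if little else ">"
    frag_len = struct.unpack_from(e + "H", pdu, 8)[0]
    end = min(frag_len, len(pdu))
    off, found = 28, []                     # context list: count at 24, elements from 28
    for _ in range(pdu[24]):
        if off + 24 > end:                  # truncated element: stop at the PDU boundary
            break
        ctx_id, n_syn = struct.unpack_from(e + "HBx", pdu, off)
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        ver = struct.unpack_from(e + "I", pdu, off + 20)[0]
        found.append((ctx_id, iface, ver & 0xFFFF, ver >> 16))
        off += 24 + 20 * n_syn              # skip this element's transfer syntaxes
    return found


def binds_wkssvc(pdu: bytes) -> bool:
    """True when any presentation context requests the Workstation Service interface."""
    return any(iface == WKSSVC_UUID for _, iface, _, _ in bind_interfaces(pdu))


def sample_bind(iface: uuid.UUID) -> bytes:
    """Constructed little-endian bind PDU with one context (test input, not a capture)."""
    body = struct.pack("<HHI", 4280, 4280, 0)          # max xmit/recv frag, assoc group
    body += struct.pack("<BxH", 1, 0)                  # one context element
    body += struct.pack("<HBx", 0, 1) + iface.bytes_le + struct.pack("<I", 1)
    body += NDR_UUID.bytes_le + struct.pack("<I", 2)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                      b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return hdr + body


if __name__ == "__main__":
    for ctx in bind_interfaces(sample_bind(WKSSVC_UUID)):
        print(ctx, "wkssvc" if ctx[1] == WKSSVC_UUID else "other")
```

Over SMB the bind travels inside the named-pipe write to “wkssvc”, so the PDU bytes passed in are the pipe payload after the transport has been reassembled.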

The Workstation Service provides multiple methods through its RPC interface. The methods perform tasks such as user information queries, domain changes and additions among other things. A list of some of the supplied methods is shown below:

  • NetrGetJoinInformation
  • NetrJoinDomain2
  • NetrWkstaGetInfo
  • NetrWkstaSetInfo

The NetrGetJoinInformation method, which is listed above, is responsible for retrieving information about the workgroup or domain to which the specified computer is joined. According to the MSDN Windows API definition, the syntax of the NetrGetJoinInformation method is as follows:

    unsigned long NetrGetJoinInformation(
        [in, string, unique] WKSSVC_IMPERSONATE_HANDLE ServerName,
        [in, out, string] wchar_t** NameBuffer,
        [out] PNETSETUP_JOIN_STATUS BufferType
    );

A double free vulnerability exists in vulnerable versions of the Microsoft Windows Workstation service. Specifically, the vulnerability is due to improper handling of requests for the NetrGetJoinInformation method that carry a specially crafted NameBuffer value.

Remote authenticated attackers can exploit this vulnerability to inject and execute arbitrary code with the privileges of the affected service, which is SYSTEM by default.

The SonicWALL UTM research team has released an IPS signature that will detect and block generic attack attempts addressing this issue. The IPS signature is listed below:

  • 4288 MS Windows Workstation Service Memory Corruption Attempt (MS09-041)

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1544. Microsoft refers to this vulnerability in its security advisory MS09-041.
