Microsoft WSDAPI Vulnerability (Nov 12, 2009)

A vulnerability has been reported in Microsoft Windows Web Services on Devices API (WSDAPI), which can be exploited by attackers to compromise a vulnerable system.

WSDAPI is an extension of the local Plug and Play model. It allows a client to discover and use remote devices/services over a network. The Devices Profile for Web Services (DPWS) standard defines a set of functionality to perform Web Service messaging, discovery, description, and event generation. In Microsoft Windows Vista and 2008, DPWS is integrated with WSDAPI.

Every device is given a unique identifier when it is manufactured. The identifier is called the Machine GUID and is stored in the registry. When the device is powered on, it broadcasts its GUID via a WS-Discovery Hello message over 3702/UDP. Other devices on the network receive this message and may initiate communication with that device. Once the handshake has been completed, communication continues over 5357/TCP (HTTP) or 5358/TCP (HTTPS). The HTTP messages include various headers and fields, one of which is MIME-Version. A MIME-Version field must appear as follows:

MIME-Version: DIGIT "." DIGIT [CRLF]

There exists a stack corruption vulnerability in Microsoft Windows WSDAPI. Specifically, the vulnerability is due to the way that WSDAPI parses the MIME-Version field of the WS-Discovery message. A remote attacker can exploit this vulnerability by sending a crafted WS-Discovery message, which contains an overly long MIME-Version string, to the target system. Successful exploitation would overwrite critical stack data, such as return addresses and exception handlers, leading to arbitrary code injection and execution with the privileges of the affected service. If code execution is not successful, the vulnerable process may terminate abnormally, causing a denial of service condition.
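As an added illustration of the check a detection engineer would write for this field (example code, not SonicWall's signature or Microsoft's parser), the following validates the MIME-Version header of a captured HTTP request against the strict `DIGIT "." DIGIT` form quoted above and flags anything else. The request samples are constructed for the example; the header block layout (request line, CRLF-separated headers, blank line before the SOAP body) is the ordinary HTTP form DPWS traffic on 5357/TCP uses.

```python
import re

# Strict form from the advisory: MIME-Version: DIGIT "." DIGIT
# Anything longer or differently shaped is treated as a policy violation;
# the bug on the page is triggered by an over-long value, so length alone
# is enough to fail the check even before looking at the characters.
MIME_VERSION_RE = re.compile(r"^[0-9]\.[0-9]$")


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP request into a {lower-cased name: value} dict.

    Only the header block (everything before the first blank line) is read;
    the request line is skipped. Folded or duplicated headers are not
    handled, which is fine for a detection check that only needs to see the
    first MIME-Version value.
    """
    text = raw.decode("latin-1")           # bytes-preserving decode for headers
    head = text.split("\r\n\r\n", 1)[0]    # drop the body
    headers = {}
    for line in head.split("\r\n")[1:]:    # [0] is the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_mime_version(raw: bytes) -> str:
    """Return 'ok', 'missing' or 'malformed' for the request's MIME-Version."""
    value = parse_headers(raw).get("mime-version")
    if value is None:
        return "missing"
    return "ok" if MIME_VERSION_RE.match(value) else "malformed"


def scan(requests: dict) -> dict:
    """Run the check over several named requests; returns {name: verdict}."""
    return {name: check_mime_version(body) for name, body in requests.items()}


# Constructed sample requests (not real captures). Host/URI/body are
# placeholders; only the MIME-Version line differs between them.
_BODY = b"<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\"/>"

GOOD_REQUEST = (
    b"POST /StableWSDiscoveryEndpoint/schemas-xmlsoap-org_ws_2005_04_discovery HTTP/1.1\r\n"
    b"Host: 192.0.2.10:5357\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: application/soap+xml\r\n"
    b"\r\n" + _BODY
)

# Value is far outside DIGIT "." DIGIT: this is the shape the check must flag.
OVERLONG_REQUEST = GOOD_REQUEST.replace(
    b"MIME-Version: 1.0\r\n", b"MIME-Version: " + b"1.0" * 40 + b"\r\n"
)

NO_MIME_REQUEST = GOOD_REQUEST.replace(b"MIME-Version: 1.0\r\n", b"")

SAMPLES = {
    "good": GOOD_REQUEST,
    "overlong": OVERLONG_REQUEST,
    "no_mime": NO_MIME_REQUEST,
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:>9}: {verdict}")
```

The check deliberately accepts only the exact three-character form rather than a "reasonable" length cap, because the advisory gives the grammar and nothing longer is valid; a looser threshold would leave a window in which a value is both non-conforming and unflagged.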

The vulnerability has been assigned CVE-2009-2512. SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3209 MS WSDAPI Memory Corruption Attempt (MS09-063)