Vulnerability Note VU#998653

Microsoft Plug and Play contains a buffer overflow vulnerability

Overview

Microsoft Plug and Play contains a flaw in the handling of message buffers that may result in local or remote arbitrary code execution or denial-of-service conditions.

I. Description

The following is from the Microsoft Plug and Play description:

Plug and Play (PnP) allows the operating system to detect new hardware when you install it on a system. For example, when you install a new mouse on your system, PnP allows Windows to detect it, allows Windows to load the needed drivers, and allows Windows to begin using the new mouse.

According to Microsoft Security Advisory 899588:
While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. This is because of enhanced security built directly into the affected component. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 2 and Windows Server 2003 are not vulnerable remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.

While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts on Windows XP Service Pack 1. The existing exploit code is not designed to provide the authentication required to exploit this issue on these operating systems. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 1 systems are not vulnerable remotely by anonymous users.

This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.

Windows XP mitigates several security vulnerabilities by preventing users who do not have a valid logon credential from accessing the system remotely. An example of this is the vulnerability that is addressed in Microsoft Security Bulletin MS05-039. However, when you enable Simple File Sharing, the Guest account is also enabled and given permission to access the system through the network. Because the Guest account is a valid account when it is enabled, and is given permission to access the system through the network, an attacker could use the Guest account as if they had a valid user account. There is no known attack that is seeking to exploit this scenario. The Advisory is being issued as a special precaution. There is no change to the update in Security Bulletin MS05-039. Customers who have applied this update are protected in this scenario. Mitigating Factors:

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows 2000.

A remote, unauthenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows XP SP1.

Please see Microsoft Security Bulletin MS05-039 for information on fixes, updates, and workarounds.

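
The Guest-account scenario described above can be audited per host from the text output of two standard commands, net user Guest and reg query on the Lsa key. The Python below is an added example, not part of the original note or of Microsoft's advisories; it uses constructed sample output, takes the MS05-039 installation status as an input, and assumes that forceguest=1 under the Lsa key indicates Simple File Sharing.

```python
import re

# Constructed sample command output (not captured from a real host):
# `net user Guest` and `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa`.
SAMPLE_NET_USER = """\
User name                    Guest
Full Name
Account active               Yes
Account expires              Never
"""

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    forceguest    REG_DWORD    0x1
    limitblankpassworduse    REG_DWORD    0x1
"""


def guest_active(net_user_output):
    """True when `net user Guest` reports the account as active."""
    m = re.search(r"^Account active\s+(\w+)", net_user_output, re.M | re.I)
    return bool(m) and m.group(1).lower() == "yes"


def reg_dword(reg_output, name):
    """Return a REG_DWORD value from `reg query` output, or None if absent."""
    pattern = r"^\s*" + re.escape(name) + r"\s+REG_DWORD\s+0x([0-9a-f]+)"
    m = re.search(pattern, reg_output, re.M | re.I)
    return int(m.group(1), 16) if m else None


def guest_exposure(net_user_output, reg_output, ms05_039_installed):
    """List the reasons a host matches the Guest scenario; empty if none."""
    if ms05_039_installed:
        return []  # per the note: hosts with the MS05-039 update are protected
    reasons = []
    if guest_active(net_user_output):
        reasons.append("Guest account is active")
    # Assumption: forceguest=1 marks Simple File Sharing (network logons as Guest).
    if reg_dword(reg_output, "forceguest") == 1:
        reasons.append("forceguest=1 (network logons mapped to Guest)")
    if reasons:
        reasons.insert(0, "MS05-039 update not installed")
    return reasons


if __name__ == "__main__":
    for line in guest_exposure(SAMPLE_NET_USER, SAMPLE_REG_QUERY, False):
        print("FINDING:", line)
```
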
References
This vulnerability was reported in Microsoft Security Advisory MS05-039. Microsoft credits Neel Mehta of ISS X-Force for reporting the issue and Jean-Baptiste Marchand of Herve Schauer Consultants for additional help with related issues. This document was written by Ken MacInnis.
If you have feedback, comments, or additional information about this vulnerability, please send us email.