Vulnerability Note VU#998653

Microsoft Plug and Play contains a buffer overflow vulnerability

Original Release date: 09 Aug 2005 | Last revised: 15 Nov 2005

Overview

Microsoft Plug and Play contains a flaw in the handling of message buffers that may result in local or remote arbitrary code execution or denial-of-service conditions.

Description

The following is from the Microsoft Plug and Play description:

    Plug and Play (PnP) allows the operating system to detect new hardware when you install it on a system. For example, when you install a new mouse on your system, PnP allows Windows to detect it, allows Windows to load the needed drivers, and allows Windows to begin using the new mouse.

The Plug and Play service in Microsoft Windows contains a buffer overflow that may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

According to Microsoft Security Advisory 899588:
    Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users. However, because of a large application compatibility risk, we do not recommend customers enable this setting in production environments without first extensively testing the setting in their environment. For more information, search for RestrictAnonymous at the Microsoft Help and Support Web site.

    While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. This is because of enhanced security built directly into the affected component. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 2 and Windows Server 2003 are not vulnerable remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.

    While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts on Windows XP Service Pack 1. The existing exploit code is not designed to provide the authentication required to exploit this issue on these operating systems. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 1 systems are not vulnerable remotely by anonymous users.

    This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.
Microsoft Security Advisory 906574 also notes the following limited scope of vulnerability for Windows XP SP1 in a non-default configuration:
    If Simple File Sharing is enabled on a Microsoft Windows XP system that is not joined to a domain, then all users who access this system through the network are forced to use the Guest account. This is the “Network access: Sharing and security model for local accounts security policy setting, and is also known as ForceGuest.

    Windows XP mitigates several security vulnerabilities by preventing users who do not have a valid logon credential from accessing the system remotely. An example of this is the vulnerability that is addressed in Microsoft Security Bulletin MS05-039. However, when you enable Simple File Sharing, the Guest account is also enabled and given permission to access the system through the network. Because the Guest account is a valid account when it is enabled, and is given permission to access the system through the network, an attacker could use the Guest account as if they had a valid user account.

    There is no known attack that is seeking to exploit this scenario.  The Advisory is being issued as a special precaution. There is no change to the update in Security Bulletin MS05-039. Customers who have applied this update are protected in this scenario.

    Mitigating Factors:

    Windows XP Service Pack 2 is not vulnerable remotely to the issue addressed by MS05-039 even when Simple File Sharing enables the Guest account. On Windows XP Service Pack 2, the impact of this vulnerability is only Local Privilege Elevation, and only exploitable if a user has the ability to logon locally to the system.
    Simple File Sharing is not available on Windows XP systems that are joined to a domain. Domain-joined systems use standard file sharing which does not enable the Guest account or give it permissions to access the system through the network. Windows XP Service Pack 2 is not vulnerable remotely in domain-joined systems or in workgroup-joined systems.
    Enabling Simple File Sharing does not expose customers who have applied the security updates provided by Microsoft Security Bulletin MS05-039 to the vulnerability that is addressed by that security bulletin.
Please note that multiple variants of exploit code for this vulnerability are publicly available. In addition, reports indicate that this vulnerability is being actively exploited by malicious software including the Zotob worm. The exploit code seen in the wild includes but is not limited to functionality that attempts to remove software (including anti-virus applications and other countermeasures) and that opens a backdoor that allows the computer to be remotely controlled through mediums such as Internet Relay Chat (IRC), known as a "zombie".

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows 2000.
A remote, unauthenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows XP SP1.

A local, authenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows XP SP2 and Server 2003.

Solution

Apply An Update
Please see Microsoft Security Bulletin MS05-039 for information on fixes, updates, and workarounds.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-09 Aug 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported in Microsoft Security Advisory MS05-039. Microsoft credits Neel Mehta of ISS X-Force for reporting the issue and Jean-Baptiste Marchand of Herve Schauer Consultants for additional help with related issues.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2005-1983
  • Date Public: 09 Aug 2005
  • Date First Published: 09 Aug 2005
  • Date Last Updated: 15 Nov 2005
  • Severity Metric: 51.98
  • Document Revision: 42

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.