Microsoft Security Bulletin MS02-017

Technical description:

The Multiple UNC Provider (MUP) is a Windows service that assists in locating network resources that are identified via UNC (uniform naming convention). The MUP receives commands containing UNC names from applications and sends the name to each registered UNC provider, LAN Manager workstation, and any others that are installed. When a provider identifies a UNC name as its own, the MUP automatically redirects future instances of that name to that provider.

When MUP receives a file request, it allocates a buffer in which to store it. There is proper input checking in this first buffer. However, MUP stores another copy of the file request in a buffer when it sends this request to a redirector. This second copy of the buffer does not check inputs correctly, thereby creating the possibility that a resource request to it from an unprivileged process could cause a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with Local System privileges.

Mitigating factors: 

Severity Rating: 

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-0151 

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000 and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This is a buffer overrun buffer overflow that results in a privilege elevation vulnerability. If an attacker successfully exploited this vulnerability, he could gain complete control over the machine. This would allow him to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group.
In order to exploit this vulnerability, the attacker would need to be able to log on locally. This means the attacker would need the ability to log onto the target machine interactively and run code on the system. By default, unprivileged users cannot interactively log onto NT4 Domain Controllers, and if normal security precautions have been taken, the only machines at risk will be workstations and terminal servers.

What causes the vulnerability?
The vulnerability results because the MUP (Multiple UNC Provider) service contains an unchecked buffer. By sending a specially malformed request, it could be possible conduct a buffer overrun attack against an affected system.

What is UNC?
UNC (Uniform naming convention) is a method of identifying resources such as share names or files on a network. A typical UNC name begins with two backslashes followed by a server name:
\\server\share\subdirectory\filename

What is MUP?
The Multiple UNC Provider (MUP) is a Windows service that assists in locating network resources that are identified via UNC (uniform naming convention). The MUP receives commands containing UNC names from applications and sends the name to each registered UNC provider, LAN Manager workstation, and any others that are installed. When a provider identifies a UNC name as its own, the MUP automatically redirects future instances of that name to that provider.

What's wrong with MUP?
When MUP requests a file using the uniform naming convention (UNC), it will allocate a buffer to store this request. There is proper input checking on this first buffer. However, MUP stores another copy of the file request in a buffer when it sends this request to a redirector. This second copy of the buffer does not check inputs correctly. As a result, it could be possible for a MUP request to result in a buffer overrun.

What could the attacker do with this vulnerability?
The attacker could use this vulnerability to run code in the context of the LocalSystem account, that is, as the operating system itself. However, it is possible the buffer overflow will not always be successful and in this instance, the attacker could create a denial of service situation by rebooting the target machine. If the attacker is successful in elevating privilege to that of LocalSystem, the attacker could take any desired action on the machine.

How could an attacker exploit this vulnerability?
The attacker would first need the ability to log on to the target machine with valid user credentials. Once logged in, the attacker would have to be able to copy a program that calls the MUP service in a way that exploits the vulnerability.

Could this vulnerability be exploited remotely?
No. The attacker's program would need to run locally on the machine. This means the attacker would need the ability to log onto the machine interactively and start the malicious program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as domain controllers, and as a result would be unable to attack them.

What systems would be most at risk?
Workstations and terminal servers are at the greatest risk for this vulnerability because they let users log on interactively by design.

Why is this is harder to exploit on Windows 2000?
The kernel manages the second copy of the buffer which this vulnerability overflows. The kernel is not externally controllable and therefore unpredictable. The result would most likely be a system blue screen or reboot.

What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking on the MUP service.

Download locations for this patch

Installation platforms:

•	Windows NT 4.0: The Windows NT 4.0 patch can be installed on systems running Service Pack 6a
•	The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 TSE Service Pack 6.
•	Windows 2000: This patch can be installed on systems running Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2
•	The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:

•	The fix for this issue will be included in Windows 2000 Service Pack 3.
•	The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation: 

Windows NT 4.0 Service Pack 6a:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q312895
•	To verify the individual files, consult the file manifest in Knowledge Base article Q311967. The information in this article supersedes the information that was in Q312895.

Windows NT 4.0 Terminal Server Edition Service Pack 6:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q312895.
•	To verify the individual files, consult the file manifest in Knowledge Base article Q311967. The information in this article supersedes the information that was in Q312895.

Windows 2000 Service Pack 2:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q311967
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q311967\Filelist

Windows XP:

•	To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q311967
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q311967\Filelist

Caveats:

None

Localization:

Localized versions of this patch are currently available, at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section