What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause the system to fail, or could cause code of the attacker's choice to be executed with system privileges. Code running with system privileges could provide the attacker with the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, and creating or deleting user accounts.
The vulnerability could only be exploited by an attacker who had valid credentials to interactively log onto the computer.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Windows Redirector function on Windows XP.
What is the Windows Redirector?
The Windows Redirector is a component of Windows XP that is used by a Windows client to access files, whether local or remote, regardless of the underlying network protocols in use. For example, the "Add a Network Place" Wizard or the NET USE command can be used to map a network share as a local drive, and the Windows Redirector will handle the routing of information to and from the network share.
What's wrong with the Windows Redirector?
There is a flaw in the way the Windows Redirector handles the parameter information passed to it. If an overly long parameter were passed to the Windows Redirector, it could overrun the buffer allocated to receive the information.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Windows XP to fail, or to run code of the attacker's choice with additional privileges on the system.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by logging on to a Windows XP system and running a program that called the Windows Redirector with specially malformed parameter information. For example, the attacker could write a program to make the call directly, or could use a program such as NET USE, which employs the Windows Redirector. If the malformed parameter information were specially crafted, it could be possible to execute code of the attacker's choosing with system privileges.
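The bug class the two preceding answers describe (an overly long parameter copied into a fixed-size buffer) is easier to see beside its corrected form. The following is an added illustration written for this page, not Microsoft's code and not the Windows Redirector's actual parser: it splits a UNC path of the form \\server\share into fixed-size fields, first with the unchecked copy that produces an overrun, then with the length check a corrected implementation needs. The field size, function names and the overlong input are assumptions chosen for the example.

```c
/* Added illustration (not the Windows Redirector's code): the unchecked-buffer
 * pattern the bulletin describes, shown as a tiny UNC-path parser, beside the
 * bounded version.  NAME_MAX_LEN and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed field size; the real component's limits differ */

struct share_target {
    char server[NAME_MAX_LEN];
    char share[NAME_MAX_LEN];
};

/* Returns a pointer to the share component and stores the server length, or
 * returns NULL if the string is not of the form \\server\share (the only
 * syntax this example accepts). */
static const char *split_unc(const char *path, size_t *server_len)
{
    const char *srv, *sep;
    if (strncmp(path, "\\\\", 2) != 0)
        return NULL;
    srv = path + 2;
    sep = strchr(srv, '\\');
    if (sep == NULL || sep == srv || sep[1] == '\0')
        return NULL;
    *server_len = (size_t)(sep - srv);
    return sep + 1;
}

/* VULNERABLE pattern: caller-supplied components are copied into fixed
 * buffers with no length check.  An overly long server or share name writes
 * past the struct, the defect class the bulletin describes.  It is here only
 * to show the bug shape; never call it with untrusted or long input. */
int parse_unc_unchecked(const char *path, struct share_target *out)
{
    size_t server_len;
    const char *share = split_unc(path, &server_len);
    if (share == NULL)
        return -1;
    memcpy(out->server, path + 2, server_len);   /* no bound check */
    out->server[server_len] = '\0';              /* may land past the field */
    strcpy(out->share, share);                   /* no bound check */
    return 0;
}

/* CORRECTED pattern: every copy is bounded by the destination size and an
 * overly long component is rejected instead of written.  Returns 0 on
 * success, -1 on malformed syntax, -2 when a component would not fit. */
int parse_unc_checked(const char *path, struct share_target *out)
{
    size_t server_len, share_len;
    const char *share = split_unc(path, &server_len);
    if (share == NULL)
        return -1;
    share_len = strlen(share);
    /* each field needs room for its terminating NUL */
    if (server_len >= sizeof out->server || share_len >= sizeof out->share)
        return -2;
    memcpy(out->server, path + 2, server_len);
    out->server[server_len] = '\0';
    memcpy(out->share, share, share_len + 1);
    return 0;
}

int main(void)
{
    struct share_target t;
    char longpath[300];
    int i;

    /* the bulletin's own NET USE target, well formed and short */
    if (parse_unc_checked("\\\\ComputerA\\DirA", &t) == 0)
        printf("server=%s share=%s\n", t.server, t.share);

    /* constructed overlong share name: the checked parser rejects it, while the
     * unchecked parser would overrun the struct on the same input */
    memcpy(longpath, "\\\\ComputerA\\", 12);
    for (i = 12; i < 298; i++)
        longpath[i] = 'A';
    longpath[298] = '\0';
    printf("checked rc=%d\n", parse_unc_checked(longpath, &t));
    return 0;
}
```

The point of the pair is that the check belongs in the component receiving the parameter, not in the caller: NET USE, a custom program, or any other caller can hand the redirector whatever it likes, so the receiving code must bound every copy by its own buffer size and reject what does not fit.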
What is the NET USE command used for?
The NET USE command is used to connect a computer to, or disconnect from, a shared network resource. NET USE can also display information about a computer's current connections.
For example, if a directory were shared as DirA from a computer named ComputerA the following NET USE command would map the shared directory to the N: drive.
NET USE N: \\ComputerA\DirA
The NET USE command can only be run in a Command Prompt window, invoked by Start | Run, or as part of a batch file.
Could this vulnerability be exploited remotely?
No, calls to the Windows Redirector may only be made locally. As a result, an attacker would need to log on to the system using an interactive logon in order to attempt to exploit this vulnerability.
What systems would be at greatest risk from this vulnerability?
Only Windows XP workstations that allow an attacker to log on interactively would be affected by this vulnerability. A Windows XP system that was not shared with other users could not be attacked using this vulnerability.
Could I accidentally make the system fail because of this vulnerability?
No. The specially malformed parameter data that would need to be passed to the Windows Redirector could not be provided by accident.
What does the patch do?
The patch addresses the vulnerability by correctly handling the parameter information passed to the Windows Redirector.