Microsoft Windows Plug and Play Remote Code Execution Vulnerability
Unintended Weakness: Buffer Overflow
2005 August 09 20:47 GMT
2005 August 24 20:12 GMT
Microsoft has released a security advisory stating that systems running Windows XP SP1 with Simple File Sharing enabled may be at increased risk of exploitation for the Windows Plug and Play remote code execution vulnerability.
Microsoft Windows 2000, XP and Server 2003 contain a vulnerability within the Plug and Play (PnP) service that could result in the execution of arbitrary code with elevated privileges.
The vulnerability exists in the Plug and Play service as a result of insufficient bounds checking of user-supplied data. On Windows 2000 and 2000 Server, an anonymous remote attacker or an authenticated local attacker could exploit this vulnerability by submitting a malicious message to create a buffer overflow condition. The PnP service is restricted to locally authenticated users on Windows Server 2003 and Windows XP SP2. However, a remotely authenticated user could exploit Windows XP SP1 systems to execute arbitrary code with elevated privileges.
Exploit code is
Patches are available.
Systems running the following Microsoft products are vulnerable:
Microsoft Windows 2000 SP4 and prior
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 SP1 or prior
Microsoft Windows Server 2003 SP1 or prior for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
The fact that most enterprise networks block the exploitable ports (139/tcp and 445/tcp) helps mitigate the risk associated with this vulnerability. Allowing unfiltered inbound access to these ports exposes production systems to misuse. Administrators should consider blocking access to these ports from untrusted networks.
Administrative users can remotely access the PnP service on Windows XP SP2 and Server 2003 machines. Because administrators already hold elevated privileges, exploitation of the issue in this manner is unlikely.
Administrators are advised to apply the appropriate updates during the next scheduled patch cycle. Windows 2000 systems accessible via untrusted networks or by untrusted users should apply the appropriate update as soon as possible.
Exploit code is available for this vulnerability, and may increase the likelihood of an attack.
Reports indicate that malicious code exploiting this vulnerability has been found in the wild. Currently, infection rates are low, but as new variants of the worms are produced, the infection rate may increase. Cybertrust is reporting on the Zotob worm in alert 9591 and Sdbot in alert 4917.
Only Windows XP systems that are not members of a domain can enable Simple File Sharing.
Microsoft has released a security bulletin at the following link: MS05-39
Microsoft has released security advisories at the following links: 899588 and 906574
US-CERT has released a technical cyber security alert and vulnerability note at the following link: TA05-221A and VU#998653
An attacker could execute arbitrary code with SYSTEM privileges.
To exploit this issue, an attacker could create a malicious message and submit it to a vulnerable PnP service. The vulnerability exists due to a buffer overflow condition that results from a lack of bounds checking of user-supplied input. An attacker able to trigger the vulnerability could create an exploitable buffer overflow condition that may allow the execution of arbitrary code with SYSTEM privileges.
When Simple File Sharing is enabled on Windows XP systems with SP1 installed, the Guest account is enabled by default. Windows XP systems using SP1 that are joined in a domain do not use Simple File Sharing. However, if the system used Simple File Sharing prior to joining a domain, the Guest account may still be enabled. All remote users who access file shares on the system must use the Guest account. Since the Guest account allows remote authenticated access, there is an increased likelihood that an attacker could exploit these systems.
Administrators are advised to apply the appropriate patches.
Administrators are advised to restrict access to ports 139/tcp and 445/tcp to trusted users only.
Administrators are advised to enable local firewalls on individual hosts to screen TCP/IP traffic.
Administrators are advised to disable Simple File Sharing on Windows XP systems with SP1 installed.
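The platform notes and mitigations above amount to a per-host triage rule: who can reach the PnP service (anonymous on Windows 2000, the Guest account on XP SP1 with Simple File Sharing, local users or remote administrators elsewhere) and whether 139/tcp and 445/tcp are filtered to trusted networks. The following script is an added example, not part of the alert or of any Microsoft tooling; the Host fields, the TRUSTED_NETWORKS list and the urgency labels are assumptions chosen to illustrate the triage, and the sample hosts are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumption: the site's internal ranges, the only sources allowed to reach 139/445.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass
class Host:
    """Facts an administrator collects about one Windows host (hypothetical schema)."""
    name: str
    product: str              # "2000", "XP" or "2003"
    service_pack: int
    domain_member: bool
    simple_file_sharing: bool  # XP only; per the alert this enables Guest by default
    guest_enabled: bool
    patched: bool              # MS05-39 update installed
    inbound_allowed_from: list  # CIDR strings permitted to reach 139/tcp and 445/tcp


def ports_exposed_to_untrusted(host):
    """True when any permitted inbound source lies outside every trusted network."""
    for cidr in host.inbound_allowed_from:
        net = ip_network(cidr)
        if not any(net.subnet_of(t) for t in TRUSTED_NETWORKS):
            return True
    return False


def who_can_reach_pnp(host):
    """Least-privileged principal able to hit the PnP service, per the alert's platform notes."""
    if host.product == "2000":
        return "anonymous remote"
    if host.product == "XP" and host.service_pack == 1:
        if host.simple_file_sharing or host.guest_enabled:
            return "remote authenticated (Guest)"
        return "remote authenticated"
    return "local authenticated / remote administrators"


def assess(host):
    """Return (urgency, reasons): 'critical' matches the alert's patch-now case for Windows 2000."""
    if host.patched:
        return "low", ["patched"]
    reach, exposed = who_can_reach_pnp(host), ports_exposed_to_untrusted(host)
    reasons = [f"reachable by: {reach}"]
    if reach == "anonymous remote" and exposed:
        urgency = "critical"
    elif reach.startswith("remote") and exposed:
        urgency = "high"
    elif reach.startswith("anonymous") or reach.startswith("remote"):
        urgency = "medium"  # still remotely reachable, but only from trusted networks
    else:
        urgency = "low"     # XP SP2 / Server 2003: local users or administrators only
    reasons.append("139/445 reachable from untrusted networks" if exposed else "139/445 filtered")
    if host.domain_member and host.guest_enabled:
        reasons.append("Guest still enabled after domain join: disable it")
    return urgency, reasons
```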
Microsoft has released patches at the following links:
Version 4, August 15, 2005, 8:37 AM: Microsoft has re-released a security advisory to address malicious code exploiting the Microsoft Windows plug and play remote code execution vulnerability.
Version 3, August 12, 2005, 9:40 AM: Microsoft has released a security advisory to address publicly available exploit code for the Microsoft Windows plug and play remote code execution vulnerability.
Version 2, August 10, 2005, 10:21 AM: US-CERT has released a technical cyber security alert and vulnerability note to address the Microsoft Windows plug and play remote code execution vulnerability.
Version 1, August 9, 2005, 4:47 PM: The Microsoft Windows Plug and Play service contains a buffer overflow vulnerability that could allow the execution of arbitrary code with elevated privileges. Patches are available.
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.