
CVE-2005-0551

Published: 2017-03-24
This essay was submitted by one of our students and does not represent our expert-level writing.

CVE-2005-0551 is a privilege elevation vulnerability. On successful exploitation, an attacker can take complete control of the attacked system and act exactly as its administrator would.

Privilege checking can be defined as the process of verifying permissions before allowing an action (such as accessing a protected resource). The user supplies an identity for validation; on Windows, the logged-in user's credentials serve as that identity when access to resources (for example, kernel functions) is decided.

The act of gaining access to protected resources by exploiting a bug or design flaw in a software application is normally referred to as privilege escalation.

Privilege elevation is a special kind of privilege escalation, also referred to as vertical privilege escalation, in which a low-privileged user accesses resources reserved for a high-privileged user. One example is a terminal user of a server installing or uninstalling programs on the machine he has logged in to. A product bug may grant higher permissions than the user is meant to have when the application is given specially crafted input; a buffer or stack overflow can also lead to this kind of attack.

CVE-2005-0551:

An application that provides console window information with a long FaceName value can cause a buffer overflow in WINSRV.dll within the csrss.exe process. An attacker can exploit this vulnerability by designing an application that triggers the overflow, and thereby gain elevated permissions.

CVE (Common Vulnerabilities and Exposures) provides the following description for CVE-2005-0551: “Stack-based buffer overflow in Winsrv.dll in the client server runtime system process of Windows NT4 operating systems allows local users to gain privileges via a specially designed application that provides console window information with a long FaceName value”.

CSRSS:

The Client/Server Runtime Subsystem (csrss.exe) is a component of the Microsoft Windows NT operating system. CSRSS provides the user-mode side of the Win32 subsystem and is mainly responsible for Win32 console applications and threading.

Buffer Overflow vulnerability:

Whenever a program attempts to store data beyond the boundaries of a fixed-length buffer, the data overwrites adjacent memory locations. Sometimes it overwrites adjacent buffers, sometimes variables, and in the worst case the program's control flow, which may cause the process to crash or produce incorrect results. A buffer overrun may also trigger the execution of malicious code if the attacker has designed the input to do so.

Stack based exploitation:

The stack is overflowed by passing an argument larger than the variable allocated for it in the stack segment. By trying inputs repeatedly (a brute-force approach), an attacker may at some point reach the place where a system command is invoked, and the parameter values passed to the function could then actually be a program, or a pointer to a function, containing malicious code.

Scale and scope of the vulnerability:

An attacker can exploit this vulnerability only if he has at least local user permissions on the machine he wants to attack; unless he can log on to the machine, he cannot exploit it. Terminals kept for public access are the most exposed. The attacker cannot attack the machine over the Internet or from another remote location; he must be a local user of that machine. An anonymous user cannot exploit this vulnerability because he cannot log in to the machine and run the crafted application.

To exploit the vulnerability, the attacker first logs in to the machine with his own credentials and then runs a specially designed application. This stack-based vulnerability is exposed by crashing the csrss.exe process, which happens when a FaceName longer than 32 bytes is supplied.

Once the attack succeeds, the attacker gains complete control over the machine and can act as its administrator. He is free to add and remove programs, add new users to the machine's groups, remove existing users, alter users' permissions, delete critical data on the machine, add malicious content to existing data, and so on. Mitigating this vulnerability is very important because the impact would be huge on servers that host terminal clients.

The fact that remote users cannot exploit this vulnerability reduces its attack surface, but the issue remains very important from a security standpoint.

Microsoft systems it affects:

The exploit can happen on the following Microsoft systems: Windows 2000, Windows XP SP1, Windows XP SP2, and Windows Server 2003.

This vulnerability is not present in Windows Vista, Windows Server 2008 and Windows 7, even though the csrss.exe process runs on those systems.

Level of threat posed by this vulnerability to Microsoft Systems:

An attacker can exploit this vulnerability to gain unauthorized access to the machine's resources. Once the exploitation succeeds he has full access to the machine and is free to alter its configuration and settings. He can add new users to the machine's groups, remove users from groups, cause a denial of service (since authenticated users can no longer use the services the system provides), add new programs (for example sniffers that secretly capture users' data and send it to the attacker), remove installed programs, access and delete key files, and access and remove databases residing on the machine.

How does the exploit function?

The attacker logs in to a terminal he has access to with his own (limited) local user credentials. He then runs a specially designed application that causes a stack overflow in winsrv.dll within the csrss.exe process. After running the application successfully, the attacker gains complete control over the targeted machine.

How is the exploit code delivered to the target system?

This attack cannot be performed remotely: the attacker cannot be an Internet or remote user, and the system cannot be affected merely by being connected to the Internet. The attack is possible only if the attacker is a local (limited-access) user of the targeted machine, and its aim is to gain unauthorized access to resources for which he has no permissions. The exploit code is delivered to the target system by copying the specially crafted application from removable media or from a mail attachment; the attacker does this himself, knowingly, to gain control over the targeted machine.

Managing/mitigating this vulnerability:

This vulnerability can be mitigated by downloading and installing the updates available at http://www.microsoft.com/technet/security/bulletin/ms05-018.mspx. A common guideline is to always turn on automatic updates, so that new updates are downloaded and installed from Microsoft automatically.

Limiting user accounts to authenticated users can mitigate the problem, though not completely. Servers are not at risk unless non-administrative users are permitted to log in to the server and run programs, which is not the recommended best practice for configuring a server.

Restricting console access at risky terminals can mitigate the problem and reduce its attack surface. This is a trade-off between the capability we provide and the security we want.

References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0551

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=230

http://en.wikipedia.org/wiki/Privilege_escalation

http://www.watchguard.com/infocenter/editorial/135144.asp

CVE-2005-0551 is a stack-based buffer overflow in winsrv.dll in the Client Server Runtime System (csrss) process of Windows NT4 systems (Windows 2000, Windows XP SP1 and SP2, Windows Server 2003). An attacker exploits the vulnerability on the targeted system and gains unauthorized access to its resources.

Running a specially designed application to exploit this vulnerability on the Windows NT4 systems mentioned above, and thereby gaining access to resources the user is not authorized for, is precisely privilege elevation.

Privilege elevation is a type of privilege escalation; the Wikipedia definition of privilege elevation is “A lower privileged user accesses functions, and other resources such as files etc reserved for higher privilege users”. A lower-privileged user of the targeted system exploits the vulnerability to gain control over the administrator's resources on the machine, or to read other users' content that he is not supposed to see.

On successful exploitation, the local unauthorized (non-admin) user can access the system drive, add and remove programs, start new processes, alter the configuration, add new accounts to the machine, remove users, change the machine's access rights, change user privileges, and so on.

Applications are often designed to accept input from the user through a console (typed text), i.e. a character-based user interface. The Win32 API (application programming interface) offers this, and the code behind the feature resides in the csrss process, a core system process that manages the Microsoft Client/Server Runtime Server Subsystem.

Winsrv.dll is responsible for creating, deleting and managing console windows; the code in this DLL handles these operations. Winsrv.dll contains the Win32 user routines and the graphics engine (GDI) routines. When the Properties item is selected from the system menu of a console window, a CONSOLE_STATE_INFO structure (a data structure holding the console window's properties) is copied into a file-mapping object. This structure contains a null-terminated string specifying the name of the font, FaceName[32]. This string is copied into a fixed-size stack buffer without any sanity checking; the wcscpy() function performs the copy. By supplying a string longer than 32 bytes, the vulnerability can be triggered (it is nothing but a stack-based buffer overflow).
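As an added illustration (not code from the page, from Microsoft or from winsrv.dll), the following C fragment contrasts the unchecked wcscpy() pattern described above, and the oversized FaceName mentioned earlier under "Scale and scope of the vulnerability", with a bounded copy that refuses any name that does not fit the 32-character field together with its terminator. The buffer size follows the page's FaceName[32]; the function names, the helper and the sample names are assumptions constructed for this example, and the real CONSOLE_STATE_INFO layout is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Size of the font-name field as the page describes it: FaceName[32],
 * NUL-terminated, so at most 31 payload characters (assumed layout). */
#define FACENAME_LEN 32

/* The defective pattern the page describes: the caller-controlled string is
 * copied into a fixed-size stack buffer with wcscpy() and no length check,
 * so any name of 32 or more characters writes past the buffer.
 * Shown for contrast only; never call it with untrusted input. */
void copy_facename_unchecked(wchar_t dst[FACENAME_LEN], const wchar_t *src)
{
    wcscpy(dst, src);
}

/* Length of s, counting at most 'max' characters, so an unterminated
 * source cannot make the validator read past it either. */
static size_t bounded_wlen(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened form: check that the name plus its terminator fits, refuse
 * anything else, and copy exactly the validated length. */
bool copy_facename_checked(wchar_t dst[FACENAME_LEN], const wchar_t *src)
{
    size_t n = bounded_wlen(src, FACENAME_LEN);
    if (n >= FACENAME_LEN) {        /* 31 characters is the most that fits */
        dst[0] = L'\0';             /* leave a well-formed empty name behind */
        return false;
    }
    memcpy(dst, src, n * sizeof(wchar_t));
    dst[n] = L'\0';
    return true;
}

/* Builds a constructed name of 'len' repeated characters into out,
 * which must hold len + 1 wide characters. */
static void make_name(wchar_t *out, size_t len, wchar_t ch)
{
    for (size_t i = 0; i < len; i++)
        out[i] = ch;
    out[len] = L'\0';
}

/* Result helpers: each returns 1 on the expected outcome, 0 otherwise. */
int checked_accepts_short_name(void)
{
    wchar_t buf[FACENAME_LEN];
    bool ok = copy_facename_checked(buf, L"Lucida Console");   /* constructed sample */
    return ok && wcscmp(buf, L"Lucida Console") == 0;
}

int checked_accepts_31_chars(void)
{
    wchar_t buf[FACENAME_LEN], name[FACENAME_LEN];
    make_name(name, FACENAME_LEN - 1, L'A');                   /* largest valid name */
    return copy_facename_checked(buf, name) && wcslen(buf) == FACENAME_LEN - 1;
}

int checked_rejects_32_chars(void)
{
    wchar_t buf[FACENAME_LEN], name[FACENAME_LEN + 1];
    make_name(name, FACENAME_LEN, L'A');                       /* exactly one too many */
    return !copy_facename_checked(buf, name) && buf[0] == L'\0';
}

int checked_rejects_long_name(void)
{
    wchar_t buf[FACENAME_LEN], name[4 * FACENAME_LEN];
    make_name(name, 4 * FACENAME_LEN - 1, L'A');               /* the oversized case the page describes */
    return !copy_facename_checked(buf, name);
}

int main(void)
{
    printf("short name accepted: %d\n", checked_accepts_short_name());
    printf("31 chars accepted:   %d\n", checked_accepts_31_chars());
    printf("32 chars rejected:   %d\n", checked_rejects_32_chars());
    printf("long name rejected:  %d\n", checked_rejects_long_name());
    return 0;
}
```

The design point is that the bound is enforced by the receiver of the data, not trusted from the sender: the length is measured against the destination's capacity before anything is written, and the copy uses the measured length rather than the source's terminator. A caller-side check alone would not have helped here, because the string arrives through a file-mapping object from a less-privileged process.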

Once the attack succeeds the targeted system is fully compromised, and the attacker gains full permissions on every resource available to the administrator of the box.

He can then add and remove programs, install sniffers (spyware that listens to other users' activity), delete sensitive content on the system, add new users (he can create an administrator account for himself so that he need not repeat the attack to regain control), disable other user accounts so that their owners cannot log in, remove other users' permissions on certain resources, and so on.

The scope of the vulnerability is high because a non-admin user can obtain administrative permissions on the targeted system. Once an unauthorized user gains such access the system must be considered compromised, and every other attack becomes possible on it. The system is no longer secure to use and it is highly recommended not to use it. It is also hard for the administrator to discover that the system is compromised unless he notices some damage; in the meantime the attacker can listen in on other authenticated users' sessions through the spyware he installed.

The attack is not possible from the Internet or any other remote location. It can only happen if the user is in the machine's local user group (i.e. has some level of access to that machine). Unauthorized users who cannot log in to the machine cannot exploit it and compromise the system, and an attacker cannot load or run a program remotely by exploiting this vulnerability.

An attacker who wants to exploit the vulnerability first needs to log in with his credentials and then run the specially designed application (the font name value must be more than 32 bytes long to cause the stack overflow; this is the field that must be built to gain control over the machine). On successful exploitation, the attacker gains control over the targeted machine. Servers that provide terminal client sessions are more prone to this attack than ordinary server and client configurations.

The machines that are exposed to the attack are:

Windows Server 2003

Windows Server 2000

Microsoft Windows XP 32-bit edition (SP1 and SP2), and

machines whose ntoskrnl.exe version is lower than 5.1.2600.2622, i.e. on which the patch KB890851 has not been installed.

Microsoft released a patch (hotfix) for this problem. Windows machines exposed to this attack should install the patch KB890851 to mitigate the problem.
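The list above ties exposure on Windows XP to the ntoskrnl.exe file version being lower than 5.1.2600.2622. As an added example (not from the page or from Microsoft), the following C code compares a four-part file version string against that threshold numerically rather than as text, which is the check an inventory script needs once it has read the version out of the file's properties. The function names and the sample version strings are constructed for this example; only the threshold 5.1.2600.2622 and the KB890851 name come from the page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Four-part Windows file version: major.minor.build.revision */
typedef struct {
    unsigned long part[4];
} file_version;

/* Parses "5.1.2600.2622" into its four numeric parts. Returns false on
 * anything other than exactly four dot-separated unsigned integers. */
bool parse_file_version(const char *s, file_version *out)
{
    for (int i = 0; i < 4; i++) {
        char *end;
        if (*s < '0' || *s > '9')      /* strtoul alone would accept "+", " " etc. */
            return false;
        out->part[i] = strtoul(s, &end, 10);
        if (i < 3) {
            if (*end != '.')
                return false;
            s = end + 1;
        } else if (*end != '\0') {     /* trailing junk or a fifth part */
            return false;
        }
    }
    return true;
}

/* Part-by-part numeric comparison: <0, 0 or >0 in the manner of strcmp. */
int compare_file_version(const file_version *a, const file_version *b)
{
    for (int i = 0; i < 4; i++) {
        if (a->part[i] < b->part[i]) return -1;
        if (a->part[i] > b->part[i]) return 1;
    }
    return 0;
}

/* Version the page names as the fixed ntoskrnl.exe on Windows XP (KB890851). */
#define FIXED_NTOSKRNL_VERSION "5.1.2600.2622"

/* 1 = observed version is below the fixed one (patch missing),
 * 0 = at or above it, -1 = the version string could not be parsed. */
int ntoskrnl_below_fixed_version(const char *observed)
{
    file_version seen, fixed;
    if (!parse_file_version(observed, &seen) ||
        !parse_file_version(FIXED_NTOSKRNL_VERSION, &fixed))
        return -1;
    return compare_file_version(&seen, &fixed) < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample values, not readings from real machines. */
    const char *samples[] = { "5.1.2600.2180", "5.1.2600.2622",
                              "5.1.2600.10000", "5.1.2600" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], ntoskrnl_below_fixed_version(samples[i]));
    return 0;
}
```

Two caveats belong with this check. First, a plain string comparison would rank a revision such as 10000 below 2622 because "1" sorts before "2"; the numeric comparison avoids that. Second, the threshold is meaningful only for the XP kernel line (major.minor 5.1): the page also lists Windows 2000 and Windows Server 2003 as affected, and their kernels carry different major.minor numbers, so an inventory script should first match the product and then apply the threshold that product's bulletin gives.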

This update removes the vulnerability by modifying the way messages are validated before they are passed to the required components.

The best practices to follow to avoid these kinds of attacks are:

Keep patches up to date, i.e. always turn on Windows Update and allow new security updates to be installed. Configuration settings should be set aggressively: although they limit what users can do, the system will be more secure.

Restrict console access on public terminals where security is a concern. This can be accomplished by creating the following registry key:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

Add a DWORD named DisableCMD with the value "1" to disable the command prompt and batch files, or the value "2" to disable the command prompt but allow batch files.

References:

http://www.microsoft.com/technet/security/bulletin/ms05-018.mspx

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=230

http://en.wikipedia.org/wiki/Privilege_escalation

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0551

http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1822

https://downloads.bsi-fuer-buerger.de/produkte/bosscd/boss2/doc/mitre/CAN/2005/0551.html

http://www.vupen.com/english/Reference-CVE-2005-0551.php
