COMMAND

    Multiple UNC Provider (MUP) overlong request kernel overflow

SYSTEMS AFFECTED

    Microsoft Windows NT 4.0
    Microsoft Windows 2000
    Microsoft Windows XP

PROBLEM

    In Nsfocus Security Team [security@nsfocus.com] advisory [http://www.nsfocus.com]:

    When applications on a Microsoft Windows NT/2000/XP system send a UNC request (i.e. \\ip\sharename) to access files on other hosts, the operating system passes the request to the Multiple UNC Provider (MUP) for processing. MUP passes the request to several redirectors and subsequently selects an appropriate redirector according to their responses. MUP is implemented by mup.sys in the kernel.

    When receiving a UNC file request, MUP first saves it in a kernel buffer, which has a size of UNC request length + 0x1000 bytes. Before sending the request to a redirector, MUP copies it to the buffer again, appending it behind the original one. If the file request is longer than 0x1000 bytes, the copy overwrites memory outside of the buffer. Usually, some management data structures are stored at the border of dynamically allocated memory. An attacker might modify arbitrary kernel memory content by overwriting this data and waiting until the kernel allocates/frees the memory.

    By exploiting this vulnerability successfully, a local attacker could obtain Local SYSTEM or any other privilege.

SOLUTION

    Patches are available at:

    Microsoft Windows NT 4.0:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37630

    Microsoft Windows NT 4.0 Terminal Server Edition:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37652

    Microsoft Windows 2000:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37555

    Microsoft Windows XP:
        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37583
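The size arithmetic from the PROBLEM description, as an added example in C that is not code from the advisory or from mup.sys: a user-mode model that sizes the staging buffer either as described (request length + 0x1000) or for both copies, and uses a bounds-checked append so an oversized request is rejected instead of written past the buffer. All names (SLACK, sample_req, overrun_bytes, append_checked, stage_request) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SLACK 0x1000u /* extra bytes added to the request length, per the advisory */

enum sizing { SIZING_ADVISORY, SIZING_BOTH_COPIES };

unsigned char sample_req[0x2000]; /* constructed sample request bytes (all zero) */

/* Bytes the second copy would land past a (len + 0x1000)-byte buffer. */
size_t overrun_bytes(size_t len)
{
    return len > SLACK ? len - SLACK : 0;
}

/* Append only if the data fits in the remaining space; never writes out of bounds. */
static int append_checked(unsigned char *buf, size_t cap, size_t *used,
                          const unsigned char *src, size_t len)
{
    if (*used > cap || len > cap - *used)
        return -1;
    memcpy(buf + *used, src, len);
    *used += len;
    return 0;
}

/* Store the request, then store it again behind the first copy.
 * Returns total bytes staged, or 0 if the request was rejected. */
size_t stage_request(const unsigned char *req, size_t len, enum sizing mode)
{
    if (req == NULL || len == 0 || len > SIZE_MAX / 2 - SLACK)
        return 0;                         /* size arithmetic would wrap */
    size_t cap = (mode == SIZING_ADVISORY) ? len + SLACK : 2 * len;
    unsigned char *buf = malloc(cap);
    size_t used = 0;
    if (buf == NULL)
        return 0;
    if (append_checked(buf, cap, &used, req, len) != 0 ||
        append_checked(buf, cap, &used, req, len) != 0)
        used = 0;                         /* second copy did not fit: reject */
    free(buf);
    return used;
}
```

With the advisory's sizing, a request of exactly 0x1000 bytes still fits twice; one byte more is rejected by the check rather than overrunning the allocation.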