6th Apr 2003 [SBWID-6107]
COMMAND
	Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability
SYSTEMS AFFECTED
	 Microsoft Windows XP
	 Microsoft Windows XP SP1
PROBLEM
	NSFOCUS Security Advisory (SA2003-01)
	Topic: Microsoft Windows XP Redirector Local Buffer Overflow
	Vulnerability
	Release Date: 2003-3-27
	CVE CAN ID: CAN-2003-0004
	
	Affected system:
	===================
	
	 - Microsoft Windows XP
	 - Microsoft Windows XP SP1
	
	Summary:
	=========
	
	NSFOCUS Security Team has found a buffer overflow vulnerability in the
	Microsoft Windows XP Redirector. By exploiting the vulnerability, local
	attackers could crash the system or gain local system privileges with
	carefully crafted code.
	
	Description:
	============
	
	The Windows Redirector is used to access files, whether local or
	remote. It is used to access network shares with the net use command.
	A security vulnerability exists in the Windows Redirector on Windows
	XP. An unchecked length in the handling of received parameter
	information causes a buffer overflow. By exploiting the vulnerability, a
	non-privileged user could cause the system to blue screen and reboot. If
	the code is carefully crafted, attackers could execute arbitrary commands
	with system privileges. At present no remote exploitation method has
	been found.
	Only Windows XP is vulnerable to the issue. Windows NT 4.0, Windows NT
	4.0 Terminal Server Edition, and Windows 2000 do not contain the
	vulnerable code and are not affected by this vulnerability.
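	
	The class of defect described above, shown from the fixing side as an
	added example: this is not code from the advisory, from NSFOCUS or from
	Windows. The function name unc_parse, the struct and the two size limits
	are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits for this example (not taken from the advisory):
 * 255 bytes for a host name, 80 bytes for a share name. */
#define MAX_SERVER_LEN 255
#define MAX_SHARE_LEN   80

enum unc_status { UNC_OK = 0, UNC_BAD_PREFIX, UNC_EMPTY_PART,
                  UNC_SERVER_TOO_LONG, UNC_SHARE_TOO_LONG };

struct unc_name {
    char server[MAX_SERVER_LEN + 1];
    char share[MAX_SHARE_LEN + 1];
};

/* Split "\\server\share" into fixed-size fields. Each component length is
 * measured and compared with the destination size before any byte is
 * copied, so an over-long component is rejected instead of overflowing. */
enum unc_status unc_parse(const char *path, struct unc_name *out)
{
    const char *server, *sep, *share;
    size_t server_len, share_len;

    if (path == NULL || out == NULL || strncmp(path, "\\\\", 2) != 0)
        return UNC_BAD_PREFIX;

    server = path + 2;
    sep = strchr(server, '\\');
    if (sep == NULL || sep == server)       /* no share, or empty server */
        return UNC_EMPTY_PART;
    server_len = (size_t)(sep - server);
    if (server_len > MAX_SERVER_LEN)
        return UNC_SERVER_TOO_LONG;

    share = sep + 1;
    share_len = strcspn(share, "\\");       /* stop at any sub-path */
    if (share_len == 0)
        return UNC_EMPTY_PART;
    if (share_len > MAX_SHARE_LEN)
        return UNC_SHARE_TOO_LONG;

    memcpy(out->server, server, server_len);
    out->server[server_len] = '\0';
    memcpy(out->share, share, share_len);
    out->share[share_len] = '\0';
    return UNC_OK;
}
```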
	
	Exploit:
	==========
	
	Enter the following command as a non-privileged user in the command
	line window:
	
	c:\> net use \\AAAA...AAA[about 1000-2000 'A' characters]\A
	
	Windows XP will blue screen or reboot immediately.
	Note: Attackers have to be able to log in interactively.
SOLUTION
	
	Workaround:
	===========
	
	 Prohibit untrusted users from logging in to your system.
	
	Vendor Status:
	==============
	
	Microsoft has issued a Security Bulletin (MS03-005) and the related
	patch.
	The detailed Microsoft Security Bulletin is available at:
	
	http://www.microsoft.com/technet/security/bulletin/ms03-005.asp
	
	Patches are available at:
	. Microsoft Windows XP 32-bit Edition:
	
	http://microsoft.com/downloads/details.aspx?FamilyId=33DABD1F-505E-48ED-B9BD-CDAC0F8A2BC1
	
	. Microsoft Windows XP 64-bit Edition:
	
	http://microsoft.com/downloads/details.aspx?FamilyId=A2258F4E-9A69-4537-9469-0DDEB4BB76F8
	
	
	Additional Information:
	========================
	The Common Vulnerabilities and Exposures (CVE) project has assigned the
	name CAN-2003-0004 to this issue. This is a candidate for inclusion in the
	CVE list (http://cve.mitre.org), which standardizes names for security
	problems. Candidates may change significantly before they become official
	CVE entries.
	DISCLAIMS:
	==========
	THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
	OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
	EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
	BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
	INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
	EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
	DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
	ADVISORY IS NOT MODIFIED IN ANY WAY.
	Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.
	NSFOCUS Security Team <[email protected]>
	NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
	(http://www.nsfocus.com)
	PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
	Key fingerprint = F8F2 F5D1 EF74 E08C 02FE  1B90 D7BF 7877 C6A6 F6DA