Title: Q311967: Unchecked buffer in the Multiple UNC Provider
Could Enable Code Execution
Date: 04 April 2002
- - Microsoft Windows NT 4.0 Workstation
- - Microsoft Windows NT 4.0 Server
- - Microsoft Windows NT 4.0 Server, Enterprise Edition
- - Microsoft Windows NT 4 Terminal Server Edition
- - Microsoft Windows 2000 Professional
- - Microsoft Windows 2000 Server
- - Microsoft Windows 2000 Advanced Server
- - Microsoft Windows XP Professional
Impact: Local privilege elevation and run code of attacker's
Recommendation: Administrators should consider applying the patch to
machines that allow unprivileged users to log onto them interactively
such as workstations and Terminal Servers.
Max Risk: Moderate
Bulletin: MS02-017

Microsoft encourages customers to review the Security Bulletin at:
- -
- ----------------------------------------------------------------------

The Multiple UNC Provider (MUP) is a Windows service that assists in
locating network resources that are identified via UNC (uniform
naming convention). The MUP receives commands containing UNC names from
applications and sends the name to each registered UNC provider, LAN Manager workstation, and any others that are installed. When a provider identifies a UNC name as its own, the MUP automatically redirects future instances of that name to that provider.

When MUP requests a file using the uniform naming convention (UNC), it
will allocate a buffer to store this request. There is proper input
checking in this first buffer. However, MUP stores another copy of
the file request in a buffer when it sends this request to a redirector. This second copy of the buffer does not check inputs correctly, thereby creating the possibility that a resource request to it from an unprivileged process could cause a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with Local System privileges.

Mitigating Factors:
- The MUP request can only be levied by a process on the local
system. As a result, the vulnerability could only be exploited by a user who could log onto an affected system interactively.
- On Windows 2000 systems, the vulnerability could not reliably be
used to run code. This is because the attacker would need to know where the buffer was located in memory, but in Windows 2000 this is not externally discoverable or controllable.
- Best practices suggests that unprivileged users not be allow to
interactively log onto business-critical servers. If this
recommendation has been followed machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Risk Rating:
- Internet systems: Low
- Intranet systems: Moderate
- Client systems: Moderate

Patch Availability:
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
for information on obtaining this patch.

- NSFOCUS at http://www.nsfocus.com