MS Workstation Service Vulnerability

August 13, 2009

The Microsoft Windows Workstation service is a service added in Windows XP, Windows Vista, Windows Server 2003 and later. It is started automatically to notify selected users and administrators of administrative alerts. If this service is disabled, any services that explicitly depend on it will fail to start.

The Workstation Service is exposed through a DCE-RPC interface, and its numerous methods can be called by other processes through the Remote Procedure Call (RPC) interface (UUID: 6bffd098-a112-3610-9833-46c3f87e345a). The interface is reachable through several endpoints and transports, such as "wkssvc". Once the interface has been bound through a transport, the caller can invoke the RPC methods it provides.
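The bind step described above, as an added example that is not part of the original post: a small Python helper that builds a constructed DCE/RPC bind PDU for the wkssvc interface UUID, and a parser that recovers the requested interface from such a PDU, which is the check a network monitor or IPS makes before it inspects the call itself. The NDR transfer-syntax UUID is assumed from the DCE/RPC specification; all traffic is constructed inline.

```python
import struct
import uuid

# Interface UUID of the Workstation Service, as given in the post.
WKSSVC_UUID = uuid.UUID("6bffd098-a112-3610-9833-46c3f87e345a")
# NDR transfer syntax (assumed well-known value) used to fill the bind PDU.
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# Constructed, non-wkssvc interface used only for comparison.
OTHER_IFACE = uuid.UUID(int=1)
DCERPC_BIND = 11  # ptype of a bind PDU in the DCE/RPC common header


def build_bind(interface, if_version=1, call_id=1):
    """Build a constructed, little-endian DCE/RPC v5 bind PDU that asks for one
    presentation context on `interface` (sample traffic, not a capture)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                  # p_cont_id, n_transfer_syn, reserved
    ctx += interface.bytes_le + struct.pack("<I", if_version)
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0)           # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0) + ctx          # n_context_elem + padding
    header = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


def bind_interfaces(pdu):
    """Return [(interface_uuid, version), ...] requested by a bind PDU.
    The UUID's first three fields are byte-swapped on the wire when the
    sender's data representation is little-endian, so decode via bytes_le."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != DCERPC_BIND:
        return []
    little_endian = (pdu[4] >> 4) == 1                  # integer rep nibble of packed_drep
    fmt = "<I" if little_endian else ">I"
    found, off = [], 28
    for _ in range(pdu[24]):                            # n_context_elem
        if off + 24 > len(pdu):
            break                                       # truncated context list
        n_transfer = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw)
        version = struct.unpack(fmt, pdu[off + 20:off + 24])[0]
        found.append((iface, version))
        off += 24 + 20 * n_transfer                     # skip the transfer syntaxes
    return found


def is_wkssvc_bind(pdu):
    """Detection check: does this bind PDU request the wkssvc interface?"""
    return any(iface == WKSSVC_UUID for iface, _ in bind_interfaces(pdu))
```

Matching the raw UUID bytes as they appear in the dotted string would miss the bind, because the first three fields are reversed on the wire; the parser above shows that byte order explicitly.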

The Workstation Service provides multiple methods through its RPC interface. These methods perform tasks such as querying user information and joining or changing domains, among other things. A list of some of the supplied methods is shown below:

  • NetrGetJoinInformation
  • NetrJoinDomain2
  • NetrWkstaGetInfo
  • NetrWkstaSetInfo

The NetrGetJoinInformation method, which is listed above, retrieves information about the workgroup or domain to which the specified computer is joined. According to the MSDN Windows API definition, the syntax of the NetrGetJoinInformation method is defined as below:

  unsigned long NetrGetJoinInformation(
      [in, string, unique] WKSSVC_IMPERSONATE_HANDLE ServerName,
      [in, out, string] wchar_t** NameBuffer,
      [out] PNETSETUP_JOIN_STATUS BufferType
  );

A double-free vulnerability exists in vulnerable versions of the Microsoft Windows Workstation service. Specifically, it is caused by improper handling of NetrGetJoinInformation requests that carry a specially crafted NameBuffer value.

Remote authenticated attackers can exploit this vulnerability to inject and execute arbitrary code with the privileges of the affected service, which is SYSTEM by default.

The SonicWALL UTM research team has released an IPS signature that detects and blocks generic attack attempts targeting this issue. The IPS signature is listed below:

  • 4288 MS Windows Workstation Service Memory Corruption Attempt (MS09-041)

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1544. Microsoft has referenced this vulnerability in its security advisory MS09-041.