We released security update MS12-054 to address four privately reported issues in Windows networking components failing to properly handle malformed Remote Administration Protocol (RAP) responses. The most severe of these issues, CVE-2012-1851, is a format string vulnerability in the printer spooler service while handling a response message and is a wormable-class vulnerability on Windows XP and Windows Server 2003. At least, sort of wormable. This blog post will explain the attack scenario and the limited affected platforms to help you assess the risk this vulnerability poses to your environment.

What is the RAP protocol?

Windows workgroups and domains maintain a lookup list of network resources such as printers, SQL servers, and file servers. Each time a new resource becomes available (such as a new printer being shared or a SQL Server booting up), the server hosting the resource notifies the subnet’s master browser (or backup browser). Any application or workstation that needs a specific type of resource can then query its subnet’s master browser or backup browser to respond with a list of resources of the requested type. The MSDN NetServerEnum documentation explains how an application can query the subnet browser for network resources and the type of resources available to be queried. Amongst other uses, the Remote Administration Protocol (RAP) is the protocol included with Windows to perform these types of administrative functions. 

Potential Attack Scenario

All four vulnerabilities addressed by MS12-054 are client-side parsing issues of malformed RAP responses. To trigger the vulnerability by sending a malicious response, an attacker would need to either act as a subnet’s browser or populate the legitimate master/backup browser’s lookup table with malformed records which would be relayed to clients when they request a resource of a certain type. Windows XP users face the most significant risk from these vulnerabilities, as indicated in the affected products chart at the end of this blog post. A commonly exercised user experience path that initiates a NetServerEnum call (and subsequent RAP request) is the Windows XP “View workgroup computers” link in the “My Network Places” dialog box, shown below:

 

How is this “wormable”?

In addition to the "My Network Places" user-initiated scenario above, several "on-by-default" scenarios also exist on Windows XP.  For example, winlogon initiates a request using this protocol to find domain controllers.  The client-side group policy component also initiates RAP requests to which a malicious subnet browser could return a malformed attack response.  CVE-2012-1851, as an example, involves the print spooler service on Windows XP and Windows Server 2003, a service that regularly polls/queries the subnet browser for a list of shared printers.  It would be "wormable" given the following conditions:

  • Victim workstations running Windows XP or Windows Server 2003
  • Attacker is capable of being elected master browser on the victim’s subnet
      OR
    Attacker is able to populate the real master browser’s printer list with a malformed record
      AND
    Print Browsing group policy option is enabled on the real master browser.
  • Workstation Service (LanMan) running on victim workstation.
  • Printer spooler service running on victim workstation.

Every two minutes, the victim’s print spooler service will call the NetServerEnum API to enumerate shared, available printers. This instructs the Workstation service to initiate a RAP request over SMB to the subnet's browser. The subnet browser could then potentially send back a malformed response which would be passed to the spooler service, triggering the vulnerability. The chart below describes the flow.

Affected Platforms

The affected platforms list is full of good news for customers that have migrated to newer versions of Windows. First, two of the vulnerabilities (CVE-2012-1852 and CVE-2012-1853) affect only Windows XP. The vulnerability affecting the Browser service (CVE-2012-1850) is rated Moderate on Vista and later platforms because the Browser service is off by default starting with Windows Vista. And, finally, the print spooler service code execution vulnerability (CVE-2012-1851) manifests only as a denial-of-service on Windows Vista and does not affect later platforms at all in their default configuration.

The table below summarizes the risk per platform:

  Windows XP Windows Server 2003 Windows Vista Windows 7 Windows Server 2008 & Windows Server 2008 R2
CVE-2012-1850 Denial of Service. Denial of Service. Not affected by default. (Browser service disabled) Not affected by default. (Browser service disabled) Not affected by default. (Browser service disabled)
CVE-2012-1851 Potential code execution as SYSTEM. Potential code execution as SYSTEM. Denial of Service. Not affected by default. (Browser service disabled) Not affected by default. (Browser service disabled)
CVE-2012-1852 Potential code execution as logged-on user or service account, depending on vector. Not affected. Not affected. Not affected. Not affected.
CVE-2012-1853 Potential code execution as logged-on user or service account, depending on vector. Not affected. Not affected. Not affected. Not affected.

We hope this information helps you assess the risk of this “sort of wormable” issue in your environment. Please let us know if you have any questions.

- Jonathan Ness, Neil Sikka, and Gangadhara Swamy, MSRC Engineering