Alert: Microsoft Security Bulletin - MS02-045

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 08/23/02

Date: Thu, 22 Aug 2002 20:10:58 -0400
From: Russ <Russ.Cooper@RC.ON.CA>

Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)

Originally posted: August 22, 2002


Who should read this bulletin: Customers using Microsoft® Windows NT®, Windows® 2000 and Windows XP.

Impact of vulnerability: Denial of service.

Maximum Severity Rating: Moderate

Recommendation: Administrators should consider installing the patch.

Affected Software:
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Windows XP Professional

Technical description:

SMB (Server Message Block) is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what is described as a client-server, request-response protocol.

By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could use both a user account and anonymous access to accomplish this. Though not confirmed, it may be possible to execute arbitrary code.

Mitigating factors:
- An administrator can block this attack by turning off anonymous access. However, this does not prevent legitimate users from exploiting this vulnerability.
- An administrator can block access to SMB ports from untrusted networks. By blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent this attack from untrusted parties. In a file and printing environment, this may not be a practical solution for legitimate users.
- An administrator can stop the Lanman server service, which prevents the attack, but again this may not be suitable on a file and print sharing server.

Vulnerability identifier: CAN-2002-0724

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
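
The perimeter mitigation in the bulletin (blocking TCP ports 445 and 139 from untrusted networks) can be verified by an administrator from a host on the untrusted side. The Python below is an added example, not part of the bulletin or the NTBugtraq post; the function names, the timeout and the command-line usage are assumptions.

```python
import socket

SMB_PORTS = (139, 445)  # the two TCP ports the bulletin says to block


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: SMB port is exposed
    except ConnectionRefusedError:
        return "closed"      # RST came back: host reachable, nothing listening
    except socket.gaierror:
        raise                # a bad host name is an input error, not a result
    except OSError:
        return "filtered"    # timeout or unreachable: dropped along the path
    finally:
        s.close()


def audit(hosts, ports=SMB_PORTS, timeout=2.0):
    """Return {host: {port: state}} for every host/port pair."""
    return {h: {p: probe(h, p, timeout) for p in ports} for h in hosts}


def exposed(report):
    """List the (host, port) pairs that accepted a connection."""
    return sorted((h, p) for h, states in report.items()
                  for p, state in states.items() if state == "open")


if __name__ == "__main__":
    import sys
    findings = exposed(audit(sys.argv[1:]))
    for host, port in findings:
        print(f"{host}:{port} reachable: perimeter block not effective")
    sys.exit(1 if findings else 0)
```

A "filtered" or "closed" result for both ports from the untrusted network is what the perimeter block should produce; the same check run from inside the file-and-print network is expected to report "open".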
