Re: MS03-043 Popup Messenger Service buffer-overflow

From: Jean-Baptiste Marchand (Jean-Baptiste.Marchand_at_HSC.FR)
Date: 10/19/03

    Date:         Sun, 19 Oct 2003 15:24:13 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    * Graham, Robert (ISS Atlanta) <rgraham@ISS.NET> [16/10/03 - 18:25]:

    > One of the interesting aspects of the Messenger bug is that the patch
    > disables the MS-RPC interface to the Messenger Service.

    Actually, the patch disables one of the two RPC interfaces that run in
    the Messenger service.

    The Messenger service runs two RPC services, that listen on the
    following endpoints:

    - \pipe\msgsvc named pipe (ncacn_np transport)
    - a dynamic UDP port (ncadg_ip_udp transport)

    Y:\>ifids -p ncacn_np -e \pipe\msgsvc \\.
    Interfaces: 42

    [...]

      17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
      5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

    Y:\>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
    Interfaces: 42

    [...]

      17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
      5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

    The vulnerability found by LSD apparently affects the second interface,
    which contains only one operation, NetrSendMessage. Ethereal has a
    dissector for this interface:

    http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/packet-dcerpc-messenger.c

    The MS03-043 patch completely removes support of the NetrSendMessage
    API. The server stub support was removed from msgsvc.dll (messenger
    service), as well as the client stub support, from wkssvc.dll
    (workstation service).

    Jean-Baptiste Marchand

    --
    Jean-Baptiste.Marchand@hsc.fr
    HSC - http://www.hsc.fr/
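
Added example, not part of the original post or of the ifids tool: a small parser for ifids transcripts in the format shown above that reports, per endpoint, whether the interface the post ties to NetrSendMessage is listed. The function names are hypothetical, the output format is assumed to match the post's, and a listing cut with "[...]" is treated as unable to prove absence.

```python
import re

# Interface the post identifies as carrying NetrSendMessage (the second one listed).
SEND_IF = "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"
CMD_RE = re.compile(r"ifids\s+-p\s+(\S+)\s+-e\s+(\S+)\s+(\S+)", re.I)
COUNT_RE = re.compile(r"^\s*Interfaces:\s*(\d+)\s*$", re.I)
IF_RE = re.compile(r"^\s*([0-9a-f-]{36})\s+v(\d+\.\d+)\s*$", re.I)

# Transcript copied from the post; "[...]" marks where its author cut the listing.
SAMPLE = r"""Y:\>ifids -p ncacn_np -e \pipe\msgsvc \\.
Interfaces: 42
[...]
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
Y:\>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
Interfaces: 42
[...]
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
"""

def parse_ifids(transcript):
    """Split a transcript into one record per ifids run."""
    runs = []
    for line in transcript.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            runs.append({"transport": cmd.group(1), "endpoint": cmd.group(2),
                         "host": cmd.group(3), "declared": None, "interfaces": []})
        elif runs and COUNT_RE.match(line):
            runs[-1]["declared"] = int(COUNT_RE.match(line).group(1))
        elif runs and IF_RE.match(line):
            uuid, version = IF_RE.match(line).groups()
            runs[-1]["interfaces"].append((uuid.lower(), version))
    return runs

def audit(runs, uuid=SEND_IF):
    """Per endpoint: (transport, endpoint, listed, complete); a cut listing is not complete."""
    report = []
    for run in runs:
        listed = any(u == uuid.lower() for u, _ in run["interfaces"])
        complete = run["declared"] == len(run["interfaces"])
        report.append((run["transport"], run["endpoint"], listed, complete))
    return report

if __name__ == "__main__":
    for transport, endpoint, listed, complete in audit(parse_ifids(SAMPLE)):
        state = "exposed" if listed else ("not listed" if complete else "inconclusive")
        print(f"{transport:14} {endpoint:14} {state}")
```
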
    
