[NT] Services for UNIX 2.0 Suffer from a Remotely Triggered Memory Leak

From: support@securiteam.com
Date: 07/28/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Services for UNIX 2.0 Suffer from a Remotely Triggered Memory Leak
Message-Id: <20010728151829.38525138BF@mail.der-keiler.de>
Date: Sat, 28 Jul 2001 17:18:29 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Services for UNIX 2.0 Suffer from a Remotely Triggered Memory Leak
------------------------------------------------------------------------

SUMMARY

Among the components provided by Services for UNIX (SFU) 2.0 are services
that implement the NFS (Network File System) and Telnet protocols. Both
services contain memory leaks that could be triggered by a user request.
An attacker who repeatedly sent such a request could deplete the kernel
memory on the server to the point where performance slowed and the system
could potentially fail.

DETAILS

Affected software:
 * Microsoft Services for UNIX 2.0

Mitigating factors:
 - Only the implementations provided in SFU 2.0 are affected. In
particular, the Telnet services provided in Windows NT 4.0 and Windows
2000 are not affected by the vulnerability.
 - There is no capability via the vulnerability to usurp any
administrative control over the server or compromise any data on it.

Patch availability:
Download locations for this patch
 * NFS patch:
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31600
Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31592
 * Telnet patch:
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31601
Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31595

How are the vulnerabilities discussed in this bulletin related to each
other?
The vulnerabilities are only related in the sense that both affect
services that are included in Services for UNIX 2.0. Microsoft has
packaged them together to make it more convenient to find and apply them.

What is Services for UNIX?
 <http://www.microsoft.com/windows2000/sfu/> Services for UNIX (SFU) is a
set of components that can be installed on Windows NT 4.0 or Windows 2000
and make it easy for customers to integrate Windows into their existing
UNIX environments. It provides Windows-based implementations of common
UNIX tools and services, as well as providing tools that enable
administrators to manage more easily heterogeneous networks.

What are the vulnerabilities?
There are two vulnerabilities:
 * A vulnerability that could enable an attacker to cause the NFS service
in SFU 2.0 to fail.
 * A vulnerability that could enable an attacker to cause the Telnet
service in SFU 2.0 to fail.

What's the scope of the first vulnerability?
This is a denial of service vulnerability. An attacker who successfully
exploited it could prevent an affected system from providing file-sharing
services, and potentially cause the system itself to fail and require
rebooting. It would not provide any means of usurping control over the
system, nor would it enable the attacker to compromise any of the files on
the server.

What causes the vulnerability?
The vulnerability results because the NFS service in SFU 2.0 contains a
memory leak. If a particular type of malformed request were repeatedly sent
to an affected server, it could exhaust the memory on the server,
potentially causing the system to fail.

What is NFS?
Network File System (NFS) is an industry standard protocol, defined in
RFC 1094, that provides transparent, remote access to shared files across
networks. For instance, suppose that machines A, B and C all contained
data that was intended to be shared with all of the users on a network.
Using NFS, users would not need to know where the particular data resided
in order to navigate and use it. Instead, NFS would make it appear that
all of the data resided on a single, fictitious machine.

What's wrong with NFS service in SFU 2.0?
The NFS implementation in SFU 2.0 contains a memory leak that can be
triggered by a particular type of request to the service.

What's a memory leak?
A memory leak is a condition that occurs when a program does not properly
return memory to the operating system after it is done using it. One of the
chief purposes of an operating system is to broker resources like memory
among competing programs. When a program needs memory to carry out an
operation, the operating system provides it; when the program no longer
needs it, it should release the memory so the operating system can
allocate it to another program.

A memory leak occurs when a programming flaw prevents the program from
returning the memory when it is done using it. Rather than being made
available to the operating system again, the memory remains allocated to
the program even though it is no longer using it. If the leak occurs
enough times, it can deplete the pool of available memory on the server to
the point where the server becomes unresponsive or fails altogether.

What would this vulnerability enable an attacker to do?
An attacker could exploit this vulnerability as a means of preventing the
system from providing useful service to other users. Not only would the
memory leak prevent the NFS service from operating, it would slow the
overall performance of the system and could potentially cause it to fail
altogether.

What would be required in order to resume normal service?
The administrator would need to reboot the machine in order to free the
memory and resume normal operation.

Would the vulnerability allow the attacker to take any more serious
action?
No. Even though the vulnerability involves the NFS service, it would not
put any of the data in the file system at risk. The attacker could not use
the vulnerability to compromise any of the data, nor to gain any
privileges on the system.

Does the vulnerability affect any versions of SFU other than SFU 2.0?
No. It only affects the NFS service in SFU 2.0.

How does the patch eliminate the vulnerability?
The patch causes the NFS service in SFU 2.0 to correctly release all
allocated memory when it has finished using it.
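The two passages above (the explanation of what a memory leak is, and how the patch eliminates it) describe the classic shape of this bug class: a request handler allocates memory per request and one exit path, typically the error path taken for a malformed request, forgets to release it, so each such request permanently consumes a little more memory until the host degrades. The following C program is an added illustration written for this advisory; it is not SFU code, and the four-byte-length wire format, the handler names and the `live_bytes` counter are all constructed for the example. It shows a leaky handler next to the corrected single-exit-path version, and a driver that counts how many bytes remain allocated after a burst of malformed requests, which is the kind of signal (outstanding allocations growing without bound under load) that a defender would monitor on a real server through the OS's pool or heap counters.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not SFU code. A service allocates a buffer per
 * request and must release it on every exit path. */

/* Bytes currently allocated by the handlers. A real service would rely on
 * the OS pool/heap counters rather than a global like this. */
static size_t live_bytes = 0;

static void *req_alloc(size_t n) {
    void *p = malloc(n);
    if (p) live_bytes += n;
    return p;
}

static void req_free(void *p, size_t n) {
    free(p);
    live_bytes -= n;
}

/* Hypothetical wire format: 4-byte little-endian payload length, then the
 * payload. A request is malformed when it declares more than it carries. */
#define HDR_LEN 4
#define MAX_PAYLOAD 1024

static int parse_len(const uint8_t *req, size_t req_len, uint32_t *out) {
    if (req_len < HDR_LEN) return -1;
    *out = (uint32_t)req[0] | (uint32_t)req[1] << 8 |
           (uint32_t)req[2] << 16 | (uint32_t)req[3] << 24;
    return 0;
}

/* Leaky handler: the early return on a malformed request skips req_free. */
int handle_request_leaky(const uint8_t *req, size_t req_len) {
    uint32_t declared;
    if (parse_len(req, req_len, &declared) != 0 || declared > MAX_PAYLOAD) return -1;
    uint8_t *buf = req_alloc(declared);
    if (!buf) return -1;
    if (req_len - HDR_LEN < declared) {
        return -1;                 /* BUG: buf is never released */
    }
    memcpy(buf, req + HDR_LEN, declared);
    /* ... process buf ... */
    req_free(buf, declared);
    return 0;
}

/* Fixed handler: one exit path after allocation, so the buffer is always
 * released, on success and on the malformed path alike. */
int handle_request_fixed(const uint8_t *req, size_t req_len) {
    uint32_t declared;
    int rc = -1;
    if (parse_len(req, req_len, &declared) != 0 || declared > MAX_PAYLOAD) return -1;
    uint8_t *buf = req_alloc(declared);
    if (!buf) return -1;
    if (req_len - HDR_LEN >= declared) {
        memcpy(buf, req + HDR_LEN, declared);
        /* ... process buf ... */
        rc = 0;
    }
    req_free(buf, declared);
    return rc;
}

/* Send `count` copies of one constructed malformed request (header declares
 * 512 payload bytes, only 8 follow) and report bytes still allocated. */
size_t bytes_leaked_after(int (*handler)(const uint8_t *, size_t), int count) {
    uint8_t bad[HDR_LEN + 8] = { 0x00, 0x02, 0x00, 0x00 };
    live_bytes = 0;
    for (int i = 0; i < count; i++) handler(bad, sizeof bad);
    return live_bytes;
}

/* Sanity check: a well-formed request (4 declared bytes, 4 present) must
 * succeed and leave nothing allocated, for either handler. */
int handles_well_formed(int (*handler)(const uint8_t *, size_t)) {
    uint8_t good[HDR_LEN + 4] = { 0x04, 0x00, 0x00, 0x00, 'd', 'a', 't', 'a' };
    live_bytes = 0;
    return handler(good, sizeof good) == 0 && live_bytes == 0;
}

int main(void) {
    printf("leaky handler, 1000 malformed requests: %zu bytes outstanding\n",
           bytes_leaked_after(handle_request_leaky, 1000));
    printf("fixed handler, 1000 malformed requests: %zu bytes outstanding\n",
           bytes_leaked_after(handle_request_fixed, 1000));
    return 0;
}
```

The leaky version loses 512 bytes per malformed request, so a thousand requests leave 512,000 bytes outstanding and the figure grows linearly with the attacker's send rate, exactly the "if the leak occurs enough times" condition the advisory describes; the fixed version returns the same error code but leaves nothing allocated. Structuring the handler so that every path after the allocation flows through one release point is the standard way to make this class of bug impossible to reintroduce in later edits.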

What's the scope of the second vulnerability?
This is a denial of service vulnerability. The scope of this vulnerability
is similar to that of the vulnerability discussed above:
 * An attacker who successfully exploited it would be able to disrupt
normal service on the system, including potentially causing it to fail.
 * The vulnerability would not provide the attacker with the ability to
usurp any kind of administrative control over the system.
 * An affected system could be put back into service by rebooting.

What causes the vulnerability?
The vulnerability results because the Telnet service in SFU 2.0 contains a
memory leak that could be used to slow the performance of the system or
cause it to fail altogether.

Are there any differences between this vulnerability and the one affecting
the NFS service?
No. This vulnerability has exactly the same cause, effect, and remediation
as the one affecting the NFS service in SFU 2.0. The sole difference lies
in the specific services involved in the vulnerabilities.

Does this vulnerability affect the Telnet server that ships in Windows NT
4.0 or Windows 2000?
No. Both Windows NT 4.0 and Windows 2000 ship with a native Telnet server,
which is completely different from the one included in SFU 2.0. Neither
product is affected by this vulnerability.

How does the patch eliminate this vulnerability?
The patch eliminates the vulnerability by removing the memory leak
condition and ensuring that all memory is returned to the system when no
longer needed.

ADDITIONAL INFORMATION

The information has been provided by <mailto:secnotif@MICROSOFT.COM>
Microsoft Product Security and Peter Grundl.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
