[NT] New Attack Vectors and a Vulnerability Dissection of MS03-007
From: firstname.lastname@example.org To: email@example.com Date: 23 Mar 2003 16:19:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
The patch announced by Microsoft on 17 March 2003 fixed a security
vulnerability in the core of the Windows 2000 operating system. This flaw
was actively being exploited through WebDAV requests to Microsoft's
Internet Information Server 5. It must be stressed that IIS was simply the
attack vector: the method or route used to actually exploit the flaw. The
problem, however, is much wider in scope than machines running IIS alone.
Researchers at NGSSoftware have isolated many more attack vectors,
including Java-based web servers and other non-WebDAV related issues in
IIS. Because of this, NGSSoftware urges Windows 2000 users to apply the patch.
As far as the IIS vector is concerned, WebDAV requests do not limit the
length of the file name being requested. When processing a WebDAV-based
request, whether the method used is PROPFIND, LOCK, SEARCH or even GET
with the "Translate: f" header, the request is passed through a series of
functions, one of these being GetFileAttributesExW. Under the hood of
GetFileAttributesExW is a call to the RtlDosPathNameToNtPathName_U
function exported by ntdll.dll. This is where the actual vulnerability
RtlDosPathNameToNtPathName_U relies on unsigned shorts for string lengths.
As unsigned shorts are 16 bits in size, they can hold a number from 0 to
65535. If a string is 65536 bytes long, then the length of the string is
considered as being 1 byte long, whereas in fact the string is
considerably longer. The vulnerability exists because of this reliance on
unsigned shorts. GetFileAttributesExW is not the only function that
There are many:
As can be seen, most of these functions deal with the file system, and for
a piece of software to be a "suitable" attack vector an attacker must be
able to supply an arbitrarily long string to any one of these functions.
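The 16-bit length truncation described above, as an added example that is not code from the advisory or from ntdll.dll: the struct and function names are hypothetical stand-ins, byte counts exclude any terminator (so the wrapped values are exact modulo-65536 results), and the second function shows the check a length conversion needs in order to reject oversized input instead of wrapping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a counted string header (assumption of this
 * example): Length and MaximumLength are byte counts held in 16-bit
 * fields, and Buffer holds UTF-16 code units. */
typedef uint16_t WCHAR16;
typedef struct {
    uint16_t Length;        /* bytes in use */
    uint16_t MaximumLength; /* bytes allocated */
    WCHAR16 *Buffer;
} CountedString;

/* Models the flaw the advisory describes: a byte count stored into a
 * 16-bit field wraps modulo 65536, so 65536 reads back as 0 and 65537
 * as 1, while the real string is far longer. */
uint16_t wrapped_length(size_t byte_len) {
    return (uint16_t)byte_len;
}

/* Hardened form: reject rather than wrap. Returns false when a UTF-16
 * string of nchars code units cannot be described without loss. */
bool set_length_checked(CountedString *s, WCHAR16 *src, size_t nchars) {
    if (nchars > SIZE_MAX / sizeof(WCHAR16)) return false; /* mul overflow */
    size_t bytes = nchars * sizeof(WCHAR16);
    if (bytes > UINT16_MAX) return false; /* would wrap in a 16-bit field */
    s->Length = (uint16_t)bytes;
    s->MaximumLength = (uint16_t)bytes;
    s->Buffer = src;
    return true;
}

int main(void) {
    /* Constructed sample byte lengths around the 16-bit boundary. */
    size_t samples[] = { 100, 65535, 65536, 65537, 131073 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%zu bytes -> 16-bit field reads %u\n",
               samples[i], wrapped_length(samples[i]));

    static WCHAR16 buf[64];
    CountedString cs;
    printf("64 code units: %s\n",
           set_length_checked(&cs, buf, 64) ? "accepted" : "rejected");
    printf("40000 code units: %s\n",
           set_length_checked(&cs, buf, 40000) ? "accepted" : "rejected");
    return 0;
}
```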
Then other functions in different DLLs also rely on
These are some of the other DLLs that import this function:
Security researchers at NGSSoftware have already discovered several new
attack vectors and believe that many more will become known over the next
few weeks. There are too many ways for an attacker to "access" the
vulnerability. Likely areas are non-Microsoft web and FTP servers, IMAP
servers, anti-virus solutions and other Windows services. Consequently,
NGSSoftware believes that every Windows 2000 server or workstation should
be patched, and patched as soon as possible, regardless of whether the
box is running IIS or not.
Patch (All except Japanese NEC):
Patch (Japanese NEC):
The information has been provided by <mailto:email@example.com> David
This bulletin is sent to members of the SecuriTeam mailing list.