[NT] Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (MS04-006)

From: SecuriTeam (support_at_securiteam.com)
Date: 02/11/04

    To: list@securiteam.com
    Date: 11 Feb 2004 14:40:25 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in the Windows Internet Naming Service (WINS) Could Allow
    Code Execution (MS04-006)
    ------------------------------------------------------------------------

    SUMMARY

    A security vulnerability exists in the Windows Internet Naming Service
    (WINS). This vulnerability exists because of the method that WINS uses to
    validate the length of specially-crafted packets. On Windows Server 2003
    this vulnerability could allow an attacker who sent a series of
    specially-crafted packets to a WINS server to cause the service to fail.
    Most likely, this could cause a denial of service, and the service would
    have to be manually restarted to restore functionality.

    The possibility of a denial of service on Windows Server 2003 results from
    the presence of a security feature that is used in the development of
    Windows Server 2003. This security feature detects when an attempt is made
    to exploit a stack-based buffer overrun and reduces the chance that it can
    be easily exploited. This security feature can be forced to terminate the
    service to prevent malicious code execution. On Windows Server 2003, when
    an attempt is made to exploit the buffer overrun, the security feature
    reacts and terminates the service. This results in a denial of service
    condition of WINS. Because it is possible that methods may be found in the
    future to bypass this security feature, which could then enable code
    execution, customers should apply the update. For more information about
    these security features, visit the following Web site.

    On Windows NT and Windows 2000, the nature of the vulnerability is
    slightly different. WINS will reject the specially-crafted packet and the
    attack does not result in a denial of service. The vulnerability on these
    platforms also does not allow code execution. Microsoft is releasing a
    security update for these platforms that corrects the vulnerable code as a
    preventive measure to help protect these platforms in case methods are
    found in the future to exploit this vulnerability.

    DETAILS

    Affected Software:
     * Microsoft Windows NT Server 4.0 Service Pack 6a -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=67F91E33-E2EC-4CE9-B55B-509240B1A973&displaylang=en> Download the update
     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=FCAF39A9-73BD-4B7F-9DC1-ACED9FE61852&displaylang=en> Download the update
     * Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000
    Server Service Pack 3, Microsoft Windows 2000 Server Service Pack 4 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=FD38BD3F-2E56-45B8-B8B2-C5C798B0E70D&displaylang=en> Download the update
     * Microsoft Windows Server 2003 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=AA95192E-5B0B-45F0-B4AE-E228B0625F2D&displaylang=en> Download the update
     * Microsoft Windows Server 2003 64-Bit Edition -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=6FD30C00-8D60-4CFD-A115-3708138F5B00&displaylang=en> Download the update

    Non Affected Software:
     * Microsoft Windows NT® Workstation 4.0 Service Pack 6a
     * Microsoft Windows 2000 Professional Service Pack 2, Microsoft Windows
    2000 Professional Service Pack 3, Microsoft Windows 2000 Professional
    Service Pack 4
     * Microsoft Windows XP, Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit
    Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003, Microsoft Windows XP
    64-Bit Edition Version 2003 Service Pack 1

    Mitigating factors:
     * The WINS service is not installed by default.

     * On Windows Server 2003, WINS automatically restarts if it fails. After
    the third automatic restart, WINS requires a manual restart to restore
    functionality.

     * On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code.
    However, on these platforms this issue does not cause a denial of service.

     * The vulnerability would not enable an attacker to gain any privileges
    on an affected system. Under the most likely attack scenario, this issue
    is strictly a denial of service.

     * Firewall best practices and standard default firewall configurations
    can help protect networks from remote attacks that originate outside the
    enterprise perimeter. Best practices recommend blocking all ports that are
    not being used. In most network configurations, the WINS server is not
    available for connection from over the Internet.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0825>
    CAN-2003-0825.

    Workarounds:
    Microsoft has tested the following workarounds. These workarounds will not
    correct the underlying vulnerability. However, they help block known
    attack vectors. Workarounds may reduce functionality in some cases; in
    such cases, the reduction in functionality is identified below.

     1. Block TCP port 42 and UDP 137 at your firewall.
      These ports are used to initiate a connection with a remote WINS server.
    Blocking these ports at the firewall will help prevent systems that are
    behind that firewall from being attacked by attempts to exploit this
    vulnerability. It is possible that other ports may be found that could be
    used to exploit this vulnerability. The ports that are listed are the most
    common attack vectors. Microsoft recommends blocking all inbound
    unsolicited communication from the Internet.

     2. Remove WINS if you do not need it:
      In many organizations, WINS only provides services for legacy systems.
    If WINS is no longer needed, you could remove it by following this
    procedure. These steps apply only to Windows 2000 and later. For Windows
    NT 4.0, follow the procedure that is included in the product
    documentation.

      To configure WINS components and services:
       1. In Control Panel, open Add or Remove Programs.
       2. Click Add/Remove Windows Components.
       3. On the Windows Components Wizard page, under Components, click
    Networking Services, and then click Details.
       4. Click to clear the Windows Internet Naming Service (WINS) check box
    to remove WINS.
       5. Complete the Windows Components Wizard by following the instructions
    on the screen.

    Impact of Workaround:
    Many organizations require WINS to perform name registration and name
    resolution functions on their network. Administrators should not remove
    WINS unless they fully understand the effect that doing so will have on
    their network. For more information about WINS, see the WINS product
    documentation. Also, if an administrator is removing the WINS
    functionality from a server that will continue to provide shared resources
    on the network, the administrator must correctly reconfigure the system to
    use the remaining name resolution services within the local network.

    Frequently Asked Questions:
    What is the scope of the vulnerability?
    Under the most likely attack scenario this is a denial of service
    vulnerability on Windows Server 2003. An attacker who successfully
    exploited this vulnerability could cause WINS to fail on Windows Server
    2003. By default, WINS restarts automatically when it fails in this
    manner. After the third automatic restart, WINS requires a manual restart
    to restore functionality. Restarting WINS will allow the service to
    function correctly. However, WINS would remain vulnerable to another
    denial of service attack.

    On Windows NT and Windows 2000, the nature of the vulnerability is
    slightly different. WINS will reject the specially-crafted packet and the
    attack does not result in a denial of service. The vulnerability on these
    platforms also does not allow code execution. Microsoft is releasing a
    security update for these platforms that corrects the vulnerable code as a
    preventive measure to help protect these platforms in case methods are
    found in the future to exploit this vulnerability.

    What causes the vulnerability?
    This vulnerability exists because of the method that WINS uses to
    validate the length of specially-crafted packets.

    The possibility of a denial of service on Windows Server 2003 results from
    the presence of a security feature that is used in the development of
    Windows Server 2003. This security feature detects when an attempt is made
    to exploit a stack-based buffer overrun and reduces the chance that it can
    be easily exploited. This security feature can be forced to terminate the
    service to prevent malicious code execution. On Windows Server 2003, when
    an attempt is made to exploit the buffer overrun, the security feature
    reacts and terminates the service. This results in a denial of service
    condition of WINS. Because it is possible that methods may be found in the
    future to bypass this security feature, which could then enable code
    execution, customers should apply the update. For more information about
    these security features, visit the following Web site.

    What is the Windows Internet Naming Service?
    The Windows Internet Name Service (WINS) maps IP addresses to NetBIOS
    computer names and vice versa. By using WINS servers, individuals can
    search for resources by computer name instead of by IP address. The
    benefits of WINS include:

     * Reduces NetBIOS-based broadcast traffic on subnets by permitting
    clients to query WINS servers to locate remote systems.
     * Supports earlier Windows and NetBIOS-based clients on the network by
    permitting them to browse lists for remote Windows domains without
    requiring a local domain controller on each subnet.
     * Supports Domain Name System (DNS) based clients by enabling those
    clients to locate NetBIOS resources when WINS lookup integration is
    implemented.

    For more information about WINS, see the WINS product documentation.

    What might an attacker use the vulnerability to do?
    The vulnerability, if exploited, could allow an attacker to cause WINS on
    Windows Server 2003 to stop responding to all requests. On Windows NT 4.0
    and Windows 2000 WINS will reject the specially-crafted packet and the
    attack does not result in a denial of service.

    Who could exploit the vulnerability?
    Any anonymous user who could deliver a specially-crafted message to WINS
    on an affected server could attempt to exploit this vulnerability. Any
    user who could establish a connection with an affected system by using the
    affected ports could attempt to exploit this vulnerability.

    How could an attacker exploit this vulnerability?
    An attacker could seek to exploit this vulnerability by creating a
    specially-crafted network message and by sending the message to the
    affected system. On Windows Server 2003, receipt of such a message could
    cause the service to fail causing a denial of service.

    An attacker could also access the affected component through another
    vector, such as one that would involve logging onto the system
    interactively or by using another application that passed parameters to
    the vulnerable component (locally or remotely).

    What systems are primarily at risk from the vulnerability?
    Only Windows systems that have been configured as WINS servers are
    vulnerable. Windows NT 4.0 Workstation, Windows 2000 Professional, and
    Windows XP cannot be configured as WINS servers; therefore, these
    operating systems are not affected by this vulnerability.

    What does the update do?
    The update eliminates the vulnerability by changing the method that WINS
    uses to validate the length of a message before it passes the message to
    the allocated buffer.
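    The fix the bulletin describes, validating a message's length before the
    message is copied into a fixed-size buffer, is the same check that makes any
    network parser safe from this class of stack-based overrun. The following C
    program is an added illustration written for this page; it is not Microsoft's
    code and does not use the real WINS wire format. It assumes a constructed
    message layout (a 2-byte big-endian length field followed by that many payload
    bytes), a 16-byte destination buffer, and hypothetical names
    (parse_name_message, parse_with_claimed_length). The point it demonstrates is
    that the attacker-controlled length field has to be checked against two
    independent limits, the number of bytes actually received and the capacity of
    the destination, before any copy happens. A parser that enforces both never
    reaches the overrun, so the Windows Server 2003 stack-protection feature the
    bulletin mentions never has to terminate the service, and the denial of
    service does not occur.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout for this example (NOT the WINS wire format):
 * a 2-byte big-endian length field, then that many bytes of name payload. */
#define MSG_HEADER_LEN 2
#define NAME_BUF_SIZE  16          /* fixed-size destination buffer */
#define MAX_TEST_PAYLOAD 256       /* scratch space used by the test helper */

enum parse_result {
    PARSE_OK = 0,
    PARSE_BAD_ARGS,                /* NULL pointers */
    PARSE_TRUNCATED_HEADER,        /* fewer bytes than the header itself needs */
    PARSE_LENGTH_EXCEEDS_PACKET,   /* length field claims more than was received */
    PARSE_LENGTH_EXCEEDS_BUFFER    /* length field larger than the destination */
};

struct parsed_name {
    uint8_t data[NAME_BUF_SIZE];
    size_t  len;
};

/* Hardened parse: validate the untrusted length field against BOTH the bytes
 * actually received and the destination capacity, and only then copy.
 * Copying first and checking later, or checking only one of the two limits,
 * is the kind of defect the bulletin's update corrects. */
enum parse_result parse_name_message(const uint8_t *pkt, size_t pkt_len,
                                     struct parsed_name *out)
{
    if (pkt == NULL || out == NULL)
        return PARSE_BAD_ARGS;
    if (pkt_len < MSG_HEADER_LEN)
        return PARSE_TRUNCATED_HEADER;

    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];

    /* Check 1: the claimed length must lie within the bytes we received.
     * pkt_len >= MSG_HEADER_LEN was established above, so no underflow here. */
    if (claimed > pkt_len - MSG_HEADER_LEN)
        return PARSE_LENGTH_EXCEEDS_PACKET;

    /* Check 2: the claimed length must fit the fixed destination buffer. */
    if (claimed > NAME_BUF_SIZE)
        return PARSE_LENGTH_EXCEEDS_BUFFER;

    memcpy(out->data, pkt + MSG_HEADER_LEN, claimed);
    out->len = claimed;
    return PARSE_OK;
}

/* Test helper: build a packet whose header claims `claimed` bytes over a
 * payload of `payload_len` filler bytes, parse it, and report the result.
 * If out_len is non-NULL it receives the accepted length (0 on rejection). */
enum parse_result parse_with_claimed_length(uint16_t claimed, size_t payload_len,
                                            size_t *out_len)
{
    uint8_t pkt[MSG_HEADER_LEN + MAX_TEST_PAYLOAD];
    if (payload_len > MAX_TEST_PAYLOAD)
        payload_len = MAX_TEST_PAYLOAD;
    pkt[0] = (uint8_t)(claimed >> 8);
    pkt[1] = (uint8_t)(claimed & 0xff);
    memset(pkt + MSG_HEADER_LEN, 'A', payload_len);

    struct parsed_name name;
    enum parse_result r = parse_name_message(pkt, MSG_HEADER_LEN + payload_len, &name);
    if (out_len != NULL)
        *out_len = (r == PARSE_OK) ? name.len : 0;
    return r;
}

int main(void)
{
    static const char *labels[] = {
        "ok", "bad args", "truncated header",
        "length exceeds packet", "length exceeds buffer"
    };
    /* Constructed cases: a valid message, a header lying about a short
     * payload, and an oversized name that would overrun the 16-byte buffer. */
    printf("claimed  8 / payload  8: %s\n", labels[parse_with_claimed_length(8, 8, NULL)]);
    printf("claimed  8 / payload  4: %s\n", labels[parse_with_claimed_length(8, 4, NULL)]);
    printf("claimed 40 / payload 40: %s\n", labels[parse_with_claimed_length(40, 40, NULL)]);
    return 0;
}
```

    The order of the two checks does not matter for safety; what matters is
    that both hold before the memcpy. In the oversized case the header and the
    payload agree with each other, so only the buffer-capacity check catches it,
    which is why validating against the received byte count alone is not enough.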

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.

    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS04-006.asp>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

