[NT] Vulnerability in Windows Media Services Could Allow a DoS (MS04-008)

• Previous message: SecuriTeam: "[NT] Multiple WFTPD DoS Vulnerabilities (XeroxDocutech)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 10 Mar 2004 19:19:46 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Vulnerability in Windows Media Services Could Allow a DoS (MS04-008)
------------------------------------------------------------------------

SUMMARY

A vulnerability exists because of the way that Windows Media Station
Service and Windows Media Monitor Service, components of Windows Media
Services, handle TCP/IP connections. If a remote user were to send a
specially-crafted sequence of TCP/IP packets to the listening port of
either of these services, the service could stop responding to requests
and no additional connections could be made. The service must be restarted
to regain its functionality.

Windows Media Services is made up of Windows Media Services Administrator
and four Windows Media Services components running on a single computer:

By using Windows Media Unicast Service, Windows Media content can be
streamed over unicast, using either TCP or UDP as a transport, to
Microsoft Windows Media Player or to another Windows Media server.

Windows Media Station Service performs three key functions:
 * It arranges one or more streams of content (also known as a "playlist"
or "program") for subsequent streaming.

 * It multicasts the playlist or program to Windows Media Player or to
another Windows Media server.

 * It distributes the playlist or program locally to Windows Media Unicast
Service for subsequent unicasting to Windows Media Player or to another
Windows Media server.

Windows Media Program Service is a dependent service of Windows Media
Station Service. Windows Media Program Service helps the server
administrator build playlists of Windows Media content using Windows Media
Services Administrator and persist those playlists for future use.

Windows Media Monitor Service is the administrative console of Windows
Media Services.

Note Windows Media Unicast Service may also be affected by a successful
attack against Windows Media Station Service if Windows Media Unicast
Service is sourcing a playlist from Windows Media Station Service. In this
case, Windows Media Unicast Service could stop functioning when it
encounters the next item in the playlist. An administrator can stream
media by using Windows Media Unicast Service without a playlist.

DETAILS

Affected Software:
 * Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000
Server Service Pack 3, Microsoft Windows 2000 Server Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7F4C067C-5D34-48FB-A9FA-C2200243D4D2&displaylang=en> Download the update

Non Affected Software:
 * Microsoft Windows NT? Workstation 4.0 Service Pack 6a

 * Microsoft Windows NT Server 4.0 Service Pack 6a

 * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6

 * Microsoft Windows 2000 Professional Service Pack 2, Microsoft Windows
2000 Professional Service Pack 3, Microsoft 2000 Professional Service Pack
4

 * Microsoft Windows XP, Microsoft Windows XP Service Pack 1

 * Microsoft Windows XP 64-Bit Edition Service Pack 1

 * Microsoft Windows XP 64-Bit Edition Version 2003

 * Microsoft Windows Server? 2003

 * Microsoft Windows Server 2003 64-Bit Edition

Mitigating factors:
The Windows Media Services component is not installed by default.
 * Windows Media Services can be configured to offer streaming media over
unicast only and would then not be affected by this vulnerability. This
configuration would mean that different media streams from the same server
could not be added into a playlist.

 * Microsoft recommends that customers enable Windows Media Unicast
Service only on Internet-facing sockets and ports and not the other
components of Windows Media Services. If this practice is followed, the
attack surface would not be exposed to the Internet.

 * Customers who administer their Windows Media Services servers directly
from the console or through a Terminal Services session are not affected
by any successful Denial of Service attempts against Windows Media Monitor
Service. Windows Media Monitor Service would not be accessible remotely,
only locally.

 * If you have disabled Windows Media Station Service and Windows Media
Monitor Service, you are not affected by this vulnerability.

Workarounds:
Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability. However, they help block known
attack vectors. Workarounds may reduce functionality in some cases; in
such cases, the reduction in functionality is identified below.

 * Block ports 7007 and 7778 at your firewall.

If you do not stream media over TCP to the Internet, you can block TCP
port 7007. Also, block port 7778, which is used to administer Windows
Media Services through Windows Media Monitor Service. Windows Media
Services uses these ports. By blocking these ports at the firewall, you
can help prevent systems that are behind the firewall from being attacked
by attempts to exploit this vulnerability.

Impact of Workaround: If you block port 7007, you will prevent multicast
streams and the enabling of playlists from functioning across the
firewall. If you block port 7778, you will prevent administrative
functions from functioning across the firewall.

 * Administer your Windows Media Services from the console or through a
Terminal Services session.

Administer your Windows Media Services servers directly from the console
or through a Terminal Services session. If you do this, you will not be
affected by any successful denial of service attempts against Windows
Media Monitor Service. The reason for this is that the service can still
be accessed and used from the desktop of the system that is hosting
Windows Media Services even after a successful denial of service attack
has been taken place.

Impact of Workaround: None.

 * Stop, disable, or remove Windows Media Station Service.

Stop, disable, or remove Windows Media Station Service.

Impact of Workaround: Stopping, disabling, or removing Windows Media
Station Service will cause multicast streams or the enabling of playlists
to not function.

 * Disable or remove Windows Media Monitor Service.

Disable or remove Windows Media Monitor Service.

Impact of Workaround: Disabling or removing Windows Media Monitor Service
will prevent the possibility of administering Windows Media Services.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully
exploited the vulnerability could cause Windows Media Station Service or
Windows Media Monitor Service running on a system that is running Windows
2000 Server to stop responding to new requests. For Windows Media Station
Service, the result would be that the service would not accept any new TCP
connections. New requests for media would not be serviced, nor would
subsequent items in a playlist be serviced. For of Windows Media Monitor
Service, the result would be that the service would not accept any new TCP
connections; however, the server administrator could use Terminal Services
to log on remotely and administer Windows Media Services.

What causes the vulnerability?
The vulnerability exists because the process by which Windows Media
Station Service and Windows Media Monitor Service validate TCP requests
could cause both services to stop accepting new connection requests.

What is Windows Media Services?
Windows Media Services is a Windows server component that enables content
to be streamed from a Windows Media server to Windows Media clients over
the Internet or over an intranet. Clients who receive the content can
render, as in play or display, it as it is being received without first
downloading the content.

What components are installed on my system when I install Windows Media
Services?
Windows Media Services is made up of four Windows services:

 * Windows Media Unicast Service. This service provides unicast streaming
over the Internet or over an intranet.

 * Windows Media Station Service. This service provides multicast
streaming. To be able to use multicast streaming, all routers between the
server and the client must have multicast enabled.

 * Windows Media Program Service. This service provides a sequential
program, or playlist, to Windows Media Station Service. Playlists can also
be used by Windows Media Unicast Service, which uses features in Windows
Media Station Service and Windows Media Program Service to operate.

 * Windows Media Monitor Service. This is a helper service to Windows
Media Services; it monitors client and server connections and is the
service through which Windows Media Services is administered.

What are the unicast and multicast methods of media streaming?
Unicast and multicast media streaming are methods of delivering media
content to clients across a network.
Unicast is a file transfer process where a separate copy of the data is
sent from the server to each client that requests it.
Multicast is a file transfer process where a single copy of the data is
sent, but all clients access that single stream in progress. Multiple
copies of data are not sent across the network. For more information about
multicast media streaming, see the Multicast Streaming with Windows Media
Services 4.1 Web site.

What might the vulnerability allow an attacker to do?
An unauthenticated attacker could send a specially-crafted sequence of
TCP/IP packets to the server, which could cause Windows Media Station
Service to stop accepting new requests. Windows Media Station Service
would still be able to stream media on TCP connections that have already
been made, but it would not accept new requests. New requests for media
would not be serviced. Requests for the next item in a playlist would also
not be serviced because they are essentially new requests.
To recover from this state, an administrator would have to restart the
service.

Who could exploit the vulnerability?
An unauthenticated attacker who could connect to Windows Media Station
Service or to Windows Media Monitor Service could exploit this
vulnerability by causing the services to stop responding to new requests.

What systems are primarily at risk from the vulnerability?
Apply this update to systems that have Windows Media Center Services for
Windows 2000 Server installed.

I am running Windows Media Services 4.1 on Windows NT4 Server. Am I
affected by this vulnerability?
No. Windows Media Services 4.1 (available for download for Windows NT4
Server) is not affected by this vulnerability.

What does the update do?
The update makes sure that Windows Media Station Service and Windows Media
Monitor Service correctly validate TCP requests.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.

The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS04-008.mspx>
http://www.microsoft.com/technet/security/bulletin/MS04-008.mspx.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Multiple WFTPD DoS Vulnerabilities (XeroxDocutech)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]