[NT] Vulnerability in NNTP Allows Remote Code Execution (MS04-036)

• Previous message: SecuriTeam: "[NT] Cumulative Security Update for Internet Explorer (MS04-038)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 13 Oct 2004 18:32:15 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Vulnerability in NNTP Allows Remote Code Execution (MS04-036)
------------------------------------------------------------------------

SUMMARY

A remote code execution vulnerability exists within the Network News
Transfer Protocol (NNTP) component of the affected operating systems. This
vulnerability could potentially affect systems that do not use NNTP. This
is because some programs that are listed in the affected software section
require that the NNTP component be enabled before you can install them.

DETAILS

Vulnerable Systems:
 * Microsoft Windows NT Server 4.0 Service Pack 6a -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=0126B7AC-9C78-45C5-8AC7-E0E8CA4B6DEE> Download the update
 * Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000
Server Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=54A86560-4A0C-4E2F-A137-D8EE905A674A> Download the update
 * Microsoft Windows Server 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=DCB1CB73-A426-40D8-BD14-B458C7915815> Download the update
 * Microsoft Windows Server 2003 64-Bit Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1A8C4D7A-2F85-4CDD-8CC9-E2E1817403DF> Download the update
 * Microsoft Exchange 2000 Server Service Pack 3 (Uses the Windows 2000
NNTP component)
 * Microsoft Exchange Server 2003 and Microsoft Exchange Server 2003
Service Pack 1 (Uses the Windows 2000 or Windows Server 2003 NNTP
component)

Immune Systems:
 * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
 * Microsoft Windows 2000 Professional Service Pack 3 and Microsoft
Windows 2000 Professional Service Pack 4
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
 * Microsoft Windows XP 64-Bit Edition Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Version 2003
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
 * Microsoft Exchange Server 5.0 Service Pack 2
 * Microsoft Exchange Server 5.5 Service Pack 4

Affected Components:
 * Microsoft Windows NT Server 4.0 Service Pack 6a NNTP component
 * Microsoft Windows 2000 Server Service Pack 3 NNTP component and
Microsoft Windows 2000 Server Service Pack 4 NNTP component
 * Microsoft Windows Server 2003 NNTP Component
 * Microsoft Windows Server 2003 64-Bit Edition NNTP Component

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0574>
CAN-2004-0574

 * Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed. If the
affected NNTP Ports (119 and 563) are blocked at the firewall, external
attacks attempting to exploit this vulnerability could be blocked.

 * Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 are
at a reduced risk from this vulnerability because the affected component
is not installed by default. Even if Internet Information Services is
installed, the affected component is not installed by default. An
administrator must manually install the affected component for a system to
become vulnerable to this issue.

 * Exchange 2000 Server and Exchange Server 2003 require the installation
of the affected operating system component. However upon installation,
Exchange Server 2003 disables the affected operating system component.
Exchange Server 2003 requires an administrator to manually re-enable this
component to become vulnerable to this issue. Exchange 2000 Server does
not disable this component by default when it is installed. However, if an
administrator manually disables this component after installing Exchange
Server 2000, the system is not vulnerable to this issue. Best practice
recommendations for helping to secure Exchange 2000 Server include
disabling the affected operating system component. For more information
about how to help secure Exchange 2000 Server, visit the following
<http://www.microsoft.com/technet/security/guidance/secmod43.mspx> Web
site.

Workarounds for NNTP Vulnerability
 * Block the following at the firewall:
   * UDP ports 119 and 563
   * TCP ports 119 and 563

 These ports are used to initiate a connection with a NNTP server.
Blocking them at the firewall will help prevent systems that are behind
that firewall from attempts to exploit this vulnerability. Also, make sure
that you block any other specifically configured NNTP ports on the system.
We recommend that you block all unsolicited inbound communication from the
Internet to help prevent attacks that may use other ports. For more
information about the ports that NNTP uses, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21312> Web site. Port 563 is the
default port that NNTP uses to perform Secure Sockets Layer (SSL)
connections.

 * Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block the affected ports and
to block all unsolicited inbound traffic. For more information about how
to configure TCP/IP filtering, see Microsoft Knowledge Base Article
<http://support.microsoft.com/default.aspx?scid=kb;en-us;309798> 309798.

 * Block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network
communications. Detailed information about IPSec and how to apply filters
is available in Microsoft Knowledge Base Articles
<http://support.microsoft.com/default.aspx?scid=kb;en-us;313190> 313190
and <http://support.microsoft.com/?id=813878> 813878.

 * Remove or disable NNTP if you do not need it:
In many organizations, NNTP only provides services for legacy systems. If
you no longer need NNTP, you could remove it by following these steps.
These steps apply only to Windows 2000 and later versions. For Windows NT
4.0, follow the procedure that is included in the product documentation.
NNTP is a required component for Exchange 2000 Server and Exchange Server
2003. However, while NNTP may not be removed on Exchange servers, it can
be disabled. NNTP is disabled by default on Exchange 2003. To help secure
Exchange 2000 systems, follow the <Securing Exchange 2000 Server>
Securing Exchange 2000 Server best practice recommendations instead of
these instructions.

To remove NNTP components and services:

   * In Control Panel, click Add or Remove Programs.
   * Click Add/Remove Windows Components.
   * On the Windows Components Wizard page, under Components, click
Internet Information Services (IIS), and then click Details.
   * Click to clear the Network News Transfer Protocol Service (NNTP)
check box to remove NNTP.
   * Complete the Windows Components Wizard by following the instructions
on the screen.

Impact of Workaround: NNTP services will no longer function. Any
applications or services that require NNTP may fail. Administrators should
not remove NNTP unless they fully understand the affect that doing so will
have on their network. For more information about NNTP, see the
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/nntp_administration.asp?frame=true> NNTP product documentation.

FAQ for NNTP Vulnerability
What is the scope of the vulnerability ?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system, including installing programs; viewing,
changing, or deleting data; or creating new accounts that have full
privileges. This vulnerability could potentially affect systems that do
not use NNTP. This is because some programs that are listed in the
affected software section require that the NNTP component be enabled
before you can install them.

What causes the vulnerability ?
An unchecked buffer in the Network News Transfer Protocol (NNTP)
component.

What is the Network News Transfer Protocol (NNTP) component ?
The NNTP component provides a service that enables the distribution,
retrieval, and posting of news articles among the Internet community. NNTP
is designed so that news articles are stored in a central database
allowing a subscriber to select only those items that they want to read.
For more information about NNTP, see the
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/nntp_administration.asp?frame=true> NNTP product documentation. NNTP is defined in Request for Comment (RFC) documents <http://www.ietf.org/rfc/rfc977.txt> 977 and <http://www.ietf.org/rfc/rfc2980.txt> 2980.

What might an attacker use the vulnerability to do ?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

Who could exploit the vulnerability ?
Any anonymous user who could deliver a specially crafted message to the
affected system could attempt to exploit this vulnerability.

How could an attacker exploit the vulnerability ?
An attacker could exploit the vulnerability by creating a specially
crafted message and sending the message to an affected system, which could
then cause the affected system to execute code.

An attacker could also access the affected component through another
vector. For example, an attacker could log on to the system interactively
or by using another program that passes parameters to the vulnerable
component (locally or remotely).

What systems are primarily at risk from the vulnerability ?
Windows 2000 Professional (all versions), and Windows XP (all versions)
are not affected by this vulnerability. The affected component is not
supported on these operating system versions.

Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 are at
a reduced risk from this vulnerability because the affected component is
not installed by default. Even if Internet Information Services (IIS) is
installed, the affected component is not installed by default.

Exchange 2000 servers and systems that have manually enabled NNTP are
primarily at risk from this vulnerability. Exchange 2000 Server and
Exchange Server 2003 require the installation of the affected operating
system component. However upon installation, Exchange Server 2003 disables
the affected operating system component. Exchange Server 2003 requires an
administrator to manually re-enable this component to become vulnerable to
this issue. Exchange 2000 Server does not disable this component by
default when it is installed. However, if an administrator manually
disables this component after installing Exchange Server 2000, the system
is not vulnerable to this issue. Best practice recommendations for helping
to secure Exchange 2000 Server include disabling the affected operating
system component. For more information about how to help secure Exchange
2000 Server, visit the following
<http://www.microsoft.com/technet/security/guidance/secmod43.mspx> Web
site.

I use Windows NT Server 4.0 Terminal Server Edition Service Pack 6. Could
I be affected by this vulnerability ?
No. The NNTP component ships as part of the Windows NT 4.0 Option Pack.
The Windows NT 4.0 Option Pack is not supported on this operating system
version. For more information, see Microsoft Knowledge Base Article
<http://support.microsoft.com/?kbid=190157> 190157.

If NNTP is installed and running, is it vulnerable ?
Yes, except for the Exchange 5.5 Server version of the NNTP Component.

Is Exchange 5.5 Server affected by this vulnerability ?
Exchange 5.5 Server and Exchange 5.0 Server are not affected by this
vulnerability. Their implementation of NNTP is independent of the
implementation in other affected software versions.

Could the vulnerability be exploited over the Internet ?
Yes. An attacker may be able to exploit this vulnerability over the
Internet.

I visit news servers frequently from my home computer. Does this
vulnerability affect me ?
No. It only affects servers that offer NNTP services; it does not affect
the client systems that visit them.

What does the update do ?
The update removes the vulnerability by modifying the way that the NNTP
component validates the length of a message before it passes the message
to the allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed ?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited ?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx>
http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx
The original article can be found at:
<http://www.securiteam.com/windowsntfocus/6T00C0UBGU.html>
http://www.securiteam.com/windowsntfocus/6T00C0UBGU.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Cumulative Security Update for Internet Explorer (MS04-038)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]