[NT] Vulnerability in DHCP Allows Remote Code Execution and DoS (MS04-042, Logging, Request)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/15/04
To: list@securiteam.com
Date: 15 Dec 2004 16:51:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in DHCP Allows Remote Code Execution and DoS (MS04-042,
Logging, Request)
------------------------------------------------------------------------
SUMMARY
An attacker who successfully exploited the most severe of these
vulnerabilities could take complete control of an affected system,
including installing programs; viewing, changing, or deleting data; or
creating new accounts that have full privileges. However, attempts to
exploit these vulnerabilities would most likely result in a denial of
service of the Dynamic Host Configuration Protocol (DHCP) Server service.
DETAILS
Vulnerable Systems:
* Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7CC7F82D-F2A2-49AA-BF33-897498898EAD>
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 -
Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=69F3259F-3004-462C-B2A8-37F65EB78A2D>
Immune Systems:
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
CVE Information:
* CAN-2004-0899 - Logging Vulnerability:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0899>
* CAN-2004-0900 - DHCP Request Vulnerability:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0900>
Logging Vulnerability - CAN-2004-0899
A denial of service vulnerability exists that could allow an attacker to
send a specially crafted DHCP message to a DHCP server. An attacker could
cause the DHCP Server service to stop responding.
Mitigating Factors for Logging Vulnerability
* The DHCP Server service is not installed by default.
* The DHCP Client service is not vulnerable to this issue.
* DHCP Logging is not enabled by default. Only DHCP servers that have
enabled DHCP Logging would be vulnerable to this issue.
* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.
Workarounds for Logging Vulnerability
* Disable DHCP Logging
You can help protect against attacks that attempt to exploit this
vulnerability by disabling the DHCP Logging feature. To disable this
feature, perform the following steps:
* Start the DHCP Manager.
* Click the DHCP server where you want to enable logging.
* Click Server, and then click Properties.
* Click to clear the Enable DHCP Logging check box.
* Restart the DHCP Server service or restart the affected system.
For more information, see <http://support.microsoft.com/kb/164524>
Microsoft Knowledge Base Article 164524.
Impact of Workaround: DHCP Logging features are disabled. It is not
possible to track activity logs until this feature is enabled.
* Block UDP port 67 and UDP port 68 at your firewall
These ports are used to initiate a connection with a DHCP server. Blocking
these ports at the firewall will help prevent systems that are behind that
firewall from being attacked by attempts to exploit this vulnerability. It
is possible that other ports may be found that could be used to exploit
this vulnerability. The ports that are listed are the most common attack
vectors. We recommend that you block all inbound unsolicited communication
from the Internet.
* Move DHCP Services to Windows 2000 Server or a later version
Later versions of the DHCP Server service, such as those that are provided
as part of Windows 2000 Server or Windows Server 2003, are not vulnerable
to this issue. Note: Windows NT 4.0 Server is nearing the end of its
support life cycle on December 30, 2004. For more information about the
Windows Product Lifecycle, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21742> Microsoft Support Lifecycle
Web site.
FAQ for Logging Vulnerability
What is the scope of the vulnerability ?
Under the most likely attack scenario this is a denial of service
vulnerability. An attacker who successfully exploited this vulnerability
could cause the DHCP Server service to fail. Restarting the DHCP Server
service will allow the service to function correctly. However, the DHCP
Server service could remain vulnerable to another denial of service
attack.
What causes the vulnerability ?
An unchecked buffer in the method that DHCP uses to validate a value from
specially crafted network packets.
What is DHCP ?
Dynamic Host Configuration Protocol (DHCP) is an IP standard that is
designed to reduce the complexity of administering address configurations.
DHCP does this by using a server computer to centrally manage IP addresses
and other related configuration details used on your network. Windows NT
4.0 Server provides the DHCP Server service, which enables the server
computer to perform as a DHCP Server and to provide configuration settings
to DHCP-enabled client computers on your network as described in the DHCP
IETF <http://www.faqs.org/rfcs/rfc2131.html> RFC 2131.
What might an attacker use the vulnerability to do ?
An attacker who successfully exploited this vulnerability could most
likely cause DHCP to stop responding to all requests.
Who could exploit the vulnerability ?
Any anonymous user who could deliver a specially crafted message to the
affected system could attempt to exploit this vulnerability.
How could an attacker exploit the vulnerability ?
An attacker could exploit this vulnerability by creating a program that
could communicate with a vulnerable server through DHCP to send a specific
kind of specially crafted DHCP message. Receipt of such a message could
cause the vulnerable service to fail in such a way that it could cause a
denial of service for that service.
What systems are primarily at risk from the vulnerability ?
Only Windows NT 4.0 Server systems that have been configured as DHCP
servers with DHCP logging enabled are vulnerable.
Could the vulnerability be exploited over the Internet ?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. IT Professionals can visit the
<http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center
Web site.
What does the update do ?
The update removes the vulnerability by modifying the way that the DHCP
Server service validates the length of a message before it passes the
message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed ?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited ?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
DHCP Request Vulnerability - CAN-2004-0900
A remote code execution vulnerability exists that could allow an attacker
to send a specially crafted DHCP message to a DHCP server. However,
attempts to exploit this vulnerability would most likely result in a
denial of service of the DHCP Server service.
Mitigating Factors for DHCP Request Vulnerability
* The DHCP Server service is not installed by default.
* The DHCP Client service is not vulnerable to this issue.
* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.
Workarounds for DHCP Request Vulnerability
* Block UDP port 67 and UDP port 68 at your firewall
These ports are used to initiate a connection with a DHCP server. Blocking
these ports at the firewall will help prevent systems that are behind that
firewall from being attacked by attempts to exploit this vulnerability. It
is possible that other ports may be found that could be used to exploit
this vulnerability. The ports that are listed are the most common attack
vectors. We recommend that you block all inbound unsolicited communication
from the Internet.
* Move DHCP Services to Windows 2000 Server or a later version
Later versions of the DHCP Server service, such as those that are provided
as part of Windows 2000 Server or Windows Server 2003, are not vulnerable
to this issue. Note: Windows NT 4.0 Server is nearing the end of its
support life cycle on December 30, 2004. For more information about the
Windows Product Lifecycle, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21742> Microsoft Support Lifecycle
Web site.
FAQ for DHCP Request Vulnerability
What is the scope of the vulnerability ?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system, including installing programs; viewing,
changing, or deleting data; or creating new accounts that have full
privileges. However, under the most likely attack scenario this is a
denial of service vulnerability. An attacker who successfully exploited
this vulnerability could cause the DHCP Server service to fail. Restarting
the DHCP Server service will allow the service to function correctly.
However, the DHCP Server service could remain vulnerable to another denial
of service attack.
What causes the vulnerability ?
An unchecked buffer in the method that DHCP uses to validate a value from
specially crafted network packets.
What is DHCP ?
Dynamic Host Configuration Protocol (DHCP) is an IP standard that is
designed to reduce the complexity of administering address configurations.
DHCP does this by using a server computer to centrally manage IP addresses
and other related configuration details used on your network. Windows NT
4.0 Server provides the DHCP Server service, which enables the server
computer to perform as a DHCP Server and to provide configuration settings
to DHCP-enabled client computers on your network as described in the DHCP
IETF <http://www.faqs.org/rfcs/rfc2131.html> RFC 2131.
What might an attacker use the vulnerability to do ?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.
Who could exploit the vulnerability ?
Any anonymous user who could deliver a specially crafted message to the
affected system could attempt to exploit this vulnerability.
How could an attacker exploit the vulnerability ?
An attacker could exploit this vulnerability by creating a program that
could communicate with a vulnerable server through DHCP to send a specific
kind of specially crafted DHCP message. Receipt of such a message could
cause the vulnerable service to fail in such a way that it could allow
code execution or cause a denial of service for that service.
What systems are primarily at risk from the vulnerability ?
Only Windows NT 4.0 Server systems that have been configured as DHCP
servers are vulnerable.
Could the vulnerability be exploited over the Internet ?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. IT Professionals can visit the
<http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center
Web site.
What does the update do ?
The update removes the vulnerability by modifying the way that the DHCP
Server service validates the length of a message before it passes the
message to the allocated buffer.
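Added example, not taken from the advisory or from Microsoft's code: the fix described in both "What does the update do ?" answers (validate the length before copying into the allocated buffer), shown on an RFC 2131 option parser. The advisory does not say which field was unchecked; the options TLV, the function name dhcp_copy_option and the DHCP_ERR_* codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 2131 layout: 236-byte fixed header, 4-byte magic cookie, then options
 * encoded as code(1) | length(1) | value(length). */
#define DHCP_FIXED_LEN 236
#define DHCP_OPT_PAD   0
#define DHCP_OPT_END   255

enum { DHCP_ERR_SHORT = -1, DHCP_ERR_COOKIE = -2, DHCP_ERR_TRUNC = -3,
       DHCP_ERR_TOOBIG = -4, DHCP_ERR_ABSENT = -5 };

static const uint8_t dhcp_cookie[4] = { 99, 130, 83, 99 };

/* Hypothetical helper: copy option `code` from an untrusted message into
 * `dst`. Returns the value length, or a negative DHCP_ERR_* code. Every
 * length is checked against the packet and the destination before copying. */
int dhcp_copy_option(const uint8_t *msg, size_t msg_len, uint8_t code,
                     uint8_t *dst, size_t dst_cap)
{
    size_t off = DHCP_FIXED_LEN + sizeof dhcp_cookie;

    if (msg_len < off)
        return DHCP_ERR_SHORT;
    if (memcmp(msg + DHCP_FIXED_LEN, dhcp_cookie, sizeof dhcp_cookie) != 0)
        return DHCP_ERR_COOKIE;
    while (off < msg_len) {
        uint8_t opt = msg[off++];
        if (opt == DHCP_OPT_PAD)
            continue;
        if (opt == DHCP_OPT_END)
            break;
        if (off >= msg_len)                 /* length byte missing */
            return DHCP_ERR_TRUNC;
        size_t len = msg[off++];
        if (len > msg_len - off)            /* value runs past the packet */
            return DHCP_ERR_TRUNC;
        if (opt == code) {
            if (len > dst_cap)              /* value larger than the buffer */
                return DHCP_ERR_TOOBIG;
            memcpy(dst, msg + off, len);
            return (int)len;
        }
        off += len;
    }
    return DHCP_ERR_ABSENT;
}
```

The two length comparisons are the point: one bounds the declared length by the bytes actually received, the other by the size of the destination buffer.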
When this security bulletin was issued, had this vulnerability been
publicly disclosed ?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited ?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS04-042.mspx>
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.