[NT] Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name Validation, Association Context)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/15/04

    To: list@securiteam.com
    Date: 15 Dec 2004 17:07:24 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name Validation, Association Context)
    ------------------------------------------------------------------------

    SUMMARY

    This update resolves several newly-discovered, public and privately
    reported vulnerabilities. An attacker who successfully exploited the most
    severe of these vulnerabilities could take complete control of an affected
    system, including installing programs; viewing, changing, or deleting
    data; or creating new accounts that have full privileges.

    DETAILS

    Affected Software:
     * Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=38E9DB8C-5C43-4E9A-9DC9-97C2686A45F1>
     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Download the update:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=D7AB3F6F-26FE-4AE8-A07A-481D772D03A6>
     * Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000 Server Service Pack 4 - Download the update:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=40146B52-5546-489E-857E-01FE1EF709B2>
     * Microsoft Windows Server 2003 - Download the update:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=10836F38-A38B-47D5-B87B-18D8E26EEFAA>
     * Microsoft Windows Server 2003 64-Bit Edition - Download the update:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=06CF9E85-C66D-4A7D-B2EB-99DE9423B60F>

    Non-Affected Software:
     * Microsoft Windows 2000 Professional Service Pack 3 and Microsoft
    Windows 2000 Professional Service Pack 4
     * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
    Pack 2
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    Name Validation Vulnerability:
    A remote code execution vulnerability exists in WINS because of the way
    that it handles computer name validation. An attacker could exploit the
    vulnerability by constructing a malicious network packet that could
    potentially allow remote code execution on an affected system. An attacker
    who successfully exploited this vulnerability could take complete control
    of an affected system.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0567>
    CAN-2004-0567

    Mitigating Factors for Name Validation Vulnerability:
     * Firewall best practices and standard default firewall configurations
    can help protect networks from attacks that originate outside the
    enterprise perimeter. Best practices recommend that systems that are
    connected to the Internet have a minimal number of ports exposed.

     * By default, WINS is not installed on Windows NT Server 4.0, on Windows
    NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on
    Windows Server 2003. By default, WINS is installed and running on
    Microsoft Small Business Server 2000 and on Microsoft Windows Small
    Business Server 2003.

     * However, by default, on all versions of Microsoft Small Business
    Server, the WINS component communication ports are blocked from the
    Internet and WINS is available only on the local network.

     * On Windows Server 2003, attempts to exploit this vulnerability would
    most likely result in a denial of service. The WINS service automatically
    restarts if it fails. After the third automatic restart, WINS requires a
    manual restart to restore functionality.

    Workarounds for Name Validation Vulnerability:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.

     * Block TCP port 42 and UDP port 42 at your firewall.

    These ports are used to initiate a connection with a remote WINS server.
    Blocking these ports at the firewall will help prevent systems that are
    behind that firewall from being attacked by attempts to exploit this
    vulnerability. It is possible that other ports may be found that could be
    used to exploit this vulnerability. The ports that are listed are the most
    common attack vectors. We recommend blocking all inbound unsolicited
    communication from the Internet.

     * Remove WINS if you do not need it.

    In many organizations, WINS only provides services for legacy systems. If
    WINS is no longer needed, you could remove it by following this procedure.
    These steps apply only to Windows 2000 and later versions. For Windows NT
    4.0, follow the procedure that is included in the product documentation.

    To configure WINS components and services:

    1. Click Start, and then click Control Panel, open Add or Remove Programs.
    2. In the default Category View, click Add or Remove Programs.
    3. Click Add/Remove Windows Components.
    4. On the Windows Components Wizard page, under Components, click
    Networking Services, and then click Details.
    5. Click to clear the Windows Internet Naming Service (WINS) check box to
    remove WINS.
    6. Complete the Windows Components Wizard by following the instructions on
    the screen.

    Impact of Workaround:
    Many organizations require WINS to perform name registration and name
    resolution functions on their network. Administrators should not remove
    WINS unless they fully understand the effect that doing this will have on
    their network. For more information about WINS, see the WINS product
    documentation. Also, if an administrator is removing the WINS
    functionality from a server that will continue to provide shared resources
    on the network, the administrator must correctly reconfigure the system to
    use the remaining name resolution services within the local network. For
    more information about WINS visit the following Microsoft Web site. For
    more information about how to determine if you need NETBIOS or WINS name
    resolution and DNS configuration, visit the following Microsoft Web site.

     * On Windows 2000 Server and Windows Server 2003, use IPSec communication
    to secure traffic between WINS server replication partners.

    Use Internet Protocol Security (IPSec) to help protect network
    communications. For detailed information about how to use IPSec to help
    protect WINS from this issue, see Microsoft Knowledge Base Article 890710.

    Detailed information about IPSec and how to apply filters is available in
    Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base
    Article 813878.

    Impact of Workaround:
    If you set up IPSec incorrectly, you may cause serious WINS replication
    problems on your corporate network. For additional information about IPSec
    security considerations, visit the following Microsoft Web site.

    FAQ for Name Validation Vulnerability:
    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could remotely take complete
    control of an affected system, including installing programs; viewing,
    changing, or deleting data; or creating new accounts that have full
    privileges.

    On Windows Server 2003, the most likely attack scenario is a denial of
    service. An attacker who successfully exploited this vulnerability could
    cause WINS to fail on Windows Server 2003. On Windows Server 2003, WINS
    restarts automatically when it fails. After the third automatic restart,
    WINS requires a manual restart to restore functionality. Restarting WINS
    allows the service to function correctly. However, WINS could remain
    vulnerable to another denial of service attack.

    What causes the vulnerability?
    An unchecked buffer in the method that WINS uses to validate the Name
    value in a specially-crafted packet.

    The possibility of a denial of service on Windows Server 2003 results from
    the presence of a security feature that was used in the development of
    Windows Server 2003. This security feature detects when an attempt is made
    to exploit a stack-based buffer overrun and reduces the chance that it can
    be easily exploited. This security feature can be forced to terminate the
    service to prevent malicious code execution. On Windows Server 2003, when
    an attempt is made to exploit the buffer overrun, the security feature
    reacts and terminates the service. This results in a denial of service
    condition of WINS. Because it is possible that methods may be found in the
    future to bypass this security feature, which could then enable code
    execution, customers should apply the update. For more information about
    these security features, visit the following Web site.
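    The bulletin attributes the Name Validation issue to an unchecked buffer and says the update changes how the name value is validated before it reaches the allocated buffer. The C program below is an added illustration of that bug class and its fix, written for this page; it is not Microsoft's code, and the record layout it parses (a 16-bit length field followed by the name bytes) is a hypothetical simplification, not the WINS replication wire format. It shows the flawed pattern (copying as many bytes as the packet claims into a fixed 16-byte NetBIOS name buffer) beside a checked version that bounds the claimed length by both the fixed name size and the bytes actually received, and then splits a validated name into its base name and service suffix. The sample records in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A NetBIOS name is a fixed 16-byte field: 15 name characters padded with
 * spaces, followed by a one-byte suffix identifying the service
 * (RFC 1001/1002). */
#define NETBIOS_NAME_LEN 16

/* Hypothetical record layout, used for this illustration only (it is NOT
 * the WINS replication format):
 *   bytes 0-1 : name_len, big-endian, taken from the packet
 *   bytes 2.. : name bytes
 */

/* Flawed pattern the bulletin describes: the length is read from the packet
 * and used to fill a fixed-size buffer without comparing it against that
 * buffer's size or against the bytes actually received. Kept only as the
 * "before" for contrast; it must never see untrusted input. */
int copy_name_unchecked(const uint8_t *pkt, size_t pkt_len,
                        uint8_t out[NETBIOS_NAME_LEN])
{
    if (pkt_len < 2)
        return -1;
    size_t name_len = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(out, pkt + 2, name_len);   /* overruns `out` when name_len > 16 */
    return (int)name_len;
}

/* Hardened form: the claimed length is checked against the fixed NetBIOS
 * name size and against the bytes really present before anything is
 * copied. Returns 0 on success or a negative code naming the rejection. */
int copy_name_checked(const uint8_t *pkt, size_t pkt_len,
                      uint8_t out[NETBIOS_NAME_LEN])
{
    if (pkt == NULL || out == NULL)
        return -1;
    if (pkt_len < 2)
        return -2;                          /* no room for a length field */
    size_t name_len = ((size_t)pkt[0] << 8) | pkt[1];
    if (name_len != NETBIOS_NAME_LEN)
        return -3;                          /* wrong size for a NetBIOS name */
    if (pkt_len - 2 < name_len)
        return -4;                          /* claims more than was received */
    memcpy(out, pkt + 2, name_len);
    return 0;
}

/* Split a validated 16-byte name into its space-trimmed base name and the
 * suffix byte. Returns the length of the base name. */
int split_netbios_name(const uint8_t raw[NETBIOS_NAME_LEN],
                       char base[NETBIOS_NAME_LEN], uint8_t *suffix)
{
    int n = NETBIOS_NAME_LEN - 1;
    memcpy(base, raw, (size_t)n);
    while (n > 0 && base[n - 1] == ' ')
        n--;
    base[n] = '\0';
    *suffix = raw[NETBIOS_NAME_LEN - 1];
    return n;
}

/* Stand-alone demo on constructed records. */
int main(void)
{
    /* constructed: length 16, "FILESRV01" padded to 15 chars, suffix 0x1C */
    const uint8_t good[] = { 0x00, 0x10, 'F','I','L','E','S','R','V','0','1',
                             ' ',' ',' ',' ',' ',' ', 0x1C };
    /* constructed: claims 4096 name bytes but carries only four */
    const uint8_t bogus[] = { 0x10, 0x00, 'A','B','C','D' };
    uint8_t name[NETBIOS_NAME_LEN];
    char base[NETBIOS_NAME_LEN];
    uint8_t suffix = 0;

    if (copy_name_checked(good, sizeof good, name) == 0) {
        split_netbios_name(name, base, &suffix);
        printf("accepted: base=\"%s\" suffix=0x%02X\n", base, suffix);
    }
    printf("bogus record -> %d\n", copy_name_checked(bogus, sizeof bogus, name));
    return 0;
}
```

The point of the checked version is that `pkt_len` comes from the receive call, not from the packet, so a record can never be trusted to describe its own size; the order of checks matters too, because `pkt_len - 2` is only safe once `pkt_len >= 2` has been established.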

    What is the Windows Internet Naming Service?
    The Windows Internet Naming Service (WINS) maps IP addresses to NetBIOS
    computer names and vice versa. By using WINS servers, individuals can
    search for resources by computer name instead of by IP address. The
    benefits of WINS include the following:

     * Reduces NetBIOS-based broadcast traffic on subnets by permitting
    clients to query WINS servers to locate remote systems.

     * Supports earlier Windows and NetBIOS-based clients on the network by
    permitting them to browse lists for remote Windows domains without
    requiring a local domain controller on each subnet.

     * Supports Domain Name System (DNS)-based clients by enabling those
    clients to locate NetBIOS resources when WINS lookup integration is
    implemented.

    For more information about WINS, see the WINS product documentation.

    How do I know if I use WINS on my server?
    By default, WINS is not installed on Windows NT Server 4.0, on Windows NT
    Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows
    Server 2003. By default, WINS is installed and running on Microsoft Small
    Business Server 2000 and on Microsoft Windows Small Business Server 2003.
    You can determine if WINS is installed by following this procedure. These
    steps apply only to Windows 2000 and later versions. For Windows NT 4.0,
    follow the procedure that is included in the product documentation.

    To verify WINS components and services:

    1. Click Start, and then click Control Panel, open Add or Remove Programs.
    2. In the default Category View, click Add or Remove Programs.
    3. Click Add/Remove Windows Components.
    4. On the Windows Components Wizard page, under Components, click
    Networking Services, and then click Details.
    5. The Windows Internet Naming Service (WINS) check box indicates if WINS
    is installed.
    6. Click cancel several times to exit Add/Remove Windows Components.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system. The vulnerability, if exploited,
    could allow an attacker to cause WINS on Windows Server 2003 to stop
    responding to all requests.

    Who could exploit the vulnerability?
    Any anonymous user who could deliver a specially-crafted message to WINS
    on an affected server could attempt to exploit this vulnerability. Any
    user who could establish a connection with an affected system by using the
    affected ports could attempt to exploit this vulnerability.

    How could an attacker exploit this vulnerability?
    An attacker could attempt to exploit this vulnerability by creating a
    specially-crafted network message and by sending the message to the
    affected system. On Windows Server 2003, receipt of such a message could
    cause the service to fail causing a denial of service.

    What systems are primarily at risk from the vulnerability?
    Only Windows systems that have been configured as WINS servers are
    vulnerable. Windows 2000 Professional and Windows XP cannot be configured
    as WINS servers. Therefore, these operating systems are not affected by
    this vulnerability.

    Could the vulnerability be exploited over the Internet?
    Yes. An attacker could attempt to exploit this vulnerability over the
    Internet. Firewall best practices and standard default firewall
    configurations can help protect against attacks that originate from the
    Internet. Microsoft has provided information about how you can help
    protect your PC. IT Professionals can visit the Security Guidance Center
    Web site.

    What does the update do?
    The update eliminates the vulnerability by changing the method that WINS
    uses to validate the name value before it passes the value to the
    allocated buffer.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft received information about this vulnerability through
    responsible disclosure. Microsoft had not received any information
    indicating that this vulnerability had been publicly disclosed when this
    security bulletin was originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    How does this vulnerability relate to the WINS Vulnerability that is
    corrected by MS04-006?
    Both vulnerabilities were in WINS. However, this update addresses a new
    vulnerability that was not addressed as part of MS04-006. MS04-006 helps
    protect against the vulnerability that is discussed in that bulletin, but
    does not address this new vulnerability. This update replaces MS04-006.
    You may install this update to help protect your system against both
    vulnerabilities.

    Association Context Vulnerability:
    A remote code execution vulnerability exists in WINS because of the way
    that it handles association context validation. An attacker could exploit
    the vulnerability by constructing a malicious network packet that could
    potentially allow remote code execution on an affected system. An attacker
    who successfully exploited this vulnerability could take complete control
    of an affected system. However, attempts to exploit this vulnerability
    would most likely result in a denial of service on Windows Server 2003.
    The service would have to be restarted to restore functionality.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1080>
    CAN-2004-1080

    Mitigating Factors for Association Context Vulnerability:
     * Firewall best practices and standard default firewall configurations
    can help protect networks from attacks that originate outside the
    enterprise perimeter. Best practices recommend that systems that are
    connected to the Internet have a minimal number of ports exposed.

     * By default, WINS is not installed on Windows NT Server 4.0, on Windows
    NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on
    Windows Server 2003. By default, WINS is installed and running on
    Microsoft Small Business Server 2000 and on Microsoft Windows Small
    Business Server 2003.

     * However, by default, on all versions of Microsoft Small Business
    Server, the WINS component communication ports are blocked from the
    Internet and WINS is available only on the local network.

     * On all affected operating systems, attempts to exploit this
    vulnerability would most likely result in a denial of service. On Windows
    Server 2003, the WINS service automatically restarts if it fails. After
    the third automatic restart, WINS requires a manual restart to restore
    functionality.

    Workarounds for Association Context Vulnerability:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.

     * Block TCP port 42 and UDP port 42 at your firewall.

    These ports are used to initiate a connection with a remote WINS server.
    Blocking these ports at the firewall will help prevent systems that are
    behind that firewall from being attacked by attempts to exploit this
    vulnerability. It is possible that other ports may be found that could be
    used to exploit this vulnerability. The ports that are listed are the most
    common attack vectors. We recommend blocking all inbound unsolicited
    communication from the Internet.
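    Both workaround sections (for the Name Validation and the Association Context vulnerabilities) recommend blocking TCP and UDP port 42 from the Internet and note that on Small Business Server WINS is reachable only on the local network. The C program below is an added example, not from the bulletin or from Microsoft, of how a defender might verify that this holds: it scans firewall log lines for allowed connections to port 42 whose source lies outside RFC 1918 and loopback space. The log line format and every sample line are constructed for this example rather than taken from any real product.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINS_PORT 42

/* Parse a dotted quad into a host-order 32-bit value; returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;                       /* too few octets or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* RFC 1918 ranges plus loopback count as "local network" in the bulletin's
 * sense; any other source is treated as coming from the Internet. */
int is_internal_ipv4(uint32_t ip)
{
    return (ip >> 24) == 10          /* 10.0.0.0/8 */
        || (ip >> 20) == 0xAC1       /* 172.16.0.0/12 */
        || (ip >> 16) == 0xC0A8      /* 192.168.0.0/16 */
        || (ip >> 24) == 127;        /* 127.0.0.0/8 */
}

struct flow {
    char action[8];
    char proto[4];
    uint32_t src, dst;
    unsigned sport, dport;
};

/* Parse one line of the constructed format
 *   <timestamp> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>
 * Returns 1 if the line parsed cleanly, 0 otherwise. */
int parse_flow(const char *line, struct flow *f)
{
    char src[16], dst[16];
    if (sscanf(line, "%*s %7s %3s %15[0-9.]:%u -> %15[0-9.]:%u",
               f->action, f->proto, src, &f->sport, dst, &f->dport) != 6)
        return 0;
    return parse_ipv4(src, &f->src) && parse_ipv4(dst, &f->dst);
}

/* A flow is an exposure when it was allowed, reached port 42 over TCP or
 * UDP, and originated outside the internal ranges. */
int is_wins_exposure(const struct flow *f)
{
    return f->dport == WINS_PORT
        && strcmp(f->action, "ALLOW") == 0
        && (strcmp(f->proto, "TCP") == 0 || strcmp(f->proto, "UDP") == 0)
        && !is_internal_ipv4(f->src);
}

/* Count exposures across an array of lines; unparsable lines are skipped. */
int count_wins_exposures(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct flow f;
        if (parse_flow(lines[i], &f) && is_wins_exposure(&f))
            hits++;
    }
    return hits;
}

/* Stand-alone demo on constructed log lines (not real firewall output). */
int main(void)
{
    static const char *const sample[] = {
        "2004-12-15T10:02:11Z ALLOW TCP 203.0.113.5:4412 -> 192.0.2.10:42",
        "2004-12-15T10:02:15Z ALLOW TCP 10.1.2.3:1025 -> 10.1.2.10:42",
        "2004-12-15T10:02:20Z DENY UDP 198.51.100.7:53001 -> 192.0.2.10:42",
        "2004-12-15T10:02:22Z ALLOW UDP 198.51.100.7:53001 -> 192.0.2.10:42",
        "2004-12-15T10:02:30Z ALLOW TCP 203.0.113.5:4413 -> 192.0.2.10:445",
        "garbage line",
    };
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++) {
        struct flow f;
        if (parse_flow(sample[i], &f) && is_wins_exposure(&f))
            printf("exposure: %s\n", sample[i]);
    }
    printf("%d exposed WINS flows\n", count_wins_exposures(sample, n));
    return 0;
}
```

Only allowed flows are reported, since a DENY on port 42 is the firewall doing its job; a non-zero count means the port-42 block the bulletin recommends is not in force for at least one external source, and the matching lines identify which rule or path let the traffic through.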

     * Remove WINS if you do not need it.

    In many organizations, WINS only provides services for legacy systems. If
    WINS is no longer needed, you could remove it by following this procedure.
    These steps apply only to Windows 2000 and later versions. For Windows NT
    4.0, follow the procedure that is included in the product documentation.

    To configure WINS components and services:

    1. Click Start, and then click Control Panel, open Add or Remove Programs.
    2. In the default Category View, click Add or Remove Programs.
    3. Click Add/Remove Windows Components.
    4. On the Windows Components Wizard page, under Components, click
    Networking Services, and then click Details.
    5. Click to clear the Windows Internet Naming Service (WINS) check box to
    remove WINS.
    6. Complete the Windows Components Wizard by following the instructions on
    the screen.

    Impact of Workaround:
    Many organizations require WINS to perform name registration and name
    resolution functions on their network. Administrators should not remove
    WINS unless they fully understand the effect that doing this will have on
    their network. For more information about WINS, see the WINS product
    documentation. Also, if an administrator is removing the WINS
    functionality from a server that will continue to provide shared resources
    on the network, the administrator must correctly reconfigure the system to
    use the remaining name resolution services within the local network. For
    more information about WINS visit the following Microsoft Web site. For
    more information about how to determine if you need NETBIOS or WINS name
    resolution and DNS configuration, visit the following Microsoft Web site.

     * On Windows 2000 Server and Windows Server 2003, use IPSec communication
    to secure traffic between WINS server replication partners.

    Use Internet Protocol Security (IPSec) to help protect network
    communications. For detailed information about how to use IPSec to help
    protect WINS from this issue, see Microsoft Knowledge Base Article 890710
    <http://support.microsoft.com/kb/890710>.

    Detailed information about IPSec and how to apply filters is available in
    Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base
    Article 813878.

    Impact of Workaround:
    If you set up IPSec incorrectly, you may cause serious WINS replication
    problems on your corporate network. For additional information about IPSec
    security considerations, visit the following Microsoft Web site.

    FAQ for Association Context Vulnerability:
    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. An attacker who
    successfully exploited this vulnerability could remotely take complete
    control of an affected system, including installing programs; viewing,
    changing, or deleting data; or creating new accounts that have full
    privileges. On Windows Server 2003, the most likely attack scenario is a
    denial of service. On Windows Server 2003, WINS restarts automatically when
    it fails. After the third automatic restart, WINS requires a manual
    restart to restore functionality. Restarting WINS allows the service to
    function correctly. However, WINS would remain vulnerable to another
    denial of service attack.

    What causes the vulnerability?
    The method used by WINS to validate association context data.

    What is the Windows Internet Naming Service?
    The Windows Internet Naming Service (WINS) maps IP addresses to NetBIOS
    computer names and vice versa. By using WINS servers, individuals can
    search for resources by computer name instead of by IP address. The
    benefits of WINS include the following:

     * Reduces NetBIOS-based broadcast traffic on subnets by permitting
    clients to query WINS servers to locate remote systems.

     * Supports earlier Windows and NetBIOS-based clients on the network by
    permitting them to browse lists for remote Windows domains without
    requiring a local domain controller on each subnet.

     * Supports Domain Name System (DNS)-based clients by enabling those
    clients to locate NetBIOS resources when WINS lookup integration is
    implemented.

    For more information about WINS, see the WINS product documentation.

    How do I know if I use WINS on my server?
    By default, WINS is not installed on Windows NT Server 4.0, on Windows NT
    Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows
    Server 2003. By default, WINS is installed and running on Microsoft Small
    Business Server 2000 and on Microsoft Windows Small Business Server 2003.
    You can determine if WINS is installed by following this procedure. These
    steps apply only to Windows 2000 and later versions. For Windows NT 4.0,
    follow the procedure that is included in the product documentation.

    To verify WINS components and services:

    1. Click Start, and then click Control Panel, open Add or Remove Programs.
    2. In the default Category View, click Add or Remove Programs.
    3. Click Add/Remove Windows Components.
    4. On the Windows Components Wizard page, under Components, click
    Networking Services, and then click Details.
    5. The Windows Internet Naming Service (WINS) check box indicates if WINS
    is installed.
    6. Click cancel several times to exit Add/Remove Windows Components.

    What is the association context?
    The association context is a data structure that WINS maintains to store
    connection information about WINS replication partners.

    What is wrong with the way that WINS validates the association context?
    It is possible for an attacker to send a specially-crafted packet that has
    invalid association context data. WINS uses this data without completely
    validating it. This leads to a condition that most likely results in the
    WINS service failing.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system. However, the most likely result
    could allow an attacker to cause WINS to stop responding to all requests
    on Windows Server 2003.

    Who could exploit the vulnerability?
    Any anonymous user who could deliver a specially-crafted message to WINS
    on an affected server could attempt to exploit this vulnerability. Any
    user who could establish a connection with an affected system by using the
    affected ports could attempt to exploit this vulnerability.

    How could an attacker exploit this vulnerability?
    An attacker could attempt to exploit this vulnerability by creating a
    specially-crafted network message and by sending the message to the
    affected system. Receipt of such a message could cause the service, most
    likely, to fail causing a denial of service.

    What systems are primarily at risk from the vulnerability?
    Only Windows systems that have been configured as WINS servers are
    vulnerable. Windows 2000 Professional and Windows XP cannot be configured
    as WINS servers. Therefore, these operating systems are not affected by
    this vulnerability.

    Could the vulnerability be exploited over the Internet?
    Yes. An attacker could attempt to exploit this vulnerability over the
    Internet. Firewall best practices and standard default firewall
    configurations can help protect against attacks that originate from the
    Internet. Microsoft has provided information about how you can help
    protect your PC. IT Professionals can visit the Security Guidance Center
    Web site.

    What does the update do?
    The update eliminates the vulnerability by changing the method that WINS
    uses to validate the association context before use.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    Yes. This vulnerability has been publicly disclosed. It has been assigned
    Common Vulnerability and Exposure number CAN-2004-1080. However, Microsoft
    also received information about this vulnerability through responsible
    disclosure and that researcher has received acknowledgment in this
    security bulletin.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had seen examples of proof of concept code published
    publicly but had not received any information to indicate that this
    vulnerability had been publicly used to attack customers when this
    security bulletin was originally issued.

    Does applying this security update help protect customers from the code
    that has been published publicly that attempts to exploit this
    vulnerability?
    Yes. This security update addresses the vulnerability that is currently
    being exploited. The vulnerability that has been addressed has been
    assigned the Common Vulnerability and Exposure number CAN-2004-1080.

    How does this vulnerability relate to the WINS Vulnerability that is
    corrected by MS04-006?
    Both vulnerabilities were in WINS. However, this update addresses a new
    vulnerability that was not addressed as part of MS04-006. MS04-006 helps
    protect against the vulnerability that is discussed in that bulletin, but
    does not address this new vulnerability. This update replaces MS04-006.
    You may install this update to help protect your system against both
    vulnerabilities.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

