[NT] Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name Validation, Association Context)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/15/04
To: list@securiteam.com Date: 15 Dec 2004 17:07:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name
Validation, Association Context)
------------------------------------------------------------------------
SUMMARY
This update resolves several newly-discovered, public and privately
reported vulnerabilities. An attacker who successfully exploited the most
severe of these vulnerabilities could take complete control of an affected
system, including installing programs; viewing, changing, or deleting
data; or creating new accounts that have full privileges.
DETAILS
Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=38E9DB8C-5C43-4E9A-9DC9-97C2686A45F1>
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D7AB3F6F-26FE-4AE8-A07A-481D772D03A6>
* Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000 Server Service Pack 4 - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=40146B52-5546-489E-857E-01FE1EF709B2>
* Microsoft Windows Server 2003 - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=10836F38-A38B-47D5-B87B-18D8E26EEFAA>
* Microsoft Windows Server 2003 64-Bit Edition - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=06CF9E85-C66D-4A7D-B2EB-99DE9423B60F>
Non-Affected Software:
* Microsoft Windows 2000 Professional Service Pack 3 and Microsoft
Windows 2000 Professional Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
Name Validation Vulnerability:
A remote code execution vulnerability exists in WINS because of the way
that it handles computer name validation. An attacker could exploit the
vulnerability by constructing a malicious network packet that could
potentially allow remote code execution on an affected system. An attacker
who successfully exploited this vulnerability could take complete control
of an affected system.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0567>
CAN-2004-0567
Mitigating Factors for Name Validation Vulnerability:
* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.
* By default, WINS is not installed on Windows NT Server 4.0, on Windows
NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on
Windows Server 2003. By default, WINS is installed and running on
Microsoft Small Business Server 2000 and on Microsoft Windows Small
Business Server 2003.
* However, by default, on all versions of Microsoft Small Business
Server, the WINS component communication ports are blocked from the
Internet and WINS is available only on the local network.
* On Windows Server 2003, attempts to exploit this vulnerability would
most likely result in a denial of service. The WINS service automatically
restarts if it fails. After the third automatic restart, WINS requires a
manual restart to restore functionality.
Workarounds for Name Validation Vulnerability:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
below.
* Block TCP port 42 and UDP port 42 at your firewall.
These ports are used to initiate a connection with a remote WINS server.
Blocking these ports at the firewall will help prevent systems that are
behind that firewall from being attacked by attempts to exploit this
vulnerability. It is possible that other ports may be found that could be
used to exploit this vulnerability. The ports that are listed are the most
common attack vectors. We recommend blocking all inbound unsolicited
communication from the Internet.
* Remove WINS if you do not need it.
In many organizations, WINS only provides services for legacy systems. If
WINS is no longer needed, you could remove it by following this procedure.
These steps apply only to Windows 2000 and later versions. For Windows NT
4.0, follow the procedure that is included in the product documentation.
To configure WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click
Networking Services, and then click Details.
5. Click to clear the Windows Internet Naming Service (WINS) check box to
remove WINS.
6. Complete the Windows Components Wizard by following the instructions on
the screen.
Impact of Workaround:
Many organizations require WINS to perform name registration and name
resolution functions on their network. Administrators should not remove
WINS unless they fully understand the effect that doing this will have on
their network. For more information about WINS, see the WINS product
documentation. Also, if an administrator is removing the WINS
functionality from a server that will continue to provide shared resources
on the network, the administrator must correctly reconfigure the system to
use the remaining name resolution services within the local network. For
more information about WINS visit the following Microsoft Web site. For
more information about how to determine if you need NETBIOS or WINS name
resolution and DNS configuration, visit the following Microsoft Web site.
* On Windows 2000 Server and Windows Server 2003, use IPSec communication
to secure traffic between WINS server replication partners.
Use Internet Protocol Security (IPSec) to help protect network
communications. For detailed information about how to use IPSec to help
protect WINS from this issue, see Microsoft Knowledge Base Article 890710.
Detailed information about IPSec and how to apply filters is available in
Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base
Article 813878.
Impact of Workaround:
If you set up IPSec incorrectly, you may cause serious WINS replication
problems on your corporate network. For additional information about IPSec
security considerations, visit the following Microsoft Web site.
FAQ for Name Validation Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system, including installing programs; viewing,
changing, or deleting data; or creating new accounts that have full
privileges.
On Windows Server 2003, the most likely attack scenario is a denial of
service. An attacker who successfully exploited this vulnerability could
cause WINS to fail on Windows Server 2003. On Windows Server 2003, WINS
restarts automatically when it fails. After the third automatic restart,
WINS requires a manual restart to restore functionality. Restarting WINS
allows the service to function correctly. However, WINS could remain
vulnerable to another denial of service attack.
What causes the vulnerability?
An unchecked buffer in the method that WINS uses to validate the Name
value in a specially-crafted packet.
The possibility of a denial of service on Windows Server 2003 results from
the presence of a security feature that was used in the development of
Windows Server 2003. This security feature detects when an attempt is made
to exploit a stack-based buffer overrun and reduces the chance that it can
be easily exploited. This security feature can be forced to terminate the
service to prevent malicious code execution. On Windows Server 2003, when
an attempt is made to exploit the buffer overrun, the security feature
reacts and terminates the service. This results in a denial of service
condition of WINS. Because it is possible that methods may be found in the
future to bypass this security feature, which could then enable code
execution, customers should apply the update. For more information about
these security features, visit the following Web site.
What is the Windows Internet Naming Service?
The Windows Internet Naming Service (WINS) maps IP addresses to NetBIOS
computer names and vice versa. By using WINS servers, individuals can
search for resources by computer name instead of by IP address. The
benefits of WINS include the following:
* Reduces NetBIOS-based broadcast traffic on subnets by permitting
clients to query WINS servers to locate remote systems.
* Supports earlier Windows and NetBIOS-based clients on the network by
permitting them to browse lists for remote Windows domains without
requiring a local domain controller on each subnet.
* Supports Domain Name System (DNS)-based clients by enabling those
clients to locate NetBIOS resources when WINS lookup integration is
implemented.
For more information about WINS, see the WINS product documentation.
How do I know if I use WINS on my server?
By default, WINS is not installed on Windows NT Server 4.0, on Windows NT
Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows
Server 2003. By default, WINS is installed and running on Microsoft Small
Business Server 2000 and on Microsoft Windows Small Business Server 2003.
You can determine if WINS is installed by following this procedure. These
steps apply only to Windows 2000 and later versions. For Windows NT 4.0,
follow the procedure that is included in the product documentation.
To verify WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click
Networking Services, and then click Details.
5. The Windows Internet Naming Service (WINS) check box indicates if WINS
is installed.
6. Click Cancel several times to exit Add/Remove Windows Components.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system. The vulnerability, if exploited,
could allow an attacker to cause WINS on Windows Server 2003 to stop
responding to all requests.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted message to WINS
on an affected server could attempt to exploit this vulnerability. Any
user who could establish a connection with an affected system by using the
affected ports could attempt to exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by creating a
specially-crafted network message and by sending the message to the
affected system. On Windows Server 2003, receipt of such a message could
cause the service to fail, resulting in a denial of service.
What systems are primarily at risk from the vulnerability?
Only Windows systems that have been configured as WINS servers are
vulnerable. Windows 2000 Professional and Windows XP cannot be configured
as WINS servers. Therefore, these operating systems are not affected by
this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. IT Professionals can visit the Security Guidance Center
Web site.
What does the update do?
The update eliminates the vulnerability by changing the method that WINS
uses to validate the name value before it passes the value to the
allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
How does this vulnerability relate to the WINS Vulnerability that is
corrected by MS04-006?
Both vulnerabilities were in WINS. However, this update addresses a new
vulnerability that was not addressed as part of MS04-006. MS04-006 helps
protect against the vulnerability that is discussed in that bulletin, but
does not address this new vulnerability. This update replaces MS04-006.
You may install this update to help protect your system against both
vulnerabilities.
Association Context Vulnerability:
A remote code execution vulnerability exists in WINS because of the way
that it handles association context validation. An attacker could exploit
the vulnerability by constructing a malicious network packet that could
potentially allow remote code execution on an affected system. An attacker
who successfully exploited this vulnerability could take complete control
of an affected system. However, attempts to exploit this vulnerability
would most likely result in a denial of service on Windows Server 2003.
The service would have to be restarted to restore functionality.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1080>
CAN-2004-1080
Mitigating Factors for Association Context Vulnerability:
* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.
* By default, WINS is not installed on Windows NT Server 4.0, on Windows
NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on
Windows Server 2003. By default, WINS is installed and running on
Microsoft Small Business Server 2000 and on Microsoft Windows Small
Business Server 2003.
* However, by default, on all versions of Microsoft Small Business
Server, the WINS component communication ports are blocked from the
Internet and WINS is available only on the local network.
* On all affected operating systems, attempts to exploit this
vulnerability would most likely result in a denial of service. On Windows
Server 2003, the WINS service automatically restarts if it fails. After
the third automatic restart, WINS requires a manual restart to restore
functionality.
Workarounds for Association Context Vulnerability:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
below.
* Block TCP port 42 and UDP port 42 at your firewall.
These ports are used to initiate a connection with a remote WINS server.
Blocking these ports at the firewall will help prevent systems that are
behind that firewall from being attacked by attempts to exploit this
vulnerability. It is possible that other ports may be found that could be
used to exploit this vulnerability. The ports that are listed are the most
common attack vectors. We recommend blocking all inbound unsolicited
communication from the Internet.
* Remove WINS if you do not need it.
In many organizations, WINS only provides services for legacy systems. If
WINS is no longer needed, you could remove it by following this procedure.
These steps apply only to Windows 2000 and later versions. For Windows NT
4.0, follow the procedure that is included in the product documentation.
To configure WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click
Networking Services, and then click Details.
5. Click to clear the Windows Internet Naming Service (WINS) check box to
remove WINS.
6. Complete the Windows Components Wizard by following the instructions on
the screen.
Impact of Workaround:
Many organizations require WINS to perform name registration and name
resolution functions on their network. Administrators should not remove
WINS unless they fully understand the effect that doing this will have on
their network. For more information about WINS, see the WINS product
documentation. Also, if an administrator is removing the WINS
functionality from a server that will continue to provide shared resources
on the network, the administrator must correctly reconfigure the system to
use the remaining name resolution services within the local network. For
more information about WINS visit the following Microsoft Web site. For
more information about how to determine if you need NETBIOS or WINS name
resolution and DNS configuration, visit the following Microsoft Web site.
* On Windows 2000 Server and Windows Server 2003, use IPSec communication
to secure traffic between WINS server replication partners.
Use Internet Protocol Security (IPSec) to help protect network
communications. For detailed information about how to use IPSec to help
protect WINS from this issue, see Microsoft Knowledge Base Article 890710
<http://support.microsoft.com/kb/890710>.
Detailed information about IPSec and how to apply filters is available in
Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base
Article 813878.
Impact of Workaround:
If you set up IPSec incorrectly, you may cause serious WINS replication
problems on your corporate network. For additional information about IPSec
security considerations, visit the following Microsoft Web site.
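An added example, not part of the bulletin, that turns the two firewall workarounds listed for both the Name Validation and the Association Context vulnerability (block TCP/UDP port 42 from the Internet; restrict port 42 to WINS replication partners) into a log audit. It scans constructed firewall log lines for allowed flows to port 42 on a WINS server and flags any that come from outside private address space or from a host that is not a known replication partner. The key=value log format, the addresses and the partner list are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Port the bulletin names as the WINS attack vector (TCP and UDP 42).
WINS_PORTS = {42}

# Constructed allowlist of WINS replication partners (hypothetical addresses).
REPLICATION_PARTNERS = {"10.0.0.5", "10.0.1.5"}

# Constructed firewall log lines in a simple key=value form (not a real product format).
SAMPLE_LOG = """\
ts=2004-12-15T10:01:02Z action=allow proto=tcp src=10.0.1.5 sport=1044 dst=10.0.0.5 dport=42
ts=2004-12-15T10:01:09Z action=allow proto=tcp src=10.0.7.22 sport=3301 dst=10.0.0.5 dport=42
ts=2004-12-15T10:02:31Z action=allow proto=udp src=198.51.100.7 sport=53 dst=10.0.0.5 dport=42
ts=2004-12-15T10:02:45Z action=allow proto=tcp src=198.51.100.9 sport=4111 dst=10.0.0.5 dport=139
ts=2004-12-15T10:03:00Z action=deny proto=tcp src=203.0.113.4 sport=2222 dst=10.0.0.5 dport=42
"""

# RFC 1918 ranges stand in for "the local network" the bulletin refers to.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one key=value log line into a dict; ports become ints."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def is_internal(ip):
    """True if the address lies in private (RFC 1918) space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def classify(rec):
    """Label one *allowed* flow to a WINS port, or return None if it is fine."""
    if rec["action"] != "allow" or rec["dport"] not in WINS_PORTS:
        return None
    if not is_internal(rec["src"]):
        # Workaround 1 violated: port 42 is reachable from the Internet.
        return "EXTERNAL_TO_WINS"
    if rec["src"] not in REPLICATION_PARTNERS:
        # What the IPSec workaround is meant to enforce: only partners use port 42.
        return "NON_PARTNER_TO_WINS"
    return None


def audit(log_text):
    """Return (label, proto, src, dst) for every flagged flow, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append((label, rec["proto"], rec["src"], rec["dst"]))
    return findings


def summarize(findings):
    """Count findings per label so a daily report can be eyeballed quickly."""
    return dict(Counter(label for label, *_ in findings))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("%-20s %s %s -> %s" % f)
    print(summarize(audit(SAMPLE_LOG)))
```

Denied flows are skipped on purpose: the firewall already did its job there, and only allowed traffic tells you whether the workaround is actually in place.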
FAQ for Association Context Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system, including installing programs; viewing,
changing, or deleting data; or creating new accounts that have full
privileges. On Windows Server 2003, the most likely attack scenario is a
denial of service. On Windows Server 2003 WINS restarts automatically when
it fails. After the third automatic restart, WINS requires a manual
restart to restore functionality. Restarting WINS allows the service to
function correctly. However, WINS would remain vulnerable to another
denial of service attack.
What causes the vulnerability?
The method used by WINS to validate association context data.
What is the Windows Internet Naming Service?
The Windows Internet Naming Service (WINS) maps IP addresses to NetBIOS
computer names and vice versa. By using WINS servers, individuals can
search for resources by computer name instead of by IP address. The
benefits of WINS include the following:
* Reduces NetBIOS-based broadcast traffic on subnets by permitting
clients to query WINS servers to locate remote systems.
* Supports earlier Windows and NetBIOS-based clients on the network by
permitting them to browse lists for remote Windows domains without
requiring a local domain controller on each subnet.
* Supports Domain Name System (DNS)-based clients by enabling those
clients to locate NetBIOS resources when WINS lookup integration is
implemented.
For more information about WINS, see the WINS product documentation.
How do I know if I use WINS on my server?
By default, WINS is not installed on Windows NT Server 4.0, on Windows NT
Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows
Server 2003. By default, WINS is installed and running on Microsoft Small
Business Server 2000 and on Microsoft Windows Small Business Server 2003.
You can determine if WINS is installed by following this procedure. These
steps apply only to Windows 2000 and later versions. For Windows NT 4.0,
follow the procedure that is included in the product documentation.
To verify WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click
Networking Services, and then click Details.
5. The Windows Internet Naming Service (WINS) check box indicates if WINS
is installed.
6. Click Cancel several times to exit Add/Remove Windows Components.
What is the association context?
The association context is a data structure that WINS maintains to store
connection information about WINS replication partners.
What is wrong with the way that WINS validates the association context?
It is possible for an attacker to send a specially-crafted packet that has
invalid association context data. WINS uses this data without completely
validating it. This leads to a condition that most likely results in the
WINS service failing.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system. However, the most likely result
is that an attacker causes WINS on Windows Server 2003 to stop responding
to all requests.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted message to WINS
on an affected server could attempt to exploit this vulnerability. Any
user who could establish a connection with an affected system by using the
affected ports could attempt to exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by creating a
specially-crafted network message and by sending the message to the
affected system. Receipt of such a message would most likely cause the
service to fail, resulting in a denial of service.
What systems are primarily at risk from the vulnerability?
Only Windows systems that have been configured as WINS servers are
vulnerable. Windows 2000 Professional and Windows XP cannot be configured
as WINS servers. Therefore, these operating systems are not affected by
this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. IT Professionals can visit the Security Guidance Center
Web site.
What does the update do?
The update eliminates the vulnerability by changing the method that WINS
uses to validate the association context before use.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure number CAN-2004-1080. However, Microsoft
also received information about this vulnerability through responsible
disclosure and that researcher has received acknowledgment in this
security bulletin.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information to indicate that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.
Does applying this security update help protect customers from the code
that has been published publicly that attempts to exploit this
vulnerability?
Yes. This security update addresses the vulnerability that is currently
being exploited. The vulnerability that has been addressed has been
assigned the Common Vulnerability and Exposure number CAN-2004-1080.
How does this vulnerability relate to the WINS Vulnerability that is
corrected by MS04-006?
Both vulnerabilities were in WINS. However, this update addresses a new
vulnerability that was not addressed as part of MS04-006. MS04-006 helps
protect against the vulnerability that is discussed in that bulletin, but
does not address this new vulnerability. This update replaces MS04-006.
You may install this update to help protect your system against both
vulnerabilities.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.