[NT] Vulnerability in Windows Allows Information Disclosure (MS05-007)

From: SecuriTeam (support_at_securiteam.com)
Date: 02/09/05

  • Next message: SecuriTeam: "[NT] Vulnerability in Windows Shell Allows Remote Code Execution (MS05-008)" 
    To: list@securiteam.com
Date: 9 Feb 2005 18:24:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in Windows Allows Information Disclosure (MS05-007)
    ------------------------------------------------------------------------

    SUMMARY

    This is an information disclosure vulnerability. An attacker who
    successfully exploited this vulnerability could remotely read the user
    names for users who have an open connection to an available shared
    resource.

    DETAILS

    Affected Software:
    Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack
    2 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=B8C867C2-B7CD-4E2F-90E0-169B2C7125DC> Download the update
    Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=2F68945E-EEB8-42BC-A8AD-0D3991204889> Download the update

    Non-Affected Software:
    Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service
    Pack 4
    Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
    Microsoft Windows Server 2003
    Microsoft Windows Server 2003 for Itanium-based Systems
    Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    CVE Information:
    Named Pipe Vulnerability -
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0051>
    CAN-2005-0051

    Mitigating Factors:
     * Firewall best practices and standard default firewall configurations
    can help protect networks from attacks that originate outside the
    enterprise perimeter. Best practices recommend that systems that are
    connected to the Internet have a minimal number of ports exposed.
     * Stopping or disabling the Computer Browser service and then restarting
    the affected system mitigates this vulnerability. The information
    disclosure does not happen if this service is stopped or disabled. By
    default, the Computer Browser service is not running on Windows XP Service
    Pack 2. Windows XP Service Pack 2 systems that are members of a domain
    have the Computer Browser disabled. By default, on Windows XP Service Pack
    2 systems, that are not members of a domain, the Windows Firewall is
    enabled and the Computer Browser does not start. If the Windows Firewall
    is disabled or if File and Printer sharing is enabled, the Computer
    Browser service will start successfully and the system could be vulnerable
    to this issue.

    Workarounds:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    in the following section.
     * Disable the Computer Browser service
    Disabling the Computer Browser service and restarting the affected system
    will help protect from remote attempts to exploit this vulnerability.
    You can disable the Computer Browser service by following these steps:
    1.Click Start, and then click Control Panel (or point to Settings, and
    then click Control Panel).
    2.Double-click Administrative Tools.
    3.Double-click Services.
    4.Double-click Computer Browser Service.
    5.In the Startup type list, click Disabled.
    6.Click Stop, and then click OK.
    7.You must restart the affected system for this workaround to correction
    function.
    Impact of Workaround: If the Computer Browser service is disabled, any
    services that explicitly depend on the Computer Browser service may log an
    error message in the system event log. For more information about the
    Computer Browser service, see <http://support.microsoft.com/kb/188001>
    Microsoft Knowledge Base Article 188001.

     * Use the Group Policy settings to disable Computer Browser service on
    all affected systems that do not require this feature.
    Because the Computer Browser service is a possible attack vector, disable
    it by using the Group Policy settings. You can disable the startup of this
    service at the local, site, domain, or organizational unit level by using
    Group Policy object functionality in Windows 2000 domain environments or
    in Windows Server 2003 domain environments. For more information about how
    to disable this service through login scripts, see
    <http://support.microsoft.com/kb/297789> Microsoft Knowledge Base Article
    297789
    Note You may also review the Windows 2000 Security Hardening Guide. This
    guide includes information about how to disable services.
    For more information about Group Policy, visit the following Web sites:
     
    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx> Step-by-Step Guide to Understanding the Group Policy Feature Set
     
    <http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp> Windows 2000 Group Policy
     
    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx> Group Policy in Windows Server 2003

    Impact of Workaround: If the Computer Browser service is disabled, any
    services that explicitly depend on the Computer Browser service may log an
    error message in the system event log. For more information about the
    Computer Browser service, see Microsoft Knowledge Base Article 188001.

     * Block TCP ports 139 and 445 at the firewall:
    These ports are used to initiate a connection with the affected protocol.
    Blocking them at the firewall will help protect systems that are behind
    that firewall from attempts to exploit this vulnerability. We recommend
    that you block all unsolicited inbound communication from the Internet to
    help prevent attacks that may use other ports. For more information about
    the ports, visit the following
    <http://go.microsoft.com/fwlink/?LinkId=21312> Web site.

     * Use a personal firewall, such as the Internet Connection Firewall,
    which is included with Windows XP and do not enable "File and Printer
    Sharing for Microsoft Networks".

    By default, the Internet Connection Firewall feature in Windows XP helps
    protect your Internet connection by blocking unsolicited incoming traffic.
    We recommend that you block all unsolicited incoming communication from
    the Internet. If you have enabled File and Printer Sharing for Microsoft
    Networks this option will create an exception to allow communication on
    the affected ports and would still allow a system to be vulnerable to this
    issue even with the Internet Connection Firewall enabled. The File and
    Printer Sharing for Microsoft Networks exception should be removed to
    help protect against this vulnerability.
    To enable the Internet Connection Firewall feature by using the Network
    Setup Wizard, follow these steps:
    1.Click Start, and then click Control Panel.
    2.In the default Category View, click Network and Internet Connections,
    and then click Setup or change your home or small office network. The
    Internet Connection Firewall feature is enabled when you select a
    configuration in the Network Setup Wizard that indicates that your system
    is connected directly to the Internet.
    To configure Internet Connection Firewall manually for a connection,
    follow these steps:
    1. Click Start, and then click Control Panel.
    2. In the default Category View, click Networking and Internet
    Connections, and then click Network Connections.
    3. Right-click the connection on which you want to enable Internet
    Connection Firewall, and then click Properties.
    4. Click to deselect File and Printer Sharing for Microsoft Networks .
    5. Click the Advanced tab.
    6. Click to select the Protect my computer or network by limiting or
    preventing access to this computer from the Internet check box, and then
    click OK.
    Note If you want to enable certain programs and services to communicate
    through the firewall, click Settings on the Advanced tab, and then select
    the programs, the protocols, and the services that are required.

     * Enable advanced TCP/IP filtering on systems that support this feature.
    You can enable advanced TCP/IP filtering to block all unsolicited inbound
    traffic. For more information about how to configure TCP/IP filtering, see
     <http://support.microsoft.com/kb/309798> Microsoft Knowledge Base Article
    309798. While this documentation references Windows 2000, it also applies
    to Windows XP.

     * Block the affected ports by using IPSec on the affected systems.
    Use Internet Protocol security (IPSec) to help protect network
    communications. Detailed information about IPSec and about how to apply
    filters is available <http://support.microsoft.com/kb/313190> in
    Microsoft Knowledge Base Article 313190 and
    <http://support.microsoft.com/kb/813878> Microsoft Knowledge Base Article
    813878. While this documentation references Windows 2000, it also applies
    to Windows XP.

    Frequently Asked Questions:
    What is the scope of the vulnerability?
    This is an information disclosure vulnerability. An attacker who
    successfully exploited this vulnerability could remotely read the user
    names of users who have an open connection to a shared resource. Note that
    this vulnerability would not allow an attacker to execute code or to
    elevate their user rights directly, but it could be used to produce useful
    information that could be used to try to further compromise the affected
    system.

    What causes the vulnerability?
    The process that is used by the affected software to validate
    authentication information when a client establishes an anonymous logon by
    using a named pipe connection.

    What is a named pipe?
    Named pipes can be used to provide communication between processes on the
    same computer or between processes on different computers across a
    network. Typical named pipe resources include file shares and print
    shares. For more information about named pipes, visit the following
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipc/base/named_pipes.asp> MSDN Library Web site.

    How do I know if I use the Computer Browser service on my server?
    By default, the Computer Browser service is installed and running on
    Windows XP Service Pack 1. By default, the Computer Browser service is
    disabled on Windows XP Service Pack 2. You can determine if the Computer
    Browser service is installed by following this procedure.

    To verify the Computer Browser service:
    1. Click Start, click Programs, click Administrative Tools, and then click
    Services.
    2. Verify that the Computer Browser service is present.
    3. If the Computer Browser service is running, follow the instructions in
    the Workarounds section of this security bulletin to disable the
    service.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could remotely
    read the user names for users who have an open connection to an available
    shared resource.

    Who could exploit the vulnerability?
    Any anonymous user who could deliver a specially crafted request to the
    affected system could try to exploit this vulnerability.

    What systems are primarily at risk from the vulnerability?
    Windows XP is primarily at risk from this vulnerability. Other operating
    system versions perform additional validation on the communication
    request. This additional validation allows them to be able to successfully
    prevent anonymous connections. To perform this additional validation, they
    use registry settings such as RestrictAnonymous. This vulnerability allows
    communication with anonymous users on Windows XP even if the
    RestrictAnonymous registry setting is enabled. After you install the
    security update, the RestrictAnonymous registry setting on Windows XP will
    successfully block this kind of anonymous communication request. For more
    information about RestrictAnonymous, visit the following
    <http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/46688.asp> Microsoft Web site.

    Could the vulnerability be exploited over the Internet?
    Yes. An attacker could try to exploit this vulnerability over the
    Internet. Firewall best practices and standard default firewall
    configurations can help protect against attacks that originate from the
    Internet. Microsoft has provided information about how you can help
    protect your PC. End users can visit the
    <http://go.microsoft.com/fwlink/?LinkId=21169> Protect Your PC Web site.
    IT professionals can visit the
    <http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center
    Web site.

    What does the update do?
    The update removes the vulnerability by modifying the way that the process
    that is used by the affected software validates authentication
    information.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft received information about this vulnerability through
    responsible disclosure. Microsoft had not received any information to
    indicate that this vulnerability had been publicly disclosed when this
    security bulletin was originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information to indicate that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS05-007.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS05-007.mspx

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Vulnerability in Windows Shell Allows Remote Code Execution (MS05-008)"

    Relevant Pages