[NT] Multiple Vulnerabilities in Windows Kernel Allows Elevation of Privilege and DoS (MS05-018)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/13/05

    To: list@securiteam.com
    Date: 13 Apr 2005 14:04:50 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Multiple Vulnerabilities in Windows Kernel Allows Elevation of Privilege
    and DoS (MS05-018)
    ------------------------------------------------------------------------

    SUMMARY

    Multiple vulnerabilities have been discovered in the Windows Kernel. The
    vulnerabilities are: a buffer overflow in the font processing component
    (privilege elevation), a privilege elevation in the kernel's handling of
    certain access requests, a buffer overflow in the object management
    component (denial of service), and a privilege elevation via CSRSS.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
    Service Pack 4
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=992C1BF9-A2C0-49D2-9059-A1DAD6703213> Download the update

     * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
    Pack 2
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=F0683E2B-8E8F-474F-B8D8-46C4C33FCE99> Download the update

     * Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=B52F9281-570F-4F7A-8DEF-5AEAB6E8E002> Download the update

     * Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=C51D6AD5-93BA-4717-A5DB-5CE78F70592E> Download the update

     * Microsoft Windows Server 2003
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=E66332D4-3952-428F-AC62-AC8124F8942A> Download the update

     * Microsoft Windows Server 2003 for Itanium-based Systems
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=C51D6AD5-93BA-4717-A5DB-5CE78F70592E> Download the update

     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    Immune Systems:
     * Microsoft Windows Server 2003 Service Pack 1
     * Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
     * Microsoft Windows Server 2003 x64 Edition
     * Microsoft Windows XP Professional x64 Edition

    Font Vulnerability:
    Buffer overflow in the font processing component of Microsoft Windows
    allows local users to gain privileges via a specially-designed
    application.

    Mitigating Factors for Font Vulnerability:
     * An attacker must have valid logon credentials and be able to log on
    locally to exploit this vulnerability. The vulnerability could not be
    exploited remotely or by anonymous users.
     * Attempts to exploit this vulnerability on systems that are running
    Windows XP Service Pack 2 would most likely result in a denial of service
    condition.

    Status of Windows 98, Windows 98 Second Edition and Windows Millennium
    Edition:
    Although Windows 98, Windows 98 Second Edition, and Windows Millennium
    Edition contain the affected component, the vulnerability is not critical.

    Windows Kernel Vulnerability:
    The kernel of Microsoft Windows allows local users to gain privileges via
    certain access requests.
    This vulnerability could allow a logged on user to take complete control
    of the system.

    Mitigating Factors for Windows Kernel Vulnerability:
     * An attacker must have valid logon credentials and be able to log on
    locally to exploit this vulnerability. The vulnerability could not be
    exploited remotely or by anonymous users.

    Status of Windows 98, Windows 98 Second Edition and Windows Millennium
    Edition:
    These systems are not affected by this vulnerability.

    Object Management Vulnerability:
    Buffer overflow in Microsoft Windows allows local users to cause a denial
    of service via a malformed request, also known as "Object Management
    Vulnerability".
    An attacker who exploited this vulnerability could cause the affected
    system to stop responding and automatically restart.

    Mitigating Factors for Object Management Vulnerability:
     * An attacker must have valid logon credentials and be able to log on
    locally to exploit this vulnerability. The vulnerability could not be
    exploited remotely or by anonymous users.
     * An attacker can cause the local system to stop responding. However,
    this vulnerability does not allow an attacker to execute code.

    Status of Windows 98, Windows 98 Second Edition and Windows Millennium
    Edition:
    Although Windows 98, Windows 98 Second Edition, and Windows Millennium
    Edition contain the affected component, the vulnerability is not critical.

    CSRSS Vulnerability:
    CSRSS is the user-mode part of the Win32 subsystem. Win32k.sys is the
    kernel-mode portion of the Win32 subsystem. The Win32 subsystem must be
    running at all times. CSRSS is responsible for console windows, for
    creating threads, for deleting threads, and for some parts of the 16-bit
    virtual MS-DOS environment. CSRSS services only those requests that other
    processes make on the same local computer.
    The Client Server Runtime System (CSRSS) process of Microsoft Windows
    allows local users to gain privileges via a specially-designed
    application.

    Mitigating Factors for CSRSS Vulnerability:
     * An attacker must have valid logon credentials and be able to log on
    locally to exploit this vulnerability. The vulnerability could not be
    exploited remotely or by anonymous users.
     * An attacker who successfully exploited this vulnerability could take
    complete control of an affected system, including installing programs;
    viewing, changing, or deleting data; or creating new accounts that have
    full privileges.

    Status of Windows 98, Windows 98 Second Edition and Windows Millennium
    Edition:
    These systems are not affected by this vulnerability.

    CVE Information:
     * CAN-2005-0060 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0060>
     * CAN-2005-0061 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0061>
     * CAN-2005-0550 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0550>
     * CAN-2005-0551 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0551>

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.microsoft.com/technet/security/Bulletin/MS05-018.mspx>
