[NT] Vulnerability in Message Queuing Allows Code Execution (MS05-017)

• Previous message: SecuriTeam: "[EXPL] Internet Explorer DHTML Arbitrary Code Execution (MS05-020)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 13 Apr 2005 14:06:53 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Vulnerability in Message Queuing Allows Code Execution (MS05-017)
------------------------------------------------------------------------

SUMMARY

"Microsoft Message Queuing technology enables applications that are
running at different times to communicate across heterogeneous networks
and across systems that may be temporarily offline. Applications send
messages to queues and read messages from queues. Message Queuing provides
guaranteed message delivery, efficient routing, security, and
priority-based messaging. It can be used to implement solutions for both
asynchronous and synchronous messaging scenarios."

A remote code execution vulnerability exists in the Message Queuing
component. By default, the Message Queuing component is not installed on
any affected operating system version. Only customers who manually
installed the Message Queuing component could be vulnerable to this issue.

DETAILS

Vulnerable Systems:
 * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4. (
<http://www.microsoft.com/downloads/details.aspx?FamilyId=99A8EE12-4BD6-43F5-A43F-124E0E2C2283> Download the update)

 * Microsoft Windows XP Service Pack 1. (
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D72B7198-93A8-4652-B505-8E51FC5EEAC3> Download the update)

 * Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium). (
<http://www.microsoft.com/downloads/details.aspx?FamilyId=9124BA48-73A8-4C94-AA46-CE9A9D1E1198> Download the update)

 * Microsoft Windows 98 and Microsoft Windows 98 Second Edition (SE).

Immune Systems:
 * Microsoft Windows XP Service Pack 2.
 * Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium).
 * Microsoft Windows Server 2003 and Windows Server 2003 Service Pack 1.
 * Microsoft Windows Server 2003 for Itanium-based Systems.
 * Microsoft Windows Millennium Edition (ME).

Mitigating Factors for Message Queuing Vulnerability:
 * By default, the Message Queuing component is not installed on any
affected operating system version. Only customers who manually install the
Message Queuing component are likely to be vulnerable to this issue.

 * Message Queuing installations that expose only MSMQ HTTP Message
Delivery to the Internet are not vulnerable.

 * For customers that require the affected component, firewall best
practices and standard default firewall configurations can help protect
networks from attacks that originate outside the enterprise perimeter.
Best practices recommend that systems that are connected to the Internet
have a minimal number of ports exposed.

Workarounds for Message Queuing Vulnerability:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Block the following at the firewall.
 * UDP ports 135, 137, 138, 445, 1801, and 3527, and TCP ports 135, 139,
445, 593, 1801, 2101, 2103, 2105, and 2107.

 * All unsolicited inbound traffic on ports greater than 1024.

 * Any other specifically configured RPC port.

These ports are used to initiate a connection with RPC. Blocking them at
the firewall will help protect systems that are behind that firewall from
attempts to exploit this vulnerability. Also, make sure that you block any
other specifically configured RPC port on the remote system. We recommend
that you block all unsolicited inbound communication from the Internet to
help prevent attacks that may use other ports. For more information about
ports that RPC uses, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21312> Web site.

Remove Message Queuing if you do not need it.
If you no longer need Message Queuing, remove it. To do this, follow these
steps. These steps apply only to Windows XP Service Pack 1. For Windows
2000, follow the procedure that is included in the product documentation.

Note Special permissions may be required to remove Message Queuing. For
more information, see the following
<http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_MSMQnode_install.htm> Message Queuing documentation.

1. Click, Start, and then click Control Panel.
2. Double-click, Add or Remove Programs.
3. In the default Category View, click Add or Remove Programs.
4. Click Add/Remove Windows Components.
5. On the Windows Components Wizard page, under Components, click to clear
the Message Queuing check box to remove Message Queuing, and then click
Next.
6. Complete the Windows Components Wizard by following the instructions on
the screen.

Impact of Workaround: Many organizations require Message Queuing to
perform important functions. Administrators should not remove Message
Queuing unless they fully understand the effect that doing this will have
on their environment. For more information about Message Queuing, see the
<http://www.microsoft.com/windows2000/technologies/communications/msmq/default.asp> Message Queuing product documentation.

FAQ for Message Queuing Vulnerability:
Q. What is the scope of the vulnerability?
A. This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

Q. What causes the vulnerability?
A. An unchecked buffer in the Message Queuing component.

Q. What is Message Queuing?
A. Microsoft Message Queuing technology enables applications that are
running at different times to communicate across heterogeneous networks
and across systems that may be temporarily offline. Applications send
messages to queues and read messages from queues. Message Queuing provides
guaranteed message delivery, efficient routing, security, and
priority-based messaging. It can be used to implement solutions for both
asynchronous and synchronous messaging scenarios. For more information
about Message Queuing, see the
<http://www.microsoft.com/windows2000/technologies/communications/msmq/default.asp> Message Queuing product documentation.

Q. What Microsoft applications use Message Queuing?
A. Message Queuing must be installed before you can install BizTalk Server
2000 or BizTalk Server 2002. Message Queuing is an optional component that
can be used by BizTalk Server 2004. Other Microsoft applications and
third-party applications may also use Message Queuing.

Q. What might an attacker use the vulnerability to do?
A. An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

Q. Who could exploit the vulnerability?
A. Any anonymous user who could deliver a specially crafted message to the
affected system could try to exploit this vulnerability.

Q. How could an attacker exploit the vulnerability?
A. An attacker could try to exploit the vulnerability by creating a
specially crafted message and sending the message to an affected system.
The message could then cause the affected system to execute code.

Q. What systems are primarily at risk from the vulnerability?
A. All systems that have Message Queuing installed are at risk from this
vulnerability. By default, the Message Queuing component is not installed
on any affected operating system version. Only customers who manually
install the Message Queuing component are likely to be vulnerable to this
issue.

Q. Could the vulnerability be exploited over the Internet?
A. Yes. An attacker could try to exploit this vulnerability over the
Internet by using RPC ports. Most Message Queuing deployments that are
available through the Internet use the MSMQ HTTP Message Delivery
component which is not vulnerable to this issue. Firewall best practices
and standard default firewall configurations can help protect against
attacks that originate from the Internet that use RPC.

Q. What does the update do?
A. The update removes the vulnerability by modifying the way that Message
Queuing validates the length of a message before it passes the message to
the allocated buffer.

Q. When this security bulletin was issued, had this vulnerability been
publicly disclosed?
A. No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

Q. When this security bulletin was issued, had Microsoft received any
reports that this vulnerability was being exploited?
A. No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0059>
CAN-2005-0059

ADDITIONAL INFORMATION

The original article can be found at: <Microsoft Security Bulletin
MS05-017> Microsoft Security Bulletin MS05-017
For more information about Message Queuing, see the
<http://www.microsoft.com/windows2000/technologies/communications/msmq/default.asp> Message Queuing product documentation.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Internet Explorer DHTML Arbitrary Code Execution (MS05-020)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]