[VulnWatch] Microsoft PCHealth 2003/XP Buffer Overflow (#NISR15102003)

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 10/16/03

  • Next message: Cesar: "[VulnWatch] Microsoft Local Troubleshooter ActiveX control buffer overflow"
    To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
    Date: Thu, 16 Oct 2003 12:21:12 +0100
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Microsoft PCHealth Buffer Overflow Vulnerability
    Systems Affected: Windows 2003 and XP
    Severity: Critical Risk
    Vendor URL: http://www.microsoft.com/
    Author: David Litchfield [ david@ngssoftware.com ]

    Date Vendor Notified: 23rd July 2003
    Date of Public Advisory: 15th October 2003
    Advisory number: #NISR15102003
    Advisory URL: http://www.ngssoftware.com/advisories/ms-pchealth.txt

    Description
    ***********
    Microsoft Windows 2003 Server and Windows XP provide a support and
    troubleshooting facility called PCHealth. PCHealth provides users
    with information on how to deal with any problems they may
    experience. PCHealth contains search functionality allowing users
    to search using keywords. The Search engine runs as a system service
    and is vulnerable to an exploitable stack based buffer overflow
    condition.

    Details
    *******
    The PCHealth system can be launched in several different ways. It can be
    launched via an HTML document rendered in Internet Explorer or Outlook using
    the HCP protocol or via DCOM. This presents remote attackers with several
    vectors to launch an attack; however the latter requires administrative
    privileges already so is not a likely attack vector. It is listed for the
    sake of completeness. Local attackers can, of course, also exploit this
    vulnerability to gain control of the system. The vulnerability is a stack
    based buffer overflow triggered by an overly long query and exists in the
    Help Service (helpsvc.exe) which is started by svchost.exe. As the instance
    of svchost that runs the Help and Support service is also responsible for
    running other services that require SYSTEM privileges it is not possible
    to help mitigate the risk by setting a low privileged account to run
    this service. In the absence of a patch it is suggested that the Help and
    Support service be disabled until the patch can be applied.

    Notes on Windows 2003
    *********************
    Despite the stack protection built into Windows 2003 (through Visual C++
    .NET) this overflow can still be exploited. (Please read the following paper
    for more details -
    http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf )

    That said, by default, the security settings of Internet Explorer and
    Outlook Express on Windows 2003 mitigate the risk these systems are exposed
    to via the HTML vector. Local low privileged attackers can still exploit
    this to gain control but best practices dictate that only administrators
    should be allowed to log on to servers. Provided these precautions have been
    followed (or left in place) then the risk posed to Windows 2003 Servers is
    reduced somewhat. That said NGSS advises that the patch still be applied
    once proper testing of the patch has been done.

    Fix Information
    ***************

    Microsoft have supplied a patch for this problem that can be downloaded
    from:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    bulletin/MS03-041.asp

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com


  • Next message: Cesar: "[VulnWatch] Microsoft Local Troubleshooter ActiveX control buffer overflow"

    Relevant Pages

    • Re: Will 839645 disable this?
      ... Check out the salary for Risk Analysis professionals. ... >> technology that is in those systems, still apply to Windows 2000. ... >> to install a security update in the offchance and likely remote ... Many security updates are NOT remote ...
      (microsoft.public.win2000.general)
    • Microsoft PCHealth 2003/XP Buffer Overflow (#NISR15102003)
      ... NGSSoftware Insight Security Research Advisory ... Microsoft PCHealth Buffer Overflow Vulnerability ... Systems Affected: Windows 2003 and XP ... Severity: Critical Risk ...
      (NT-Bugtraq)
    • where are you microsoft? why still no wifi activesync 4??
      ... with so much focus on the delays of windows vista... ... over activesync to regular pcs is "security" reasons. ... of a security risk here than a bunch of open TCP ports... ... microsoft seriously punish its users like this? ...
      (microsoft.public.pocketpc)
    • Microsoft PCHealth 2003/XP Buffer Overflow (#NISR15102003)
      ... NGSSoftware Insight Security Research Advisory ... Microsoft PCHealth Buffer Overflow Vulnerability ... Systems Affected: Windows 2003 and XP ... Severity: Critical Risk ...
      (Bugtraq)
    • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
      ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
      (Securiteam)