Vulnerability Note VU#567620

Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message

Original Release date: 11 Nov 2003 | Last revised: 12 Nov 2003

Overview

A remotely exploitable vulnerability affects Microsoft Windows Systems. Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.

Description

A buffer overflow vulnerability exists in the Microsoft Workstation service. A remote attacker that can send a specially-crafted network message to the vulnerable system could exploit this vulnerability to execute arbitrary code with system privileges.

According to the Microsoft Bulletin, MS03-049, the following systems are affected:

  • Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
  • Microsoft Windows XP, Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP 64-Bit Edition

According to the Microsoft Bulletin, MS03-049, the following systems are NOT affected:
  • Microsoft Windows NT Workstation 4.0, Service Pack 6a
  • Microsoft Windows NT Server 4.0, Service Pack 6a
  • Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
  • Microsoft Windows Millennium Edition
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 64-Bit Edition

Note that a proof of concept exploit has been posted publicly.

Impact

Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.

Solution

Apply the appropriate update for your system:


As a note in the Microsoft Advisory:
    Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).

Note the following mitigation strategies from Microsoft's Advisory:

  • If users have blocked inbound UDP ports 138, 139, 445 and TCP ports 138, 139, 445 by using a firewall an attacker would be prevented from sending messages to the Workstation service. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default.
  • Disabling the Workstation service will prevent the possibility of attack. However there are a number of impacts when performing this workaround. Please see the Workaround section for more details.
  • Only Windows 2000 and Window XP are affected. Other operating systems are not vulnerable to this attack.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-11 Nov 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This issue was reported by eEye Digital Security and published in the monthly Microsoft Security Bulletin.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: CAN-2003-0812
  • CERT Advisory: CA-2003-28
  • Date Public: 11 Nov 2003
  • Date First Published: 11 Nov 2003
  • Date Last Updated: 12 Nov 2003
  • Severity Metric: 45.56
  • Document Revision: 15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.