|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Note VU#567620
Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message
OverviewA remotely exploitable vulnerability affects Microsoft Windows Systems. Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.
I. DescriptionA buffer overflow vulnerability exists in the Microsoft Workstation service. A remote attacker that can send a specially-crafted network message to the vulnerable system could exploit this vulnerability to execute arbitrary code with system privileges.
According to the Microsoft Bulletin, MS03-049, the following systems are affected:
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition
According to the Microsoft Bulletin, MS03-049, the following systems are NOT affected:
- Microsoft Windows NT Workstation 4.0, Service Pack 6a
- Microsoft Windows NT Server 4.0, Service Pack 6a
- Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
- Microsoft Windows Millennium Edition
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
Note that a proof of concept exploit has been posted publicly.
II. ImpactExploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.
III. SolutionApply the appropriate update for your system:
As a note in the Microsoft Advisory:
Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).
Note the following mitigation strategies from Microsoft's Advisory:
- If users have blocked inbound UDP ports 138, 139, 445 and TCP ports 138, 139, 445 by using a firewall an attacker would be prevented from sending messages to the Workstation service. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default.
- Disabling the Workstation service will prevent the possibility of attack. However there are a number of impacts when performing this workaround. Please see the Workaround section for more details.
- Only Windows 2000 and Window XP are affected. Other operating systems are not vulnerable to this attack.
Systems Affected
References
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
http://www.eeye.com/html/Research/Advisories/AD20031111.html
Credit
This issue was reported by eEye Digital Security and published in the monthly Microsoft Security Bulletin.
This document was written by Jason A Rafail.
Other Information
| Date Public: | 2003-11-11 |
| Date First Published: | 2003-11-11 |
| Date Last Updated: | 2003-11-12 |
| CERT Advisory: | CA-2003-28 |
| CVE-ID(s): | CAN-2003-0812 |
| NVD-ID(s): | CAN-2003-0812 |
| US-CERT Technical Alerts: | |
| Metric: | 45.56 |
| Document Revision: | 15 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader