US-CERT Vulnerability Notes Database


Vulnerability Note VU#650769

Microsoft Windows Server service buffer overflow

Overview

A stack-based buffer overflow exists in the Microsoft Server service. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

I. Description

Microsoft Server Service

MS06-040 includes the following information:

    The Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

Microsoft Remote Procedure Call (MS RPC) and Server Message Block (SMB)

RPC provides a mechanism that allows a program to execute a procedure on a remote system in a way that is transparent to the calling program. MS RPC is the Microsoft implementation of RPC. Windows services that use MS RPC may use SMB named pipes as the transport service for MS RPC calls.

The Problem

A stack-based buffer overflow exists in the Microsoft Server service. If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to trigger the buffer overflow.

Note that we have received reports that this vulnerability is actively being exploited.

More information, including a list of affected versions of Windows, is available in Microsoft Security Bulletin MS06-040. We have confirmed that this vulnerability affects Windows NT4. However, according to Microsoft Security Bulletin MS06-040:

    Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Windows NT4 users should observe the workarounds below as well as the recommendations in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with SYSTEM privileges.

III. Solution

Apply a patch from Microsoft

Microsoft addresses this vulnerability with the updates listed in Microsoft Security Bulletin MS06-040.

Microsoft has released a new version of Security Bulletin MS06-040 and the associated security updates. The new version corrects the problem described in Microsoft Knowledge Base Article 921883. Programs that request large amounts of contiguous memory running on Windows Server 2003 SP1 and Windows XP Professional x64 Edition systems with the previous version of the MS06-040 update installed could crash.

Until a patch can be applied, the following actions may reduce the chances of exploitation:

Block or Restrict Access

Block access to SMB services (139/tcp, 445/tcp) from untrusted networks such as the Internet.
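
One way to confirm the block is working is to audit firewall logs for SMB connections that were still allowed from outside. The following is an added example, not part of the original note: the key=value log format, the sample lines, and the trusted network ranges are constructed assumptions to be replaced with your own.

```python
import ipaddress

# Ports named in the workaround above: 139/tcp and 445/tcp.
SMB_PORTS = {139, 445}

# Assumption: networks this site treats as trusted; all other sources are untrusted.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2006-08-09T10:01:02 action=ALLOW proto=tcp src=10.1.2.3 dst=10.1.0.5 dport=445
2006-08-09T10:01:07 action=ALLOW proto=tcp src=203.0.113.77 dst=10.1.0.5 dport=445
2006-08-09T10:01:09 action=DENY proto=tcp src=198.51.100.4 dst=10.1.0.5 dport=139
2006-08-09T10:02:11 action=ALLOW proto=tcp src=198.51.100.4 dst=10.1.0.9 dport=139
2006-08-09T10:02:30 action=ALLOW proto=udp src=203.0.113.77 dst=10.1.0.5 dport=445
2006-08-09T10:03:00 action=ALLOW proto=tcp src=203.0.113.77 dst=10.1.0.8 dport=80
this line is malformed and must be skipped
"""

def is_trusted(addr):
    """True if addr falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def parse_line(line):
    """Return the key=value fields of one log line, or None if it is unusable."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    if not {"action", "proto", "src", "dst", "dport"} <= fields.keys():
        return None
    try:
        ipaddress.ip_address(fields["src"])      # reject unparsable source addresses
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields

def find_exposed_smb(log_text):
    """List (src, dst, dport) for SMB traffic the firewall allowed from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f and f["action"] == "ALLOW" and f["proto"] == "tcp"
                and f["dport"] in SMB_PORTS and not is_trusted(f["src"])):
            findings.append((f["src"], f["dst"], f["dport"]))
    return findings

if __name__ == "__main__":
    for src, dst, dport in find_exposed_smb(SAMPLE_LOG):
        print(f"SMB allowed from untrusted source: {src} -> {dst}:{dport}/tcp")
```

Any finding means a rule is still passing 139/tcp or 445/tcp from an untrusted network to the listed destination.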

Restrict anonymous access

Restrict anonymous SMB access. See Microsoft Knowledge Base Article 246261 for information about configuring anonymous access in Windows 2000. Note that this will not prevent authenticated users from exploiting this vulnerability, and may have adverse effects in mixed-mode domains. Anonymous SMB access to SAM accounts is restricted in Windows XP and Windows Server 2003 by default.

Other workarounds are available in Microsoft Security Bulletin MS06-040.

Systems Affected

Vendor                  Status      Date Updated
Microsoft Corporation   Vulnerable  3-Aug-2006

References

http://www.us-cert.gov/cas/techalerts/TA06-220A.html
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
http://support.microsoft.com/kb/246261/
http://support.microsoft.com/kb/328459/
http://blogs.technet.com/msrc/archive/2006/08/15/446848.aspx
http://www.microsoft.com/technet/security/topics/networksecurity/threatmi.mspx

Credit

This vulnerability was reported in Microsoft Security Bulletin MS06-040.

This document was written by Jeff Gennari.

Other Information

Date Public: 08/08/2006
Date First Published: 08/08/2006 01:28:00 PM
Date Last Updated: 09/18/2006
CERT Advisory:
CVE Name: CVE-2006-3439
US-CERT Technical Alerts:
Metric: 58.28
Document Revision: 81

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2006 by US-CERT, a government organization