__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution
[MS03-043]
October 15, 2003 19:00 GMT Number O-004
[REVISED 17 Oct 2003]
[REVISED 30 Oct 2003]
______________________________________________________________________________
PROBLEM: A buffer overflow exists in the Messenger Service that could
allow arbitrary code execution on an affected system. Note that
this is not the Windows Messenger Instant Messaging Program.
SOFTWARE: MS Windows NT Workstation 4.0, Service Pack 6a
MS Windows NT Server 4.0, Service Pack 6a
MS Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
MS Windows 2000, Service Pack 2
MS Windows 2000, Service Pack 3, Service Pack 4
MS Windows XP Gold, Service Pack 1
MS Windows XP 64-bit Edition
MS Windows XP 64-bit Edition Version 2003
MS Windows Server 2003
MS Windows Server 2003 64-bit Edition
Internet Scanner XPU
System Scanner SR 3.22
Proventia A Series 22.1
RealSecure Network 22.1/2.20, 22.1
DAMAGE: An attacker would be able to run code with Local System
privileges and take any action on the system, including
installing programs, viewing, changing or deleting data, or
creating new accounts with full privileges.
SOLUTION: Customers should disable the Messenger Service immediately and
evaluate their need to deploy the patch.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is HIGH. The attacker could install
programs, view, change, or delete data, or create new accounts with
full privileges.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-004.shtml
ORIGINAL BULLETIN:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp
CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0717
ADDITIONAL LINKS: Internet Security Systems
http://xforce.iss.net/xforce/alerts/id/156
CERT Advisory CA-2003-27
http://www.cert.org/advisories/CA-2003-27.html
Symantec
http://securityresponse.symantec.com/avcenter/security/Content/8826.html
______________________________________________________________________________
REVISION HISTORY:
10/17/03 - updated to show that Internet Security Systems (ISS) has updated
packages for Internet Scanner, System Scanner, RealSecure Network
and Server, and Proventia; and added a link to Internet Security
Systems, CERT Advisory CA-2003-27, and Symantec.
10/30/03 - Microsoft released a revised security patch for Windows 2000,
Windows XP, and Windows Server 2003 to address the problem
described in their Knowledge Base Article #830846 where
installation of the previous patch may stop responding (hang).
The revised patch contains version 5.4.1.0 of Update.exe.
Version 5.4.1.0 or later versions of Update.exe no longer require
the Debug Programs user right.
[***** Start MS03-043 *****]
Microsoft Security Bulletin MS03-043
Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Issued: October 15, 2003
Version Number: 1.0
Summary
Who Should Read This Document: Customers using Microsoft® Windows®
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should disable the Messenger Service immediately and evaluate
their need to deploy the patch
Patch Replacement: None
Caveats: None
Tested Software and Patch Download Locations:
Affected Software:
* Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download the patch
* Microsoft Windows NT Server 4.0, Service Pack 6a - Download the patch
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 - Download the
patch
* Microsoft Windows 2000, Service Pack 2 - Download the patch
* Microsoft Windows 2000, Service Pack 3, Service Pack 4 - Download the patch
* Microsoft Windows XP Gold, Service Pack 1 - Download the patch
* Microsoft Windows XP 64-bit Edition - Download the patch
* Microsoft Windows XP 64-bit Edition Version 2003 - Download the patch
* Microsoft Windows Server 2003 - Download the patch
* Microsoft Windows Server 2003 64-bit Edition - Download the patch
Non Affected Software:
* Microsoft Windows Millennium Edition
The software listed above has been tested to determine if the versions are affected.
Other versions are no longer supported, and may or may not be affected.
Technical Details
Technical Description:
A security vulnerability exists in the Messenger Service that could allow arbitrary code
execution on an affected system. The vulnerability results because the Messenger Service
does not properly validate the length of a message before passing it to the allocated
buffer.
An attacker who successfully exploited this vulnerability could be able to run code with
Local System privileges on an affected system, or could cause the Messenger Service to
fail. The attacker could then take any action on the system, including installing programs,
viewing, changing or deleting data, or creating new accounts with full privileges.
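The bug class described above, as an added example that is not part of the Microsoft bulletin and is not the Messenger Service source: a service copies a message into a fixed-size buffer using the length the sender declared, and never compares that length with the buffer it owns. The wire layout (2-byte length then body), the 64-byte buffer, the 16-byte "tail" standing in for whatever follows the buffer in the frame, and all function names are assumptions made for this model. The vulnerable variant sits beside the hardened one so the missing check is visible; the hardened variant rejects an oversized body before touching the buffer, which is what "properly validate the length of a message before passing it to the allocated buffer" means in practice.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MSG_BUF    64   /* assumed size of the service's fixed message buffer */
#define FRAME_TAIL 16   /* models what follows it in the frame (saved registers, return address) */
#define FRAME_SIZE (MSG_BUF + FRAME_TAIL)
#define TAIL_FILL  0xCC /* sentinel written into the tail so an overwrite is visible */

/* Assumed wire layout for the model: 2-byte little-endian body length, then the body. */
struct wire_msg {
    const uint8_t *body;
    size_t len;           /* length declared by the sender */
};

/* Checks only that the declared length does not run past the bytes actually received.
   Both variants share this; it says nothing about whether the body fits MSG_BUF. */
static int parse_header(const uint8_t *pkt, size_t pkt_len, struct wire_msg *out)
{
    if (pkt_len < 2)
        return 0;
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    if (declared > pkt_len - 2)
        return 0;
    out->body = pkt + 2;
    out->len = declared;
    return 1;
}

/* Zeros the buffer and fills the tail with the sentinel. */
void frame_init(uint8_t frame[FRAME_SIZE])
{
    memset(frame, 0, MSG_BUF);
    memset(frame + MSG_BUF, TAIL_FILL, FRAME_TAIL);
}

/* Number of tail bytes that no longer hold the sentinel: how far a copy overran MSG_BUF. */
int frame_tail_clobbered(const uint8_t frame[FRAME_SIZE])
{
    int n = 0;
    for (int i = 0; i < FRAME_TAIL; i++)
        if (frame[MSG_BUF + i] != TAIL_FILL)
            n++;
    return n;
}

/* VULNERABLE variant: copies the body using the sender's declared length and never
   compares it with MSG_BUF. The only guard is a demo-only clamp that keeps the copy inside
   the flat array so the model stays within defined behaviour; a real service has no such
   clamp and the copy simply runs into whatever follows the buffer. */
int deliver_vulnerable(uint8_t frame[FRAME_SIZE], const uint8_t *pkt, size_t pkt_len)
{
    struct wire_msg m;
    if (!parse_header(pkt, pkt_len, &m))
        return -1;
    if (m.len > FRAME_SIZE)            /* demo-only clamp, not part of the bug class */
        return -1;
    memcpy(frame, m.body, m.len);      /* BUG: m.len may exceed MSG_BUF */
    return (int)m.len;
}

/* HARDENED variant: rejects a body that does not fit (leaving room for a terminator)
   before touching the buffer. Returns -2 for an oversized message. */
int deliver_hardened(uint8_t frame[FRAME_SIZE], const uint8_t *pkt, size_t pkt_len)
{
    struct wire_msg m;
    if (!parse_header(pkt, pkt_len, &m))
        return -1;
    if (m.len >= MSG_BUF)
        return -2;
    memcpy(frame, m.body, m.len);
    frame[m.len] = 0;
    return (int)m.len;
}

/* Builds a constructed test packet whose body is body_len bytes of 'A'.
   Returns the packet length, or 0 if it does not fit in out. */
size_t build_packet(uint8_t *out, size_t out_cap, size_t body_len)
{
    if (body_len > 0xFFFF || body_len + 2 > out_cap)
        return 0;
    out[0] = (uint8_t)(body_len & 0xFF);
    out[1] = (uint8_t)(body_len >> 8);
    memset(out + 2, 'A', body_len);
    return body_len + 2;
}

int main(void)
{
    uint8_t pkt[128], frame[FRAME_SIZE];
    size_t n = build_packet(pkt, sizeof pkt, 72);   /* 72 > MSG_BUF */
    frame_init(frame);
    printf("vulnerable: rc=%d, tail bytes clobbered=%d\n",
           deliver_vulnerable(frame, pkt, n), frame_tail_clobbered(frame));
    frame_init(frame);
    printf("hardened:   rc=%d, tail bytes clobbered=%d\n",
           deliver_hardened(frame, pkt, n), frame_tail_clobbered(frame));
    return 0;
}
```

With a 72-byte body the vulnerable path reports eight tail bytes overwritten, which in a real frame is the region an attacker aims at to redirect execution; the hardened path returns -2 and leaves the tail untouched. Note that `parse_header` alone is not a fix: it only proves the declared length is consistent with the packet, not that it fits the buffer, and a service that stops at that check is still exploitable.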
Mitigating factors:
* Messages are delivered to the Messenger service via NetBIOS or RPC. If users have
blocked the NetBIOS ports (ports 137-139) and UDP broadcast packets using a firewall,
others will not be able to send messages to them on those ports. Most firewalls,
including Internet Connection Firewall in Windows XP, block NetBIOS by default. Note
that this covers only the NetBIOS delivery path: RPC traffic is not carried on those
ports (the RPC endpoint mapper listens on port 135, with further dynamically assigned
ports), so a firewall that passes RPC still exposes the service.
* Disabling the Messenger Service will prevent the possibility of attack.
* On Windows Server 2003 systems, the Messenger Service is disabled by default.
Severity Rating:
* Windows NT 4.0 Critical
* Windows NT 4.0 Terminal Server Edition Critical
* Windows 2000 Critical
* Windows XP Critical
* Windows Server 2003 Moderate
The above assessment is based on the types of systems affected by the vulnerability, their
typical deployment patterns, and the effect that exploiting the vulnerability would have
on them.
Vulnerability identifier: CAN-2003-0717
Workarounds
Microsoft has tested the following workarounds. These workarounds will not correct the
underlying vulnerability however they help block known attack vectors. Workarounds may
cause a reduction in functionality in some cases – in such situations this is identified
below.
* Use a personal firewall such as Internet Connection Firewall (only available on XP and
Windows Server 2003).
If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003
to protect your Internet connection, it will by default block inbound RPC traffic from
the Internet.
To enable Internet Connection Firewall feature using the Network Setup Wizard:
1. Run the Network Setup Wizard. To access this wizard, point to Control Panel, double-
click Network and Internet Connections, and then click Setup or change your home or
small office network.
2. The Internet Connection Firewall is enabled when you choose a configuration in the
wizard that indicates that your computer is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection:
1. In Control Panel, double-click Networking and Internet Connections, and then click
Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click
Properties.
3. On the Advanced tab, click the box to select the option to Protect my computer or
network.
4. If you want to enable the use of some applications and services through the firewall,
you need to enable them by clicking the Settings button, and then selecting the
programs, protocols, and services to be enabled for the ICF configuration.
* Disable the Messenger Service
Disabling the messenger service will prevent the possibility of an attack. You can
disable the messenger service by performing the following:
1. Click Start, and then click Control Panel (or point to Settings, and then click
Control Panel).
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click Messenger.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.
Impact of Workaround: If the Messenger service is disabled, messages from the Alerter
service (for example notifications from your backup software or Uninterruptible Power
Supply) are not transmitted. If the Messenger service is disabled, any services that
explicitly depend on the Messenger service do not start, and an error message is logged
in the System event log.
Security Patch Information
Installation platforms and Prerequisites:
For information about the specific security patch for your platform, click the appropriate
link:
* Windows Server 2003 (all versions)
* Windows XP (all versions)
* Windows 2000
* Windows NT 4.0 (all versions)
Acknowledgments
Microsoft thanks the following for working with us to protect customers:
* The Last Stage of Delirium Research Group for reporting the issue in MS03-043.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
* Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site
Support:
* Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY.
There is no charge for support calls associated with security patches.
Security Resources:
* The Microsoft TechNet Security Web Site provides additional information about security
in Microsoft products.
* Microsoft Software Update Services: http://www.microsoft.com/sus/
* Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa.
Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of
security patches that have detection limitations with MBSA tool.
* Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
* Windows Update: http://windowsupdate.microsoft.com
* Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not
apply.
Revisions:
*V1.0 (October 15, 2003): Bulletin published.
[***** End MS03-043 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-153: New Worms and Helpful Computer Users
N-154: IBM DB2 Buffer Overflow Vulnerabilities
N-155: Red Hat Updated Perl packages fix security issues
N-156: ProFTPD ASCII File Remote Compromise Vulnerability
N-157: CERT/CC Vulnerability Note OpenSSH PAM challenge authentication failure
N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo