Original release date: November 11, 2003<br>
Last revised: <a href="#revisions">Nov. 20, 2003</a><br>
Source: CERT/CC<br>
<p>
A complete revision history is at the end of this file.
</p>
<br>
<h3>Systems Affected</h3>
<ul>
<li>Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service
Pack 4</li>
<li>Microsoft Windows XP</li>
<li>Microsoft Windows XP Service Pack 1</li>
<li> Microsoft Windows XP 64-Bit Edition</li>
</ul>
<br>
<a name="overview"></a>
<h2>Overview</h2>
<p>
A buffer overflow vulnerability exists in Microsoft's Windows Workstation
Service (WKSSVC.DLL).
<p>A remote attacker could exploit this vulnerability to execute arbitrary
code or cause a denial of
service.
</p>
<br>
<a name="description"></a>
<h2>I. Description</h2>
<p>Microsoft's Security Bulletin <a
href="http://www.microsoft.com/technet/security/bulletin/MS03-049.asp">MS03-049</a>
discusses a buffer overflow in Microsoft's Workstation Service that can be
exploited via a specially crafted network message.
<p>According to the eEye Digital Security Advisory <a
href="http://www.eeye.com/html/Research/Advisories/AD20031111.html">AD20031111</a>,
the vulnerability is caused by a flaw in the network management functions
of the DCE/RPC service and a logging function implemented in Workstation
Service (WKSSVC.DLL). Various RPC functions will permit the passing of
long strings to the <font face=courier>vsprintf()</font> routine that is
used to create log entries. The <font face=courier>vsprintf()</font>
routine contains no bounds checking for parameters thus creating a buffer
overflow situation.
<p>Two exploits and a proof-of-concept exploit have been reported for this
vulnerability.
<p>The CERT/CC is tracking this issue as <A
HREF="http://www.kb.cert.org/vuls/id/567620">VU#567620</A>. This
reference number corresponds to <A
HREF="http://www.cve.mitre.org/">CVE</A> candidate <A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0812">CAN-2003-0812</A>.</p>
<a name="impact"></a>
<h2>II. Impact</h2>
A remote attacker could exploit this vulnerability to execute
arbitrary code with system-level privileges or to cause a denial of
service. The exploit vector and impact for this vulnerability are
conducive to automated attacks such as worms.
<br>
<a name="solution"></a>
<h2>III. Solution</h2>
<h4>Apply a patch from your vendor</h4>
<p>
Apply the appropriate patch as specified in Microsoft Security Bulletin <a
href="http://microsoft.com/technet/security/bulletin/MS03-049.asp"
>MS03-049</a>. </p>
<p>
<a href="#vendors">Appendix A</a> contains additional information
provided by vendors for this advisory. As vendors report new
information to the CERT/CC, we will update this section and note
the changes in our revision history. If a particular vendor is
not listed below or in the individual <a
href="http://www.kb.cert.org/vuls/id/568148#systems">vulnerability
notes</a>, we have not received their comments. Please contact
your vendor directly.
</p>
<a name="solution.restrict"></a>
<h4>Restrict access</h4>
<p>
You may wish to block access from outside your network perimeter,
specifically by blocking access to TCP & UDP ports 138, 139, and
445. This will limit your exposure to attacks. However, blocking at
the network perimeter would still allow attackers within the perimeter
of your network to exploit the vulnerability. It is important to
understand your network's configuration and service requirements
before deciding what changes are appropriate.
</p>
<p>
The CERT/CC has confirmed that one exploit connects to TCP
port 445 on the victim machine to exploit this vulnerability. Once
exploitation is successful, it then listens on TCP port
4444. You may wish to monitor for this and other open ports as an
indication of exploitation.</p>
<a name="solution.disable"></a> <h4>Disable the Workstation Service</h4>
<p> Depending on site requirements, you may wish to disable the
Workstation Service as described in <a
href="http://microsoft.com/technet/security/bulletin/MS03-049.asp">MS03-049</a>.
Disabling the Workstation Service will help protect against this
vulnerability, but may also cause undesirable side effects. According to
the Microsoft's Security Bulletin, the impacts of disabling the
Workstation Service are as follows:
<blockquote>
"If the Workstation service is disabled, the system cannot connect to any
shared file resources or shared print resources on a network. Only use
this workaround on stand-alone systems (such as many home systems) that do
not connect to a network. If the Workstation service is disabled, any
services that explicitly depend on the Workstation service do not start,
and an error message is logged in the system event log. The following
services depend on the Workstation service:
<ul>
<li> Alerter
<li> Browser
<li> Messenger
<li> Net Logon
<li> RPC Locator
</ul>
<p>These services are required to access resources on a network and to
perform domain authentication. Internet connectivity and browsing for
stand-alone systems, such as users on dial-up connections, on DSL
connections, or on cable modem connections, should not be affected if
these services are disabled.
<p>Note: The Microsoft Baseline Security Analyzer will not function if the
Workstation service is disabled. It is possible that other applications
may also require the Workstation service. If an application requires the
Workstation service, simply re-enable the service. This can be performed
by changing the Startup Type for the Workstation service back to Automatic
and restarting the system."
</blockquote>
</p>
<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>
<p>
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we
will update this section and note the changes in our revision
history. If a particular vendor is not listed below or in the
individual <a
href="http://www.kb.cert.org/vuls/id/567620#systems">vulnerability
notes</a>, we have not received their comments.
</p>
<a name="microsoft">
<h4>Microsoft Corporation</h4>
<blockquote>
Microsoft has released <a
href="http://microsoft.com/technet/security/bulletin/MS03-049.asp"
>MS03-049</a>.
</blockquote>
<!-- end vendor -->
<p>
<hr noshade>
This vulnerability was discoved by eEye Digital Security and reported in
Microsoft Security Bulletin MS03-049.
<hr noshade>
<p>Author: <a
href="mailto:cert@cert.org?subject=CA-2003-28%20Feedback%20VU%23567620">Jason
A Rafail.</a>
<p></p>
<!--#include virtual="/include/footer_nocopyright2.html" -->
<p>Copyright 2003 Carnegie Mellon University.</p>
<p><a name="revisions">Revision History</a>
<tt><pre>
Nov 11, 2003: Initial release
Nov 20, 2003: Added information regarding exploits
</pre></tt>
</p>
|