__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                         INFORMATION BULLETIN

       Microsoft Buffer Overrun in Messenger Service Could Allow
                      Code Execution [MS03-043]

October 15, 2003 19:00 GMT                                       Number O-004
                                                       [REVISED 17 Oct 2003]
                                                       [REVISED 30 Oct 2003]
______________________________________________________________________________

PROBLEM:       A buffer overflow exists in the Messenger Service that could
               allow arbitrary code execution on an affected system. Note
               that this is not the Windows Messenger instant messaging
               program.

SOFTWARE:      MS Windows NT Workstation 4.0, Service Pack 6a
               MS Windows NT Server 4.0, Service Pack 6a
               MS Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
               MS Windows 2000, Service Pack 2
               MS Windows 2000, Service Pack 3, Service Pack 4
               MS Windows XP Gold, Service Pack 1
               MS Windows XP 64-bit Edition
               MS Windows XP 64-bit Edition Version 2003
               MS Windows Server 2003
               MS Windows Server 2003 64-bit Edition

               ISS products with updated packages (see revision history):
               Internet Scanner XPU
               System Scanner SR 3.22
               Proventia A Series 22.1
               RealSecure Network 22.1/2.20, 22.1

DAMAGE:        An attacker would be able to run code with Local System
               privileges and take any action on the system, including
               installing programs; viewing, changing or deleting data;
               or creating new accounts with full privileges.

SOLUTION:      Customers should disable the Messenger Service immediately
               and evaluate their need to deploy the patch.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. The attacker could install programs; view,
ASSESSMENT:    change, or delete data; or create new accounts with full
               privileges.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-004.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=
                     /technet/security/bulletin/MS03-043.asp
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2003-0717
 ADDITIONAL LINKS:   Internet Security Systems
                     http://xforce.iss.net/xforce/alerts/id/156
                     CERT Advisory CA-2003-27
                     http://www.cert.org/advisories/CA-2003-27.html
                     Symantec
                     http://securityresponse.symantec.com/avcenter/security/
                     Content/8826.html
______________________________________________________________________________

REVISION HISTORY:
 10/17/03 - Updated to show that Internet Security Systems (ISS) has updated
            packages for Internet Scanner, System Scanner, RealSecure Network
            and Server, and Proventia; added links to Internet Security
            Systems, CERT Advisory CA-2003-27, and Symantec.
 10/30/03 - Microsoft released a revised security patch for Windows 2000,
            Windows XP, and Windows Server 2003 to address the problem
            described in Knowledge Base Article #830846, where installation
            of the previous patch may stop responding (hang). The revised
            patch contains version 5.4.1.0 of Update.exe. Version 5.4.1.0 or
            later of Update.exe no longer requires the Debug Programs user
            right.
[***** Start MS03-043 *****]

Microsoft Security Bulletin MS03-043

Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

Issued: October 15, 2003
Version Number: 1.0

Summary

Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should disable the Messenger Service immediately
and evaluate their need to deploy the patch

Patch Replacement: None

Caveats: None

Tested Software and Patch Download Locations:

Affected Software:
  * Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download the patch
  * Microsoft Windows NT Server 4.0, Service Pack 6a - Download the patch
  * Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
    - Download the patch
  * Microsoft Windows 2000, Service Pack 2 - Download the patch
  * Microsoft Windows 2000, Service Pack 3, Service Pack 4 - Download the patch
  * Microsoft Windows XP Gold, Service Pack 1 - Download the patch
  * Microsoft Windows XP 64-bit Edition - Download the patch
  * Microsoft Windows XP 64-bit Edition Version 2003 - Download the patch
  * Microsoft Windows Server 2003 - Download the patch
  * Microsoft Windows Server 2003 64-bit Edition - Download the patch

Non Affected Software:
  * Microsoft Windows Millennium Edition

The software listed above has been tested to determine if the versions are
affected. Other versions are no longer supported, and may or may not be
affected.

Technical Details

Technical Description:

A security vulnerability exists in the Messenger Service that could allow
arbitrary code execution on an affected system. The vulnerability results
because the Messenger Service does not properly validate the length of a
message before passing it to the allocated buffer. An attacker who
successfully exploited this vulnerability could run code with Local System
privileges on an affected system, or could cause the Messenger Service to
fail.
The attacker could then take any action on the system, including installing
programs, viewing, changing or deleting data, or creating new accounts with
full privileges.

Mitigating factors:

  * Messages are delivered to the Messenger Service via NetBIOS or RPC. If
    users have blocked the NetBIOS ports (ports 137-139) and UDP broadcast
    packets using a firewall, others will not be able to send messages to
    them on those ports. Most firewalls, including Internet Connection
    Firewall in Windows XP, block NetBIOS by default. Blocking NetBIOS alone
    does not cover the RPC delivery path; the Internet Connection Firewall
    workaround below also blocks inbound RPC traffic from the Internet.
  * Disabling the Messenger Service will prevent the possibility of attack.
  * On Windows Server 2003 systems, the Messenger Service is disabled by
    default.

Severity Rating:
  * Windows NT                                  Critical
  * Windows NT 4.0 Terminal Server Edition      Critical
  * Windows 2000                                Critical
  * Windows XP                                  Critical
  * Windows Server 2003                         Moderate

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0717

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability; however, they help block known attack
vectors. Workarounds may cause a reduction in functionality in some cases;
in such situations this is identified below.

  * Use a personal firewall such as Internet Connection Firewall (only
    available on XP and Windows Server 2003).

    If you are using the Internet Connection Firewall in Windows XP or
    Windows Server 2003 to protect your Internet connection, it will by
    default block inbound RPC traffic from the Internet.

    To enable the Internet Connection Firewall feature using the Network
    Setup Wizard:

    1. Run the Network Setup Wizard. To access this wizard, point to
       Control Panel, double-click Network and Internet Connections, and
       then click Setup or change your home or small office network.
    2.
       The Internet Connection Firewall is enabled when you choose a
       configuration in the wizard that indicates that your computer is
       connected directly to the Internet.

    To configure Internet Connection Firewall manually for a connection:

    1. In Control Panel, double-click Network and Internet Connections, and
       then click Network Connections.
    2. Right-click the connection on which you would like to enable ICF, and
       then click Properties.
    3. On the Advanced tab, select the Protect my computer or network check
       box.
    4. If you want to allow some applications and services through the
       firewall, click the Settings button, and then select the programs,
       protocols, and services to be enabled for the ICF configuration.

  * Disable the Messenger Service

    Disabling the Messenger Service will prevent the possibility of an
    attack. You can disable the Messenger Service by performing the
    following:

    1. Click Start, and then click Control Panel (or point to Settings, and
       then click Control Panel).
    2. Double-click Administrative Tools.
    3. Double-click Services.
    4. Double-click Messenger.
    5. In the Startup type list, click Disabled.
    6. Click Stop, and then click OK.

    Impact of Workaround: If the Messenger Service is disabled, messages
    from the Alerter service (for example, notifications from your backup
    software or Uninterruptible Power Supply) are not transmitted. If the
    Messenger Service is disabled, any services that explicitly depend on
    the Messenger Service do not start, and an error message is logged in
    the System event log.
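The Technical Description above says the Messenger Service does not validate
the length of a message before passing it to the allocated buffer. The C
program below is an added illustration of that defect class, written for this
page; it is not Microsoft's code and does not reproduce the Messenger
Service's real message format. It assumes a constructed two-byte
little-endian length-prefixed message and a 64-byte destination buffer (both
hypothetical), copies an over-long message with the unchecked pattern so the
overrun lands in memory the program owns and can be observed, and then
performs the same copy with the length checked against both the bytes that
actually arrived and the destination's capacity.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Microsoft's code: a length-prefixed message copied
 * into a fixed-size buffer, the defect class the bulletin describes (the
 * message length is not validated before it is passed to the allocated
 * buffer). The wire format below is constructed for this example and is not
 * the Messenger Service's real format. */

#define MSG_BUF_SIZE 64   /* hypothetical fixed destination buffer size   */
#define HDR_SIZE      2   /* hypothetical 2-byte little-endian body length */

/* Build a message: 2-byte little-endian length, then body_len copies of
 * 'fill'. Returns total bytes written, or 0 if it does not fit in 'cap'. */
size_t build_msg(uint8_t *pkt, size_t cap, char fill, size_t body_len)
{
    if (body_len > 0xFFFF || cap < HDR_SIZE + body_len)
        return 0;
    pkt[0] = (uint8_t)(body_len & 0xFF);
    pkt[1] = (uint8_t)(body_len >> 8);
    memset(pkt + HDR_SIZE, (unsigned char)fill, body_len);
    return HDR_SIZE + body_len;
}

static size_t declared_len(const uint8_t *pkt)
{
    return (size_t)pkt[0] | ((size_t)pkt[1] << 8);
}

/* Vulnerable pattern: trusts the sender's length field and copies that many
 * bytes into 'out', which the caller sized at MSG_BUF_SIZE. A message that
 * declares MSG_BUF_SIZE or more bytes writes past the buffer. Returns the
 * number of bytes copied. */
size_t messenger_copy_vuln(const uint8_t *pkt, size_t pkt_len, char *out)
{
    if (pkt_len < HDR_SIZE)
        return 0;
    size_t len = declared_len(pkt);     /* never compared with MSG_BUF_SIZE */
    memcpy(out, pkt + HDR_SIZE, len);   /* overruns 'out' when len >= MSG_BUF_SIZE */
    out[len] = '\0';
    return len;
}

/* Hardened version: the declared length is checked against what actually
 * arrived and against the destination capacity before anything is copied.
 * Returns the body length, or -1 (leaving 'out' untouched) for a malformed
 * or oversized message. */
int messenger_copy_safe(const uint8_t *pkt, size_t pkt_len,
                        char *out, size_t out_sz)
{
    if (pkt == NULL || out == NULL || out_sz == 0 || pkt_len < HDR_SIZE)
        return -1;
    size_t len = declared_len(pkt);
    if (len > pkt_len - HDR_SIZE)   /* header claims more body than arrived */
        return -1;
    if (len >= out_sz)              /* no room for body plus terminator */
        return -1;
    memcpy(out, pkt + HDR_SIZE, len);
    out[len] = '\0';
    return (int)len;
}

/* Demonstration: the "buffer" is the first MSG_BUF_SIZE bytes of a larger
 * arena filled with a canary pattern, so the unchecked copy's overrun lands
 * in memory this program owns and can be observed instead of crashing.
 * Returns 1 if bytes past the buffer were changed, 0 if not, -1 on a
 * body that would not even fit the arena. */
int overrun_observed(size_t body_len)
{
    uint8_t pkt[256];
    unsigned char arena[MSG_BUF_SIZE + 128];
    size_t n = build_msg(pkt, sizeof pkt, 'A', body_len);
    if (n == 0 || body_len >= sizeof arena)
        return -1;
    memset(arena, 0xCC, sizeof arena);   /* canary past the 64-byte buffer */
    messenger_copy_vuln(pkt, n, (char *)arena);
    return arena[MSG_BUF_SIZE] != 0xCC;
}

int main(void)
{
    uint8_t pkt[256];
    char buf[MSG_BUF_SIZE];
    size_t n = build_msg(pkt, sizeof pkt, 'A', 72);

    printf("72-byte body, unchecked copy into 64-byte buffer: overrun %s\n",
           overrun_observed(72) ? "observed" : "not observed");
    printf("same message, checked copy: returned %d\n",
           messenger_copy_safe(pkt, n, buf, sizeof buf));

    n = build_msg(pkt, sizeof pkt, 'B', 10);
    printf("10-byte body, checked copy: returned %d, buf=\"%s\"\n",
           messenger_copy_safe(pkt, n, buf, sizeof buf), buf);
    return 0;
}
```

Compile with any C99 compiler and run. The checked variant rejects a 72-byte
body for a 64-byte buffer and a header that claims more bytes than were
received; those are the two comparisons a fix for this class of bug has to
make, and the second one matters because the sender controls the header.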
Security Patch Information

Installation platforms and Prerequisites:

For information about the specific security patch for your platform, click
the appropriate link:
  * Windows Server 2003 (all versions)
  * Windows XP (all versions)
  * Windows 2000
  * Windows NT 4.0 (all versions)

Acknowledgments

Microsoft thanks the following for working with us to protect customers:
  * The Last Stage of Delirium Research Group for reporting the issue in
    MS03-043.

Obtaining other security patches:

Patches for other security issues are available from the following
locations:
  * Security patches are available from the Microsoft Download Center, and
    can be most easily found by doing a keyword search for
    "security_patch".
  * Patches for consumer platforms are available from the WindowsUpdate web
    site.

Support:
  * Technical support is available from Microsoft Product Support Services
    at 1-866-PCSAFETY. There is no charge for support calls associated with
    security patches.

Security Resources:
  * The Microsoft TechNet Security Web Site provides additional information
    about security in Microsoft products.
  * Microsoft Software Update Services: http://www.microsoft.com/sus/
  * Microsoft Baseline Security Analyzer (MBSA) details:
    http://www.microsoft.com/mbsa. Please see
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for a
    list of security patches that have detection limitations with the MBSA
    tool.
  * Windows Update Catalog:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
  * Windows Update: http://windowsupdate.microsoft.com
  * Office Update: http://office.microsoft.com/officeupdate/

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Microsoft Corporation
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:
  * V1.0 (October 15, 2003): Bulletin published.

[***** End MS03-043 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-153: New Worms and Helpful Computer Users
N-154: IBM DB2 Buffer Overflow Vulnerabilities
N-155: Red Hat Updated Perl packages fix security issues
N-156: ProFTPD ASCII File Remote Compromise Vulnerability
N-157: CERT/CC Vulnerability Note OpenSSH PAM challenge authentication
       failure
N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo
       safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo