
UNIRAS Brief - 397/03 - Microsoft - Buffer Overrun in Windows Could Lead to Data Corruption + Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 397/03 dated 10.07.03  Time: 13:10
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Two Microsoft Security Bulletins - MS03-024 + MS03-025:

1: Buffer Overrun in Windows Could Lead to Data Corruption

2: Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation

Detail
======

1: Buffer Overrun in Windows Could Lead to Data Corruption

Microsoft Security Bulletin MS03-024

Buffer Overrun in Windows Could Lead to Data Corruption (817606)
Originally posted: July 09, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® NT, Microsoft
Windows 2000, or Microsoft Windows XP

Impact of vulnerability: Allow an attacker to execute code of their choice

Maximum Severity Rating: Important

Recommendation: Administrators should consider installing the patch.

Affected Software:

Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Windows XP Professional
Not Affected Software:
Microsoft Windows Server 2003

 Technical details
Technical description:


Server Message Block (SMB) is the Internet Standard protocol that Windows
uses to share files, printers, serial ports, and to communicate between
computers using named pipes and mail slots. In a networked environment,
servers make file systems and resources available to clients. Clients make
SMB requests for resources, and servers make SMB responses in what's described
as a client server request-response protocol.

A flaw exists in the way that the server validates the parameters of an SMB
packet. When a client system sends an SMB packet to the server system, it
includes specific parameters that provide the server with a set of "instructions."
In this case, the server is not properly validating the buffer length
established by the packet. If the client specifies a buffer length that is less
than what is needed, it can cause the buffer to be overrun.

By sending a specially crafted SMB packet request, an attacker could cause a buffer
overrun to occur. If exploited, this could lead to data corruption, system failure,
or, in the worst case, it could allow an attacker to run the code of their choice.
An attacker would need a valid user account and would need to be authenticated by
the server to exploit this flaw.

Mitigating factors:

Windows Server 2003 is not affected by this vulnerability.
By default, it is not possible to exploit this flaw anonymously. The attacker would
have to be authenticated by the server prior to attempting to send a SMB packet to it.
Blocking port 139/445 at the firewall will prevent the possibility of an attack from
 the Internet.
Severity Rating:
Windows NT Server 4.0: Important
Windows NT Server 4.0, Terminal Server Edition: Important
Windows 2000: Important
Windows XP Professional: Important

The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability
would have on them.

Vulnerability identifier: CAN-2003-0345

Tested Versions:
Microsoft tested Windows NT Server 4.0, Windows NT Server 4.0 Terminal Services
Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they
are affected by this vulnerability. Previous versions are no longer supported,
and may or may not be affected by this vulnerability.


Frequently asked questions
What's the scope of the vulnerability?

This is a buffer overrun vulnerability that could lead to data corruption, system
failure or allow an attacker to run the code of their choice.

To successfully exploit this flaw, an attacker would have to first be authenticated
by the server. By default, it is not possible to exploit this flaw anonymously.

What causes the vulnerability?

The vulnerability results because of insufficient validation by the system of the
buffer size for certain incoming SMB packets. SMB is a client to server based
protocol and when the client system sends an SMB command to the server, it should
validate the parameters set in the packet and respond accordingly.

In the case of this flaw, the recipient system doesn't validate the buffer size
necessary before responding. This could cause a buffer overrun which could lead
to data corruption, system failure or allow an attacker to run the code of their choice.

What is SMB?

SMB (Server Message Block), together with its follow-on Common Internet File System (CIFS), is
the Internet Standard protocol that Windows uses to share files, printers, serial ports,
and also to communicate between computers using named pipes and mail slots. In a
networked environment, servers make file systems and resources available to clients.
Clients make SMB requests for resources and servers make SMB responses in what is
described as a client server, request-response protocol.

Does this vulnerability affect CIFS as well?

Common Internet File System (CIFS) is an Internet Standard protocol. The vulnerability
described here resides specifically in Microsoft's implementation of the protocol
and not the protocol itself.

What's wrong with Microsoft's implementation of the protocol?

There is a flaw in the way that the server validates the parameters of an SMB packet.
When a client system sends an SMB packet to the server system, it includes specific
parameters that provide the server with a set of "instructions." In this case, the
server does not properly validate the buffer length established by the packet. If
the client specifies a buffer length less than what is needed, it can cause the
buffer to be overrun. This could result in random data being written to memory,
which could cause data corruption or system failure, or it could also allow an
attacker to run the code of their choice.
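The flaw described in the technical description and again in this FAQ answer is a server that trusts a client-declared buffer length and then writes the actual data, so a declared length smaller than what is needed overruns the buffer. The C below is an added example, not Microsoft's code and not the real SMB wire format: it models a constructed request layout (a 2-byte little-endian declared length followed by data) and shows the validation the patch is described as adding. The declared length is checked against both the bytes actually received and the capacity of the server-side buffer before anything is copied; the sample packets are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout (not the real SMB format): a 2-byte
   little-endian field declaring how many data bytes follow, then the data. */

#define SERVER_BUF_CAP 64   /* assumed fixed-size server buffer */

enum validate_result {
    REQ_OK = 0,
    REQ_TOO_LARGE,   /* declared length exceeds the server buffer */
    REQ_TRUNCATED,   /* declared more bytes than were actually received */
    REQ_TRAILING     /* declared length is less than the data that follows */
};

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/* Validates the declared length against what was received and what the
   server can hold. On success *data_len_out is the number of data bytes. */
enum validate_result validate_request(const uint8_t *pkt, size_t pkt_len,
                                      size_t cap, size_t *data_len_out)
{
    *data_len_out = 0;
    if (pkt_len < 2)
        return REQ_TRUNCATED;               /* header itself is incomplete */
    size_t declared = read_le16(pkt);
    size_t actual = pkt_len - 2;
    if (declared > cap)
        return REQ_TOO_LARGE;
    if (declared > actual)
        return REQ_TRUNCATED;
    if (declared < actual)
        return REQ_TRAILING;                /* the MS03-024 condition: declared < needed */
    *data_len_out = declared;
    return REQ_OK;
}

/* Copies request data into the server buffer only after validation.
   The unpatched pattern the bulletin describes sizes its work from the
   client's declared length and then writes the actual data, which is
   exactly what the REQ_TRAILING check above refuses. */
enum validate_result handle_request(const uint8_t *pkt, size_t pkt_len,
                                    uint8_t *buf, size_t cap, size_t *copied)
{
    size_t n;
    enum validate_result r = validate_request(pkt, pkt_len, cap, &n);
    *copied = 0;
    if (r != REQ_OK)
        return r;
    memcpy(buf, pkt + 2, n);                /* n <= cap is now guaranteed */
    *copied = n;
    return REQ_OK;
}

/* Constructed sample packets for the demo. */
static const uint8_t PKT_GOOD[]       = {5, 0, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t PKT_SHORT_DECL[] = {2, 0, 'h', 'e', 'l', 'l', 'o'}; /* declares 2, sends 5 */
static const uint8_t PKT_TRUNCATED[]  = {9, 0, 'h', 'i'};                /* declares 9, sends 2 */
static const uint8_t PKT_TOO_LARGE[]  = {0xff, 0x00};                    /* declares 255 > 64 */

/* Returns 1 when every sample is classified as expected. */
int run_validation_demo(void)
{
    uint8_t buf[SERVER_BUF_CAP];
    size_t n;
    int ok = 1;
    ok &= handle_request(PKT_GOOD, sizeof PKT_GOOD, buf, sizeof buf, &n) == REQ_OK && n == 5;
    ok &= memcmp(buf, "hello", 5) == 0;
    ok &= handle_request(PKT_SHORT_DECL, sizeof PKT_SHORT_DECL, buf, sizeof buf, &n) == REQ_TRAILING;
    ok &= handle_request(PKT_TRUNCATED, sizeof PKT_TRUNCATED, buf, sizeof buf, &n) == REQ_TRUNCATED;
    ok &= handle_request(PKT_TOO_LARGE, sizeof PKT_TOO_LARGE, buf, sizeof buf, &n) == REQ_TOO_LARGE;
    return ok;
}

int main(void)
{
    printf("validation demo %s\n", run_validation_demo() ? "passed" : "failed");
    return 0;
}
```

The order of checks matters: the capacity check comes before any comparison with the received byte count, so a packet that is both short and oversized is refused for the right reason, and no length derived from the client ever reaches memcpy unverified.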

What could this vulnerability enable an attacker to do?

If an attacker were able to successfully exploit this vulnerability, they could
cause random areas of memory to be overwritten. The resulting effect of this could
be data corruption, system failure or allow an attacker to run the code of their choice.

What sort of data would be corrupted?

Essentially, any data in memory could be randomly overwritten. In the worst case,
system memory could be overwritten causing the server to fail.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by creating a specifically
malformed SMB packet and sending it to the server. The attacker would first require
a valid user name and password to be authenticated by the server. By default,
there is no means to anonymously exploit this vulnerability.

What does the patch do?

The patch eliminates the vulnerability by implementing proper validation of the
parameters set on SMB packets.

Patch availability
Download locations for this patch
Windows NT 4.0 Server

Windows NT 4.0, Terminal Server Edition

Windows 2000 Server

Windows XP 32 bit Edition

Windows XP 64 bit Edition

 Additional information about this patch
Installation platforms:
This patch can be installed on systems running:
Windows NT Server 4.0:
The Windows NT Server 4.0 patch can be installed on systems running Windows NT Server
4.0 Service Pack 6a.
Windows NT Server, Terminal Server Edition:
The Windows NT Server, Terminal Server Edition patch can be installed on systems
running Windows NT Server, Terminal Server Edition Service Pack 6.
Windows 2000:
The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3.
Windows XP:
The patch for Windows XP can be installed on systems running Windows XP Gold or
Windows XP Service Pack 1.
Inclusion in future service packs:


The fix for this issue is included in Windows 2000 Service Pack 4.
The fix for this issue will be included in Windows XP Service Pack 2.
Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

Windows NT 4.0: To verify that the patch has been installed on the machine,
confirm that all files listed in the file manifest in Knowledge Base article
817606 are present on the system.

Windows NT 4.0 Terminal Server Edition: To verify that the patch has been
installed on the machine, confirm that all files listed in the file manifest
in Knowledge Base article 817606 are present on the system.

Windows 2000: To verify that the patch has been installed on the machine,
confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q817606.
To verify the individual files, use the date/time and version information
provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Updates\Windows 2000\SP4\Q817606\Filelist.

Windows XP:

If installed on Windows XP Gold:
To verify that the patch has been installed, confirm that the following registry
key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q817606.
To verify the individual files, use the date/time and version information
provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q817606\Filelist.


If installed on Windows XP Service Pack 1:
To verify that the patch has been installed, confirm that the following registry
key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q817606.
To verify the individual files, use the date/time and version information provided
in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q817606\Filelist.

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be
most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks Jeremy Allison and Andrew Tridgell, Samba Team for
reporting this issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article 817606 discusses this issue and will
be available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
V1.0 July 09, 2003: Bulletin Created.

=============================================================================================

2: Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation

Microsoft Security Bulletin MS03-025


Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679)
Originally posted: July 9, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® 2000

Impact of vulnerability: Privilege elevation

Maximum Severity Rating: Important

Recommendation: Customers should install the patch at the earliest opportunity.

End User Bulletin: An end user version of this bulletin is available at:

http://www.microsoft.com/security/security_bulletins/ms03-025.asp.

Affected Software:

Microsoft Windows 2000

Not Affected Software:
Microsoft Windows Me
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server, Terminal Services Edition
Microsoft Windows XP
Microsoft Windows Server 2003

 Technical details
Technical description:


Microsoft Windows 2000 contains support for Accessibility options within the operating
system. Accessibility support is a series of assistive technologies within Windows
that allow users with disabilities to still be able to access the functions of the
operating system. Accessibility support is enabled or disabled through shortcuts
built into the operating system, or through the Accessibility Utility Manager. Utility
Manager is an accessibility utility that allows users to check the status of
accessibility programs (Microsoft Magnifier, Narrator, On-Screen Keyboard) and to
start or stop them.

There is a flaw in the way that Utility Manager handles Windows messages. Windows
messages provide a way for interactive processes to react to user events (for
example, keystrokes or mouse movements) and communicate with other interactive
processes. A security vulnerability results because the control that provides the list
of accessibility options to the user does not properly validate Windows messages sent to
it. It's possible for one process in the interactive desktop to use a specific Windows
message to cause the Utility Manager process to execute a callback function at the address
of its choice. Because the Utility Manager process runs at higher privileges than the
first process, this would provide the first process with a way of exercising those
higher privileges.

By default, the Utility Manager contains controls that run in the interactive desktop
with Local System privileges. As a result, an attacker who had the ability to log on
to a system interactively could potentially run a program that could send a specially
crafted Windows message upon the Utility Manager process, causing it to take any action
the attacker specified. This would give the attacker complete control over the system.

The attack cannot be exploited remotely, and the attacker would have to have the ability
to interactively log on to the system.


Mitigating factors:

An attacker would need valid logon credentials to exploit the vulnerability. It could
not be exploited remotely.
Properly secured servers would be at little risk from this vulnerability. Standard
best practices recommend only allowing trusted administrators to log on to such systems
interactively; without such privileges, an attacker could not exploit the vulnerability.
Severity Rating: Windows 2000 Important
The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability would
have on them.

Vulnerability identifier: CAN-2003-0350

Tested Versions:
Microsoft tested Windows Me, Windows NT Server 4.0, Windows NT Server, Terminal Server
Edition, Windows 2000, Windows XP, and Windows Server 2003 to assess whether they are
affected by these vulnerabilities. Previous versions are no longer supported, and may
or may not be affected by these vulnerabilities.


 Frequently asked questions
What's the scope of the vulnerability?

This is a privilege elevation vulnerability. An attacker who successfully exploited
this vulnerability could gain unwarranted privileges on a system. In this case, the
attacker could gain full administrative privileges, thereby gaining the ability to
take any action they want on the machine, such as adding, deleting, or modifying
data on the system, creating or deleting user accounts, and adding accounts to the
local administrators group. The vulnerability could only be exploited by an attacker
who had credentials to log on to the computer interactively. Best practices suggest
that unprivileged users not be allowed to interactively log on to business-critical
servers; if this guidance has been followed, such servers would not be at risk from
this vulnerability. Instead, the systems primarily at risk would be workstations and
terminal servers.

What causes the vulnerability?

The vulnerability results because it is possible for an unprivileged user to cause
code to be executed by a highly privileged process on the interactive desktop using
Utility Manager in combination with a specially crafted Windows message.

What are Accessibility utilities?

Microsoft recognizes its responsibility to develop technology that is accessible and
usable to everyone, including those with disabilities. Therefore all Microsoft products
are designed with functionality and utilities to assist in enabling those with
disabilities to use the features of the products. These utilities are known as
Accessibility utilities. Windows 2000 contains several utilities and technologies to
provide accessibility within the product. A detailed list of these utilities can be
found at:

http://www.microsoft.com/enable/products/windows2000/features.aspx

Where does Microsoft document the available Accessibility options in its products?

More information on accessibility options within Microsoft Products can be found at
the Microsoft Accessibility Web site at:

http://www.microsoft.com/enable/

What is the Utility Manager?

Utility Manager is an accessibility utility that allows users to check the status of
accessibility programs (Microsoft Magnifier, Narrator, On-Screen Keyboard) and to
start or stop them.

What do you mean by a "desktop"?

Normally, when we refer to a "desktop" we mean the Windows desktop created by Explorer
that you see on your screen during a Windows session. However, in the Windows security
architecture, the term "desktop" actually has a different meaning. Desktops are used to
encapsulate windows and related objects in Windows in order to ensure that a process is
properly restricted to only authorized activities. It's easier to explain what a desktop
is and how it works if we start with the layer of granularity above the desktop, the
windowstation.

What's a windowstation?

A windowstation is a container that contains a clipboard, some global information, and a
set of one or more desktops. The interactive windowstation assigned to the logon session
of the interactive user also contains the keyboard, mouse, and display device. The
interactive windowstation is visible to the user and can receive input from the user.
All other windowstations are noninteractive, which means that they can't be made visible
to the user and can't receive user input. A process can be associated with only one
desktop at a time.

What's an interactive desktop?

A desktop is a container object that is contained within a window station. There may be
many desktops contained within a windowstation.

A desktop has a logical display surface and contains windows, menus, and hooks. Only the
desktops of the interactive window station can be visible and receive user input. On the
interactive windowstation, only one desktop at a time is active. This active desktop,
also referred to as the interactive desktop or input desktop, is the one that is currently
visible to the user and that receives user input.

What are Windows messages?

Processes running on Windows interact with the system and other processes using messages.
For instance, each time the user hits a key on the keyboard, moves the mouse, or clicks a
control such as a scroll bar, Windows generates a message, the purpose of which is to alert
the program that a user event has occurred, and deliver the data from that event to the
program. Similarly, a program can generate messages as a way of allowing the various windows
it controls to communicate with and task each other.

What's wrong with the way Windows messages are handled by the Windows 2000 Utility Manager?

The flaw actually lies in the way Utility Manager handles messages when presenting the list
of available accessibility functions to the user. Utility Manager does not properly validate
Windows messages sent to it. If Utility Manager is running on the system, it's possible for
another process running on the system to send a specially crafted message to the Utility Manager
process in the interactive desktop. The first process could set the address of the callback
function, with the result being that the second process would execute the callback function
specified by the first.

Why does this pose a security vulnerability?

Essentially, the flaw in Utility Manager would provide a way for one process on the interactive
desktop to cause the Utility Manager to do its bidding. If the second process had higher privileges,
this would provide a way for the first to exercise them.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited the vulnerability could first start Utility Manager, then
could create a process that would levy requests upon the Utility Manager once it was running. In
default configurations of Windows 2000, Utility Manager is installed but not running. Exploiting
the vulnerability in such a case would enable the attacker to gain complete control over the system.

Who could exploit the vulnerability?

To exploit the vulnerability, the attacker would need the ability to log on to the system,
start Utility Manager, load a program of his or her choice (one that sent a message to
Utility Manager and specified a callback function that would perform some desired task),
and run it.

What versions of the Utility Manager are vulnerable to this attack?

Only the Windows 2000 version of Utility Manager contains the vulnerability. Windows NT
Server 4.0, Windows XP, and Windows Server 2003 are not affected.

What systems are primarily at risk from the vulnerability?

In general, workstations and terminal servers would be mainly at risk. Servers would only
be at risk if unprivileged users had been given the ability to log on to them and run programs,
but best practices strongly discourage allowing this.

Could the vulnerability be exploited from the Internet?

No. The attacker would need the ability to log on to the specific system he or she wished
to attack. There is no capability to load and run a program in the interactive desktop remotely.

What does the patch do?

The patch addresses the vulnerability by changing the handling of Windows messages by the
Utility Manager so that messages are properly validated and that an unregistered callback
function cannot be called.
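The technical description, the FAQ answer on message handling, and the patch description above all describe the same defect: a control accepts a Windows message carrying a callback address and invokes it without checking that the address belongs to a callback the program registered. The C below is an added example, not Microsoft's code and not the Win32 API: it models a message handler with a constructed message id and a small registry of permitted callbacks, and shows the patched behaviour the bulletin describes, namely that an unregistered callback cannot be called. The message id, registry size and bogus address in the demo are all constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a window procedure whose message payload names a
   callback. Not Windows API code; names and ids are assumptions. */

typedef void (*callback_fn)(void *ctx);

#define MAX_REGISTERED 8

struct callback_registry {
    callback_fn entries[MAX_REGISTERED];
    size_t count;
};

/* The message as the control sees it: an id plus a pointer-sized parameter. */
struct window_message {
    unsigned id;
    uintptr_t lparam;   /* the flawed handler treated this directly as a code address */
};

enum { MSG_RUN_CALLBACK = 0x0401 };   /* constructed message id */

/* Only the program itself registers callbacks, at initialisation. */
int registry_add(struct callback_registry *r, callback_fn fn)
{
    if (r->count >= MAX_REGISTERED)
        return 0;
    r->entries[r->count++] = fn;
    return 1;
}

static int is_registered(const struct callback_registry *r, uintptr_t addr)
{
    for (size_t i = 0; i < r->count; i++)
        if ((uintptr_t)r->entries[i] == addr)
            return 1;
    return 0;
}

/* Returns 1 if a registered callback was run, 0 if the message was refused.
   The unpatched behaviour the bulletin describes amounts to
       ((callback_fn)msg->lparam)(ctx);
   with no check, so any process on the interactive desktop could choose the
   address. Here the address must match a registered entry. */
int dispatch_message(const struct callback_registry *r,
                     const struct window_message *msg, void *ctx)
{
    if (msg->id != MSG_RUN_CALLBACK)
        return 0;
    if (!is_registered(r, msg->lparam))
        return 0;                       /* refuse unregistered address */
    ((callback_fn)msg->lparam)(ctx);
    return 1;
}

/* Demo callback: counts how many times it actually ran. */
static void demo_callback(void *ctx)
{
    (*(int *)ctx)++;
}

/* Returns 1 when the registered callback runs once and the forged message
   is refused without running anything. */
int run_dispatch_demo(void)
{
    struct callback_registry reg = {{0}, 0};
    int counter = 0;
    registry_add(&reg, demo_callback);

    struct window_message legit  = { MSG_RUN_CALLBACK, (uintptr_t)demo_callback };
    struct window_message forged = { MSG_RUN_CALLBACK, (uintptr_t)0xdeadbeef }; /* constructed bogus address */

    int ran_legit  = dispatch_message(&reg, &legit, &counter);
    int ran_forged = dispatch_message(&reg, &forged, &counter);
    return ran_legit == 1 && ran_forged == 0 && counter == 1;
}

int main(void)
{
    printf("dispatch demo %s\n", run_dispatch_demo() ? "passed" : "failed");
    return 0;
}
```

A registry keyed by address is the smallest change that matches the bulletin's wording; a stronger design would have the message carry an index into the table rather than an address at all, so that no pointer supplied by another process is ever treated as code.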

Patch availability
Download locations for this patch
Microsoft Windows 2000:
http://microsoft.com/downloads/details.aspx?FamilyId=D415A4AC-E13A-4E8A-BE25-85E7DF686F61&displaylang=en

 Additional information about this patch
Installation platforms:
The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3. In addition,
the fix for this issue is included in Windows 2000 Service Pack 4.
Inclusion in future service packs:
The fix for this issue is included in Windows 2000 Service Pack 4.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following
registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q822679

To verify the individual files, use the date/time and version information provided in
the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q822679\Filelist

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed in
"Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily
found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks Chris Paget of Next Generation Security Software Ltd. for reporting this
issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article 822679 discusses this issue and will be available
approximately 24 hours after the release of this bulletin. Knowledge Base articles can be
found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge
for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information
about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its suppliers have been
advised of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply.

Revisions:

V1.0 (July 9, 2003): Bulletin Created.

Reprinted with permission of Microsoft Corporation.
- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBPw1ZT4pao72zK539AQGWBQP+P7eMkNnWfj9L6cvDS95nMIwNiVEbSVo2
3Yf4DACy8WAHJ7VK8xHJQp9R77hfOwII/zT6UhHDvq7peTK+jmN1Y4h/Q4tTcOzN
Dup3S+bNOKfLjOnAnVzJH8tZ1/S3yl2M4hK3xiU044ZVmANi/WWmR7DBbYhVg1/u
M7oUnWiuJA4=
=iqZC
-----END PGP SIGNATURE-----