
UNIRAS Brief - 410/03 - Microsoft - Buffer Overrun In RPC Interface Could Allow Code Execution, Unchecked Buffer in Windows Shell Could Enable System Compromise + Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 410/03 dated 17.07.03  Time: 09:25
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Three Microsoft Security Bulletins:

1: Buffer Overrun In RPC Interface Could Allow Code Execution

2: Unchecked Buffer in Windows Shell Could Enable System Compromise

3: Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack

Detail
====== 

1: Buffer Overrun In RPC Interface Could Allow Code Execution

- -----BEGIN PGP SIGNED MESSAGE-----

- - - ---------------------------------------------------------------
Title:      Buffer Overrun In RPC Interface Could Allow Code 
            Execution (823980)

Date:       16 July 2003
Software:   Microsoft(r) Windows (r) NT 4.0
            Microsoft Windows NT 4.0 Terminal Services Edition 
            Microsoft Windows 2000 
            Microsoft Windows XP 
            Microsoft Windows Server 2003 
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS03-026

Microsoft encourages customers to review the Security Bulletins 
at: 
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
- - - ---------------------------------------------------------------

Issue:
======

Remote Procedure Call (RPC) is a protocol used by the Windows 
operating system. RPC provides an inter-process communication 
mechanism that allows a program running on one computer to 
seamlessly execute code on a remote system. The protocol itself 
is derived from the OSF (Open Software Foundation) RPC protocol, 
but with the addition of some Microsoft specific extensions. 

There is a vulnerability in the part of RPC that deals with 
message exchange over TCP/IP. The failure results from 
incorrect handling of malformed messages. This particular 
vulnerability affects a Distributed Component Object Model (DCOM) 
interface exposed over RPC, which listens on TCP/IP port 135. This 
interface handles DCOM object activation requests (which may carry 
parameters such as Universal Naming Convention (UNC) paths) sent by 
client machines to the server. 

To exploit this vulnerability, an attacker would need to send a 
specially formed request to the remote computer on port 135. 


Mitigating factors: 
====================

 - To exploit this vulnerability, the attacker would require the 
ability to send a specially crafted request to port 135 on the 
remote machine. In intranet environments this port is normally 
reachable; for Internet-connected machines, port 135 would normally 
be blocked by a firewall. Where the port is not blocked, or in an 
intranet configuration, the attacker would not need to authenticate 
or hold any additional privileges. 

 - Best practice is to block all TCP/IP ports that are not 
actually in use; most machines attached to the Internet should 
therefore already have port 135 blocked. RPC over TCP is not 
intended for use in hostile environments such as the Internet. 
More robust transports, such as RPC over HTTP, are provided for 
hostile environments.

Risk Rating:
============
Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read 
the Security Bulletins at
   
http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
   
   for information on obtaining this patch.


- - - ---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL 
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT 
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL 
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPxSXX40ZSRQxA/UrAQE6PwgAp5nlZkLDJPNc8QNb5AajGy3R2SpaRhw2
WxonBgaiNU2sJscIQwObdjH1NHHq5Jw3ptFja/LbI/LOUZkQi6dOqPQjsyfthQzC
vUvGw5Fr0x3Pe1OJcsSmH6pl5XBOSSCVXRb4grHUZaMABymZkTzvz0rKonhpWDjv
OGnP9CisSxEBXMTnCIsqP6T1eoENxriICB3pR5ZuKqSgd+Q/J7DV1aTLwYCIaxwR
4a+d/xufAQyDW5WEdKvHlfoyw/ZKDIqIsUsueX5HX+PTBa5VRcaLYKk7GbDnStyB
3+aktUF1z5C9LqG5zDcFGXWOPEmERTWKUZ06YBIieNbZwV75pjxEmQ==
=KrV/
- -----END PGP SIGNATURE-----
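The mitigating factors for MS03-026 rest on one assumption: that TCP port 135 is not reachable from untrusted networks. The probe below is an added example for this briefing, not code from Microsoft or UNIRAS; it performs a plain TCP connect to port 135 on each host so an administrator can confirm that a perimeter firewall really does block it. Host names in the comments are placeholders, and the local listener in the demonstration stands in for a host with the port open. A completed handshake only shows the endpoint mapper is exposed; it says nothing about whether the 823980 patch is installed.

```python
"""Audit whether TCP port 135 (RPC endpoint mapper, used for DCOM
activation) is reachable on a set of hosts.

Added example for the MS03-026 advisory; not part of the original
bulletin.  Host names are placeholders chosen for illustration."""
import socket
from typing import Iterable, List, Tuple

RPC_ENDPOINT_MAPPER_PORT = 135


def tcp_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    A refused or timed-out connection counts as 'not reachable', which
    is what a correctly configured perimeter firewall should produce for
    port 135 when probed from the Internet side.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # ECONNREFUSED, EHOSTUNREACH, timeout, ...
        return False


def exposed_hosts(hosts: Iterable[str],
                  port: int = RPC_ENDPOINT_MAPPER_PORT,
                  timeout: float = 2.0) -> List[Tuple[str, bool]]:
    """Probe each host once and return (host, reachable) pairs; any
    True entry is a machine the bulletin's 'port 135 blocked' mitigation
    does not cover."""
    return [(h, tcp_port_reachable(h, port, timeout)) for h in hosts]


def loopback_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on 127.0.0.1 at an ephemeral port so the
    probe can be exercised offline.  The caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: a local listener plays the role of a host
    # with port 135 open, then the same port after it has been closed.
    srv, port = loopback_listener()
    print("open port   ->", tcp_port_reachable("127.0.0.1", port))
    srv.close()
    print("closed port ->", tcp_port_reachable("127.0.0.1", port))
    # Real use (placeholder names): run from outside the firewall and
    # review every host reported as reachable.
    # for host, reachable in exposed_hosts(["fileserver.example", "10.0.0.5"]):
    #     print(host, "EXPOSED" if reachable else "blocked")
```

Run the audit from the untrusted side of the firewall, not from the intranet, since the bulletin expects port 135 to be open internally. Anything reported as reachable should be patched first and then have the port filtered.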

2: Unchecked Buffer in Windows Shell Could Enable System Compromise

- -----BEGIN PGP SIGNED MESSAGE-----

- - - ---------------------------------------------------------------
Title:      Unchecked Buffer in Windows Shell Could Enable System 
            Compromise (821557)
Date:       16 July 2003
Software:   Microsoft(r) Windows (r) XP 
Impact:     Run code of attacker's choice
Max Risk:   Important
Bulletin:   MS03-027

Microsoft encourages customers to review the Security Bulletins 
at: 
http://www.microsoft.com/technet/security/bulletin/MS03-027.asp
http://www.microsoft.com/security/security_bulletins/MS03-027.asp
- - - ---------------------------------------------------------------

Issue:
======

The Windows shell is responsible for providing the basic 
framework of the Windows user interface experience. It is most 
familiar to users as the Windows desktop. It also provides a 
variety of other functions to help define the user's computing 
session, including organizing files and folders, and providing 
the means to start programs. 

An unchecked buffer exists in one of the functions the Windows 
shell uses to extract custom attribute information from certain 
folders. A security vulnerability results because a malicious 
user could construct an attack that exploits this flaw to 
execute code on the user's system. 

An attacker could seek to exploit this vulnerability by creating 
a Desktop.ini file that contains a corrupt custom attribute, and 
then host it on a network share. If a user were to browse the 
shared folder where the file was stored, the vulnerability could 
then be exploited. A successful attack could have the effect of 
either causing the Windows shell to fail, or causing an 
attacker's code to run on the user's computer in the security 
context of the user. 

Mitigating factors: 
====================

 - In the case where an attacker's code was executed, the code 
would run in the security context of the user. As a result, any 
limitations on the user's ability would also restrict the actions 
that an attacker's code could take. 

 - An attacker could only seek to exploit this vulnerability by 
hosting a malicious file on a share. 

 - This vulnerability only affects Windows XP Service Pack 1. 
Users running Windows XP Gold (the original release, with no 
service pack applied) are not affected. 

Risk Rating:
============
Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read 
the Security Bulletins at
   
http://www.microsoft.com/technet/security/bulletin/ms03-027.asp
http://www.microsoft.com/security/security_bulletins/ms03-027.asp
   
   for information on obtaining this patch.


- - - ---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL 
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT 
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL 
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPxSk+Y0ZSRQxA/UrAQFfOQgAkkCMAzGtqzcgOEyOG95ucuotlSYbHrYY
7fIhOmZySzRJpqid36aW1lcpNKEGFsra8CSz+7oNnECrsu8B4/F9ZgDxj6X6mE/+
Ya3Y6bx4o40fvd6Wa9EzGrCr87j3z5ugr3yNpEo0vBmlIOVA+rjcHpltZeC+oCBJ
fsvma8dt/ChVlMCk+mbcTn5DmCRP2pKeoB3C5DiWM7MxrdASwG7FoKN9Ql0wBTab
P8EHq3qcdTxz4zHI6xVJfbPrTojNoq0oH05tiETp29k47xI1/8Bboc/azeISoCjc
BMVIeZyvYgxSS2Zte7XF9tNg4MgUxkY4UIJLcMcY1jH5G+2cyDa43A==
=+K+K
- -----END PGP SIGNATURE-----
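MS03-027 is triggered by a Desktop.ini file carrying a corrupt custom attribute on a share the user browses, so a useful follow-up is to look for such files before users open the folders. The scanner below is an added example for this briefing, not Microsoft's or UNIRAS's code, and it does not know which attribute the shell mishandles; it flags any Desktop.ini value that is over-long or contains control characters, the two shapes a corrupt attribute would take. The 260-character threshold (MAX_PATH), the section and key names in the constructed samples, and the temporary directory standing in for a share are all assumptions made for illustration.

```python
"""Hunt a mounted share for Desktop.ini files with malformed attributes.

Added example for the MS03-027 advisory; not part of the original
bulletin.  MAX_SANE_LEN and the sample files are assumptions."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

MAX_SANE_LEN = 260  # assumption: values longer than MAX_PATH deserve a look

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*(?P<key>[^=;#\s][^=]*?)\s*=\s*(?P<val>.*?)\s*$")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser that keeps every key and skips ';'/'#' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group("key")] = m.group("val")
    return sections


def suspicious_attributes(text: str,
                          max_len: int = MAX_SANE_LEN) -> List[Tuple[str, str, str]]:
    """Return (section, key, reason) for values that are over-long or
    contain control characters."""
    hits = []
    for section, keys in parse_ini(text).items():
        for key, val in keys.items():
            if len(val) > max_len:
                hits.append((section, key, f"length {len(val)} > {max_len}"))
            elif any(ord(c) < 0x20 for c in val):
                hits.append((section, key, "control characters in value"))
    return hits


def scan_tree(root: str) -> List[Tuple[str, List[Tuple[str, str, str]]]]:
    """Walk a share root and report every Desktop.ini with findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            # Desktop.ini may be ANSI or UTF-16 with a BOM; decode leniently.
            if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
                text = raw.decode("utf-16", errors="replace")
            else:
                text = raw.decode("latin-1")
            hits = suspicious_attributes(text)
            if hits:
                findings.append((path, hits))
    return findings


# Constructed samples, not files taken from any real share.
BENIGN_INI = "[.ShellClassInfo]\nIconFile=folder.ico\nIconIndex=0\nInfoTip=Project files\n"
SUSPECT_INI = "[.ShellClassInfo]\nIconFile=folder.ico\nInfoTip=" + "A" * 2000 + "\n"


def demo_scan() -> int:
    """Build a throw-away 'share' with one benign and one suspect folder
    and return how many Desktop.ini files were flagged."""
    with tempfile.TemporaryDirectory() as share:
        for sub, body in (("ok", BENIGN_INI), ("bad", SUSPECT_INI)):
            os.makedirs(os.path.join(share, sub))
            with open(os.path.join(share, sub, "Desktop.ini"), "w") as fh:
                fh.write(body)
        findings = scan_tree(share)
        for path, hits in findings:
            print(path, hits)
        return len(findings)


if __name__ == "__main__":
    demo_scan()
```

Run scan_tree against the mount point of each share users browse from unpatched Windows XP SP1 clients; a hit is a file to quarantine and examine, not proof of an attack, because legitimate tools sometimes write long InfoTip strings.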

3: Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack

- -----BEGIN PGP SIGNED MESSAGE-----

- - - ---------------------------------------------------------------
Title:      Flaw in ISA Server Error Pages Could Allow Cross-Site 
            Scripting Attack (816456)
Date:       16 July 2003
Software:   Microsoft(r) ISA Server        
Max Risk:   Important
Bulletin:   MS03-028

Microsoft encourages customers to review the Security Bulletins 	
at: 
http://www.microsoft.com/technet/security/bulletin/MS03-028.asp
http://www.microsoft.com/security/security_bulletins/ms03-028.asp
- - - ---------------------------------------------------------------

Issue:
======

ISA Server contains a number of HTML-based error pages that allow 
the server to respond to a client requesting a Web resource with 
a customized error. A cross-site scripting vulnerability exists 
in many of these error pages that are returned by ISA Server 
under specific error conditions.

To exploit this flaw, an attacker would first have to know of a 
specific ISA Server and its access policies, or host an ISA 
Server of their own with access policies designed to trigger 
this vulnerability. The attacker could then craft a request that 
causes the server to return one of the affected error pages. Once 
the attack was crafted, the attacker would have to host a Web site 
containing the link, or send the link to the user in the form of 
an HTML e-mail. After the user previewed or opened the e-mail, the 
malicious site could be visited automatically without further 
user interaction. In the Web-based attack scenario, an attacker 
would have no way to force a user to visit the Web site. 

Mitigating factors: 
====================

 - The vulnerability could only be exploited if the attacker 
could entice another user into visiting a Web page and clicking a 
link on it, or opening an HTML-based e-mail.
 
 - The request must be one that would cause the ISA server to 
respond with one of several affected error pages. 

 - The vulnerability would not normally enable an attacker to 
gain any privileges on an affected ISA Server computer, breach 
the firewall, or compromise any cached content, unless the user 
is operating on the ISA server itself and is using the Web Proxy 
service to access the Internet. 

Risk Rating:
============
Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read 
the Security Bulletins at
   
http://www.microsoft.com/technet/security/bulletin/ms03-028.asp
http://www.microsoft.com/security/security_bulletins/ms03-028.asp
   
   for information on obtaining this patch.


- - - ---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL 
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT 
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL 
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPxSXqo0ZSRQxA/UrAQG5Vgf/a1jJ6VjZr9jPU+5V6Ku1KwFdKtb0yxzj
VY0f/ol6ooJCT8POwD71QRcNeuOug1veF1ZvDSjT6Q0E51KbV63P5/9Wnjvx+tyi
bIN6CMeLfxDwyHYI7V/PdCHp0TEQ8viOd4o2KVYBvvULz/BiQfEhqpfz8ifVCP4+
5t0ocoo0mdWE6oy9UDcFSZ4YEkFBozgHjAGUlyXqUz1xurgeS/vND65IUi5raS7R
LJ5Wl8KzgSKLc/dXor4DDdNVyue9b94FfcrbUETpEWAk6rP8acH8vFLfQHcDuFku
RR9exHREliszSt9sGTzyMIFJxq+4MZzmgEqzk/YJP+P+NakxzcZLjw==
=zf03
- -----END PGP SIGNATURE-----
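The MS03-028 flaw is reflected cross-site scripting: an error page built by the proxy copies part of the client's request into HTML without escaping it. The block below is an added example for this briefing, not ISA Server's code; it shows the bug class with a vulnerable and a hardened rendering of the same error page, and a check a tester can run on a captured response to see whether a harmless probe string came back with its HTML metacharacters intact. The page layout, the probe string and the URL in the demonstration are assumptions for illustration.

```python
"""Reflected XSS in a proxy error page: vulnerable and hardened forms,
plus a check for captured responses.

Added example for the MS03-028 advisory; not part of the original
bulletin and not ISA Server's actual page.  Template and probe are
assumptions."""
import html

# Assumed page layout: the refused URL is echoed inside the body text.
ERROR_TEMPLATE = (
    "<html><head><title>{code} {reason}</title></head><body>\n"
    "<h1>{code} {reason}</h1>\n"
    "<p>The request for <b>{url}</b> was refused by the proxy's "
    "access policy.</p>\n"
    "</body></html>\n"
)

# Probe used by the checker.  It closes a quoted attribute and then opens
# a script tag, so it is reflected intact only when nothing was escaped.
XSS_PROBE = '"><script>alert(1)</script>'


def render_error_unsafe(code: int, reason: str, url: str) -> str:
    """Echoes the client's URL into HTML verbatim: the MS03-028 bug class."""
    return ERROR_TEMPLATE.format(code=code, reason=reason, url=url)


def render_error_safe(code: int, reason: str, url: str) -> str:
    """Escape every attacker-influenced string for the HTML text context.
    quote=True also neutralises the probe's leading quote character."""
    return ERROR_TEMPLATE.format(code=code,
                                 reason=html.escape(reason, quote=True),
                                 url=html.escape(url, quote=True))


def reflected_unescaped(body: str, probe: str = XSS_PROBE) -> bool:
    """True if the probe survived in the response body unchanged, i.e. a
    real payload in its place would have executed in the victim's browser."""
    return probe in body


def probe_url(blocked_site: str, probe: str = XSS_PROBE) -> str:
    """Build the request a tester would send through the proxy: a site
    the access policy refuses, with the probe in the query string."""
    return f"{blocked_site}?{probe}"


if __name__ == "__main__":
    url = probe_url("http://blocked.example/")   # placeholder host
    for label, render in (("unsafe", render_error_unsafe),
                          ("safe  ", render_error_safe)):
        body = render(403, "Forbidden", url)
        print(label, "reflected unescaped:", reflected_unescaped(body))
```

To test a real proxy, request probe_url(...) for a site the access policy refuses, capture the error page the proxy returns, and pass the body to reflected_unescaped; True means the error page echoes client input unescaped and the 816456 patch, or an equivalent fix, is needed.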

Reprinted with permission of Microsoft Corporation.
- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBPxZccYpao72zK539AQGmZQP+MFtJIREqONuk1EyKm87Hbsq45w90H/ls
/rU/WjMkKMLQjmkz73bTle4pDdj7l9gApcjL9kfYL9u/PI4V6KuOV7jfjjVScSOr
hV6HerQhcWm5J7Z91d/2I8ZGUnN3hVF5f1LPDv3hDdIsEQEID8ZKdOwY8gztKhIu
HEnEYuzmVkU=
=J6mo
-----END PGP SIGNATURE-----