
UNIRAS Brief - 418/03 - Microsoft - Flaw in Windows Function Could Allow Denial of Service, Unchecked Buffer in DirectX Could Enable System Compromise + Cumulative Patch for Microsoft SQL Server



 
----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 418/03 dated 24.07.03  Time: 09:48
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Three Microsoft Security Bulletins:

1: Flaw in Windows Function Could Allow Denial of Service - MS03-029

2: Unchecked Buffer in DirectX Could Enable System Compromise - MS03-030

3: Cumulative Patch for Microsoft SQL Server - MS03-031

Detail
====== 

1: Flaw in Windows Function Could Allow Denial of Service - MS03-029

----------------------------------------------------------------------
Title:      Flaw in Windows Function Could Allow Denial of Service 
            (823803)
Date:       23 July 2003
Software:   Microsoft Windows NT 4.0 Server
Impact:     Denial of service
Max Risk:   Moderate
Bulletin:   MS03-029

Microsoft encourages customers to review the Security Bulletins at: 
http://www.microsoft.com/technet/security/bulletin/MS03-029.asp
http://www.microsoft.com/security/security_bulletins/ms03-029.asp
----------------------------------------------------------------------

Issue:
======
A flaw exists in a Windows NT 4.0 Server file management function 
that can lead to a denial of service. When a specially crafted 
request is passed to the affected function, the function can free 
memory that it does not own. If an application that calls the 
function performs no validation of user input and passes such a 
request through, the function may free memory it does not own and 
the calling application could fail. 

By default, the affected function is not accessible remotely, 
however applications installed on the operating system that are 
available remotely may make use of the affected function. 
Application servers or Web servers are two such applications that 
may access the function. Note that Internet Information Server 4.0 
(IIS 4.0) does not, by default, make use of the affected function.

Mitigating Factors:
===================
 - The default installation of Windows NT 4.0 Server is not 
   vulnerable to a remote denial of service. Additional software that 
   makes use of the affected file management function must be 
   installed on the system to expose the vulnerability remotely. 
 - If the application calling the affected file management function 
   carries out input validation, the specially crafted request may not 
   be passed to the vulnerable function. 
 - The vulnerability cannot be used to cause Windows NT 4.0 Server 
   itself to fail. Only the application that makes the request may 
   fail.

Risk Rating:
============
 - Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at
   http://www.microsoft.com/technet/security/bulletin/ms03-029.asp
   http://www.microsoft.com/security/security_bulletins/ms03-029.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Matt Miller and Jeremy Rauch of @stake, http://www.atstake.com

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.


2: Unchecked Buffer in DirectX Could Enable System Compromise - MS03-030

----------------------------------------------------------------------
Title:      Unchecked Buffer in DirectX Could Enable System 
            Compromise (819696)
Date:       July 23, 2003
Software:   Microsoft DirectX(r) 5.2 on Windows 98 
            Microsoft DirectX 6.1 on Windows 98 SE 
            Microsoft DirectX 7.0a on Windows Millennium Edition 
            Microsoft DirectX 7.0 on Windows 2000 
            Microsoft DirectX 8.1 on Windows XP 
            Microsoft DirectX 8.1 on Windows Server 2003 
            Microsoft DirectX 9.0a when installed on Windows 98 
            Microsoft DirectX 9.0a when installed on Windows 98 SE 
            Microsoft DirectX 9.0a when installed on Windows
            Millennium Edition 
            Microsoft DirectX 9.0a when installed on Windows 2000 
            Microsoft DirectX 9.0a when installed on Windows XP 
            Microsoft DirectX(r) 9.0a when installed on Windows 
            Server 2003 
            Microsoft Windows NT 4.0 Server with either Windows
            Media Player 6.4 or Internet Explorer 6 Service Pack 1 
            installed. 
            Microsoft Windows NT 4.0, Terminal Server Edition with 
            either Windows Media Player 6.4 or Internet Explorer 6 
            Service Pack 1 installed.

Impact:     Allow an attacker to execute code on a user's system 
Max Risk:   Critical
Bulletin:   MS03-030

Microsoft encourages customers to review the Security Bulletins at: 
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp
http://www.microsoft.com/security/security_bulletins/ms03-030.asp
----------------------------------------------------------------------

Issue:
======
DirectX consists of a set of low-level Application Programming 
Interfaces (APIs) that are used by Windows programs for multimedia 
support. Within DirectX, the DirectShow technology performs client-
side audio and video sourcing, manipulation, and rendering. 

There are two buffer overruns with identical effects in the 
function used by DirectShow to check parameters in a Musical 
Instrument Digital Interface (MIDI) file. A security vulnerability 
results because it would be possible for a malicious user to 
attempt to exploit these flaws and execute code in the security 
context of the logged-on user. 

An attacker could seek to exploit this vulnerability by creating a 
specially crafted MIDI file designed to exploit this vulnerability 
and then host it on a Web site or on a network share, or send it by 
using an HTML-based e-mail. In the case where the file was hosted 
on a Web site or network share, the user would need to open the 
specially crafted file. If the file was embedded in a page the 
vulnerability could be exploited when a user visited the Web page. 
In the HTML-based e-mail case, the vulnerability could be exploited 
when a user opened or previewed the HTML-based e-mail. A successful 
attack could cause DirectShow, or an application making use of 
DirectShow, to fail. A successful attack could also cause an 
attacker's code to run on the user's computer in the security 
context of the user. 
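The bulletin does not show the DirectShow parameter-checking function, so what follows is an added illustration, not Microsoft's code: a bounds-checked walk over the chunks of a Standard MIDI File (assumed layout: an MThd header chunk followed by MTrk track chunks, each carrying a 4-byte big-endian length) that rejects any chunk whose declared length exceeds the bytes actually present, which is exactly the check an unchecked-buffer parser lacks. The two sample files are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of validating the chunk layout of an in-memory Standard MIDI File. */
enum midi_status { MIDI_OK = 0, MIDI_TRUNCATED, MIDI_BAD_MAGIC,
                   MIDI_BAD_LENGTH, MIDI_TRACK_COUNT };

/* SMF chunk lengths are 32-bit big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk every chunk and compare its declared length with the bytes actually
 * present BEFORE that length is used as a copy size or an offset. Returns
 * MIDI_OK only when the header and all tracks lie inside the `len` bytes. */
enum midi_status midi_validate(const uint8_t *buf, size_t len) {
    uint32_t hlen, ntracks, seen = 0;
    size_t off;
    /* Header chunk: "MThd", 4-byte length (6 in SMF 1.0), format, ntracks, division. */
    if (len < 14) return MIDI_TRUNCATED;
    if (memcmp(buf, "MThd", 4) != 0) return MIDI_BAD_MAGIC;
    hlen = be32(buf + 4);
    if (hlen < 6 || hlen > len - 8) return MIDI_BAD_LENGTH;   /* file-controlled value */
    ntracks = ((uint32_t)buf[10] << 8) | buf[11];
    off = 8 + (size_t)hlen;
    /* Track chunks: "MTrk" + 4-byte length + events. Unknown chunk types are
     * skipped, as the SMF spec requires, but only after their length is checked. */
    while (off < len) {
        uint32_t clen;
        if (len - off < 8) return MIDI_TRUNCATED;            /* chunk header cut off */
        clen = be32(buf + off + 4);
        if (clen > len - off - 8) return MIDI_BAD_LENGTH;    /* would overrun the buffer */
        if (memcmp(buf + off, "MTrk", 4) == 0) seen++;
        off += 8 + (size_t)clen;                             /* cannot exceed len after the check */
    }
    return seen == ntracks ? MIDI_OK : MIDI_TRACK_COUNT;
}

/* Constructed sample: minimal well-formed file, one track holding only End of Track. */
static const uint8_t GOOD_MIDI[] = {
    'M','T','h','d', 0,0,0,6,  0,0, 0,1, 0,96,
    'M','T','r','k', 0,0,0,4,  0x00,0xFF,0x2F,0x00 };

/* Constructed sample: identical, but the track chunk claims 0x7FFFFFFF bytes. */
static const uint8_t BAD_MIDI[] = {
    'M','T','h','d', 0,0,0,6,  0,0, 0,1, 0,96,
    'M','T','r','k', 0x7F,0xFF,0xFF,0xFF,  0x00,0xFF,0x2F,0x00 };

enum midi_status check_good(void) { return midi_validate(GOOD_MIDI, sizeof GOOD_MIDI); }
enum midi_status check_bad(void)  { return midi_validate(BAD_MIDI, sizeof BAD_MIDI); }

int main(void) {
    printf("good: %d (expect 0)  bad: %d (expect %d)\n", check_good(), check_bad(), MIDI_BAD_LENGTH);
    return 0;
}
```

Passing a shorter `len` than the buffer really holds models a file cut off mid-chunk; the validator reports it as truncated rather than reading past the end.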

Mitigating Factors:
===================
 - By default, Internet Explorer on Windows Server 2003 runs in 
   Enhanced Security Configuration. This default configuration of 
   Internet Explorer blocks the e-mail-based vector of this attack 
   because Microsoft Outlook Express running on Windows Server 2003 by 
   default reads e-mail in plain text. If Internet Explorer Enhanced 
   Security Configuration were disabled, the protections put in place 
   that prevent this vulnerability from being exploited would be 
   removed.
 - In the Web-based attack scenario, the attacker would have to host 
   a Web site that contained a Web page used to exploit these 
   vulnerabilities. An attacker would have no way to force users to 
   visit a malicious Web site outside the HTML-based e-mail vector. 
   Instead, the attacker would need to lure them there, typically by 
   getting them to click a link that would take them to the attacker's 
   site. 
 - The combination of the above means that on Windows Server 2003 an 
   administrator browsing only to trusted sites should be safe from 
   this vulnerability.
 - Code executed on the system would only run under the privileges 
   of the logged-on user.

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at
   http://www.microsoft.com/technet/security/bulletin/ms03-030.asp
   http://www.microsoft.com/security/security_bulletins/ms03-030.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security, http://www.eeye.com


---------------------------------------------------------------------



3: Cumulative Patch for Microsoft SQL Server - MS03-031

-----------------------------------------------------------------
Title:      Cumulative Patch for Microsoft SQL Server (815495)

Date:       23 July 2003
Software:   
 - Microsoft SQL Server 7.0
 - Microsoft Data Engine (MSDE) 1.0
 - Microsoft SQL Server 2000
 - Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) 
 - Microsoft SQL Server 2000 Desktop Engine (Windows)

Impact:     Run code of attacker's choice
Max Risk:   Important
Bulletin:   MS03-031

Microsoft encourages customers to review the Security Bulletins at: 
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp
http://www.microsoft.com/security/security_bulletins/ms03-031.asp
-----------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, MSDE
1.0, and MSDE 2000. In addition, it eliminates three newly discovered
vulnerabilities. 

 - Named Pipe Hijacking - 
Upon system startup, SQL Server creates and listens on a specific
named pipe for incoming connections to the server. A named pipe is a
specifically named one-way or two-way channel for communication
between a pipe server and one or more pipe clients. Connection
attempts on the named pipe are checked to verify which of them may
log on to the system running SQL Server and execute queries against
the data stored on the server.

A flaw exists in this checking method that could allow an attacker
local to the system running SQL Server to hijack (gain control of)
the named pipe during another client's authenticated logon. The
attacker would then control the named pipe at the same permission
level as the user who is attempting to connect. If the user who is
attempting to connect remotely has a higher level of permissions than
the attacker, the attacker assumes those rights when the named pipe
is compromised.

 - Named Pipe Denial of Service - 
In the same named pipes scenario that is mentioned in the "Named Pipe
Hijacking" section of this bulletin, it is possible for an
unauthenticated user who is local to the intranet to send a very
large packet to a specific named pipe on which the system running SQL
Server is listening and cause it to become unresponsive.
 
This vulnerability would not allow an attacker to run arbitrary code
or elevate their permissions, but it may still be possible for a
denial of service condition to exist that would require that the
server be restarted to restore functionality.

 - SQL Server Buffer Overrun - 
A flaw exists in a specific Windows function that may allow an
authenticated user with direct access to log on to the system running
SQL Server to create a specially crafted packet that, when sent to
the listening local procedure call (LPC) port of the system, could
cause a buffer overrun. If successfully exploited, this could allow a
user with limited permissions on the system to elevate their
permissions to the level of the SQL Server service account, or cause
arbitrary code to run.

Mitigating Factors:
====================
Named Pipe Hijacking:
 - To exploit this flaw, the attacker would need to be an
   authenticated user local to the system.
 - This vulnerability provides no way for an attacker to remotely
   usurp control over the named pipe.

Named Pipe Denial of Service:
 - Although the attacker need not be authenticated, exploiting this
   flaw would require access to the local intranet. 
 - Restarting the SQL Server service will reinstate normal
   operations.
 - This flaw provides no method by which an attacker can gain 
   access to the system or to information contained in the database. 

SQL Server Buffer Overrun:
 - To exploit this flaw, the attacker would need to be an
   authenticated user local to the system.
 - This vulnerability cannot be remotely exploited.

Risk Rating:
============
 - Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletins at
   http://www.microsoft.com/technet/security/bulletin/ms03-031.asp
   http://www.microsoft.com/security/security_bulletins/ms03-031.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Andreas Junestam www.@xxxxxxxxx

-----------------------------------------------------------------


 
Reprinted with permission of Microsoft Corporation.
----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft for the information
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>