Internet Security Systems Security Alert
August 29, 2002

Microsoft Windows SMB Denial of Service Vulnerability

Synopsis:

A vulnerability has been reported in the Windows file and resource sharing mechanism. The SMB (Server Message Block) protocol handles the sharing of files and devices in Windows environments. A flaw in the implementation of SMB may allow remote attackers to launch DoS (Denial of Service) attacks against vulnerable systems.

Impact:

A remote attacker can cause a vulnerable system to crash by sending a specially crafted SMB packet to an open NetBIOS port (TCP port 139). These ports are typically filtered on outward-facing Internet servers. This vulnerability poses a significant DoS risk to unprotected home or small/medium size business servers, or any servers not protected by basic protection systems. An exploit tool for this vulnerability has been released and is actively circulating in the computer underground. ISS has detected increased scanning activity for this SMB vulnerability across the Internet.

Affected Versions:

Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Windows XP Professional

Description:

All affected versions of the Windows operating system are configured with the vulnerable service enabled by default. SMB is a core component of Windows networking technology. SMB clients and servers that share and provide network resources such as files, print sharing, or port sharing use the SMB protocol to communicate. A flaw in the Windows SMB implementation may allow attackers to craft special packets to trigger a heap overflow. This overflow allows the attacker to write data onto the heap, which triggers the DoS.
X-Force has examined the vulnerability in detail and believes that at this time it is not possible to control the data that is written onto the heap; therefore it is not possible to execute arbitrary code by way of this vulnerability.

Recommendations:

X-Force recommends that all SMB traffic be filtered at the perimeter to block this attack, and similar attacks that involve incorrectly configured SMB file shares. Windows XP users are encouraged to configure their Internet Connection Firewall (ICF) to block SMB connections. This recommendation is particularly significant for home users with "always-on" broadband connections.

A workaround for this issue exists that may block the DoS attack from unauthenticated, anonymous users. The local security policy for Windows NT, 2000, and XP allows anonymous connections, or "null sessions". If null sessions are disallowed, anonymous users cannot successfully exploit the vulnerability. However, authenticated users can still execute the DoS attack.

To disable null sessions:

On Windows XP, open the Local Security Policy and enable the following security options:
  "Network Access: Do not allow anonymous enumeration of SAM accounts"
  "Network access: Do not allow anonymous enumeration of SAM accounts and shares"

On Windows 2000, enable:
  "Additional restrictions for anonymous connections"

On Windows NT 4.0 SP3 and later, locate "restrictanonymous" in the following key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
"restrictanonymous" should be set to 1 to disable null sessions.

RealSecure 7.0 customers can configure a user-defined event to detect exploit attempts:

alert tcp any any -> any 139 (msg: "DoS SMB";flags: A+; content:"|504950455c4c414e4d414e00|";)

For more information on RealSecure 7.0 TRONS events, search for "trons" in the ISS Knowledgebase: http://www.iss.net/support/knowledgebase/.
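The user-defined event above is a Snort-style rule: destination port 139, ACK set ("flags: A+"), and a fixed byte sequence in the payload. The hex inside the pipes decodes to the ASCII string "PIPE\LANMAN" followed by a NUL, i.e. the name of the LANMAN named pipe as it appears in SMB transaction requests. The following Python is an added example, not ISS code and not part of the advisory, that decodes the rule's content field and applies the rule's three conditions to a handful of constructed TCP segments; the packet structure, sample payloads and function names are assumptions made for illustration.

```python
"""Emulate the advisory's "DoS SMB" user-defined event over constructed TCP segments.

Rule from the advisory:
  alert tcp any any -> any 139 (msg: "DoS SMB";flags: A+; content:"|504950455c4c414e4d414e00|";)
"""
from dataclasses import dataclass
from typing import List

# Content string exactly as given in the advisory (hex bytes between pipes).
RULE_CONTENT = "|504950455c4c414e4d414e00|"
RULE_DST_PORT = 139
RULE_MSG = "DoS SMB"


def decode_rule_content(spec: str) -> bytes:
    """Decode a Snort-style content string: text outside |...| is literal,
    text inside |...| is hex bytes (spaces between bytes are allowed)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


@dataclass
class TcpSegment:
    """Minimal view of a TCP segment (assumed shape; a real sensor reads these from pcap)."""
    src_port: int
    dst_port: int
    flags: str      # TCP flag letters in Snort style: S, A, P, F, R, U
    payload: bytes


def rule_matches(seg: TcpSegment) -> bool:
    """Apply the rule's three conditions: destination port 139, ACK set
    ("flags: A+" means ACK plus any other flags), and the content bytes present."""
    pattern = decode_rule_content(RULE_CONTENT)
    return (
        seg.dst_port == RULE_DST_PORT
        and "A" in seg.flags
        and pattern in seg.payload
    )


def scan(segments: List[TcpSegment]) -> List[int]:
    """Return the indexes of the segments that would raise the "DoS SMB" event."""
    return [i for i, seg in enumerate(segments) if rule_matches(seg)]


# Constructed sample traffic (not real captures). The NetBIOS session header and
# SMB header bytes are abbreviated placeholders; only the pipe name matters to the rule.
NBSS_SMB_PREFIX = b"\x00\x00\x00\x40" + b"\xffSMB" + b"\x25" + b"\x00" * 27
SAMPLE_SEGMENTS = [
    # 0: transaction naming the LANMAN pipe, to port 139 with ACK/PSH -> event fires
    TcpSegment(1025, 139, "PA", NBSS_SMB_PREFIX + b"\\PIPE\\LANMAN\x00" + b"\x00" * 8),
    # 1: same payload but to port 445 -> rule is port-139 only, no event
    TcpSegment(1026, 445, "PA", NBSS_SMB_PREFIX + b"\\PIPE\\LANMAN\x00"),
    # 2: SYN with no payload -> no event
    TcpSegment(1027, 139, "S", b""),
    # 3: transaction to a different pipe on port 139 -> no event
    TcpSegment(1028, 139, "PA", NBSS_SMB_PREFIX + b"\\PIPE\\srvsvc\x00"),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_SEGMENTS):
        s = SAMPLE_SEGMENTS[i]
        print(f"[{RULE_MSG}] {s.src_port} -> {s.dst_port} flags={s.flags}")
```

Because the rule keys only on the pipe name, it also fires on legitimate LANMAN (RAP) transactions such as share or server enumeration that use the same pipe, so the event is a trigger for investigation of the source rather than proof of an exploit attempt; pairing it with the "Windows_Null_Session" event narrows it to the anonymous case the advisory's workaround addresses.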
ISS X-Force will provide detection and assessment support for this vulnerability in upcoming X-Press Updates for RealSecure Network Sensor and Internet Scanner. RealSecure Network Sensor 6.5 and 7.0 can detect this attack, as well as all SMB null session connection attempts, with the "Windows_Null_Session" event. Internet Scanner can currently assess whether systems are vulnerable to null session connections with the "NetBIOS shares - null session" check. System Scanner can detect whether null sessions are enabled with the "reg-share-04" check.

Microsoft has released security patches for all affected versions. Please refer to the Microsoft Security Bulletin referenced in the Additional Information section.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-0724 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Microsoft Security Bulletin MS02-045
http://www.microsoft.com/technet/security/bulletin/MS02-045.asp

Core Security Technologies Advisory
http://www.corest.com/common/showdoc.php?idx=262&idxseccion=10

X-Force Database
http://www.iss.net/security_center/static/9933.php

Microsoft Windows Internet Connection Firewall overview
http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/hnw_understanding_firewall.asp