exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CA-2003-28.MS.txt

CA-2003-28.MS.txt
Posted Nov 14, 2003
Site cert.org

CERT Advisory CA-2003-28 - A specially crafted network message can trigger a buffer overflow in Microsoft's Workstation server. The vulnerability is caused by a flaw in the network management functions of the DCE/RPC service and a logging function implemented in Workstation Service (WKSSVC.DLL). Various RPC functions will permit the passing of long strings to the vsprintf() routine that is used to create log entries. The vsprintf() routine contains no bounds checking for parameters thus creating a buffer overflow situation.

tags | advisory, overflow
SHA-256 | 979392a63ca9d86583ec3f6402dafeb1c0ea7237bc2af925d5f46a51e7c89a47

CA-2003-28.MS.txt

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-28 Buffer Overflow in Windows Workstation Service

Original release date: November 11, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service
Pack 4
* Microsoft Windows XP
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition

Overview

A buffer overflow vulnerability exists in Microsoft's Windows
Workstation Service (WKSSVC.DLL).

A remote attacker could exploit this vulnerability to execute
arbitrary code or cause a denial of service.

I. Description

Microsoft's Security Bulletin MS03-049
<http://www.microsoft.com/technet/security/bulletin/MS03-049.asp>
discusses a buffer overflow in Microsoft's Workstation Service that
can be exploited via a specially crafted network message.

According to the eEye Digital Security Advisory AD20031111, the
vulnerability is caused by a flaw in the network management functions
of the DCE/RPC service and a logging function implemented in
Workstation Service (WKSSVC.DLL). Various RPC functions will permit
the passing of long strings to the vsprintf() routine that is used to
create log entries. The vsprintf() routine contains no bounds checking
for parameters thus creating a buffer overflow situation.

The CERT/CC is tracking this issue as VU#567620. This reference number
corresponds to CVE candidate CAN-2003-0812.

II. Impact

A remote attacker could exploit this vulnerability to execute
arbitrary code with system-level privileges or to cause a denial of
service. The exploit vector and impact for this vulnerability are
conducive to automated attacks such as worms.

III. Solution

Apply a patch from your vendor

Apply the appropriate patch as specified in Microsoft Security
Bulletin MS03-049.

Appendix A contains additional information provided by vendors for
this advisory. As vendors report new information to the CERT/CC, we
will update this section and note the changes in our revision history.
If a particular vendor is not listed below or in the individual
vulnerability notes, we have not received their comments. Please
contact your vendor directly.

Restrict access

You may wish to block access from outside your network perimeter,
specifically by blocking access to TCP & UDP ports 138, 139, and 445.
This will limit your exposure to attacks. However, blocking at the
network perimeter would still allow attackers within the perimeter of
your network to exploit the vulnerability. It is important to
understand your network's configuration and service requirements
before deciding what changes are appropriate.

Disable the Workstation Service

Depending on site requirements, you may wish to disable the
Workstation Service as described in MS03-049. Disabling the
Workstation Service will help protect against this vulnerability, but
may also cause undesirable side effects. According to the Microsoft's
Security Bulletin, the impacts of disabling the Workstation Service
are as follows:

"If the Workstation service is disabled, the system cannot connect
to any shared file resources or shared print resources on a
network. Only use this workaround on stand-alone systems (such as
many home systems) that do not connect to a network. If the
Workstation service is disabled, any services that explicitly
depend on the Workstation service do not start, and an error
message is logged in the system event log. The following services
depend on the Workstation service:
* Alerter
* Browser
* Messenger
* Net Logon
* RPC Locator

These services are required to access resources on a network and to
perform domain authentication. Internet connectivity and browsing
for stand-alone systems, such as users on dial-up connections, on
DSL connections, or on cable modem connections, should not be
affected if these services are disabled.

Note: The Microsoft Baseline Security Analyzer will not function if
the Workstation service is disabled. It is possible that other
applications may also require the Workstation service. If an
application requires the Workstation service, simply re-enable the
service. This can be performed by changing the Startup Type for the
Workstation service back to Automatic and restarting the system."

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below or in the individual
vulnerability notes, we have not received their comments.

Microsoft Corporation

Microsoft has released MS03-049.
_________________________________________________________________

This vulnerability was discoved by eEye Digital Security and reported
in Microsoft Security Bulletin MS03-049.
_________________________________________________________________

Author: Jason A Rafail.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-28.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History
Nov 11, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP7F0nJZ2NNT/dVAVAQG7/wQAmaU+HCKRv46mZx8QJv2GetcS+2F9oJeZ
V5Yb6vZc+e/PldD3eVLNPLsAlSX2eKE8ecjaY429vuzoaELQXk/9fnpI3EwhduwQ
kmcUQ5zZ56yFo0tA+Ym6ksaGi/tMSUlPwZuvV/B/iS9vMXN7hcZr9eYmNey/vJuj
R2c4QCey+R8=
=/wxG
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close