ms03-049

Posted Nov 14, 2003
Site microsoft.com

Microsoft Security Bulletin MS03-049 - A security vulnerability exists in the Workstation service that could allow remote code execution on an affected system. This vulnerability results because of an unchecked buffer in the Workstation service. If exploited, an attacker could gain System privileges on an affected system, or could cause the Workstation service to fail. An attacker could take any action on the system, including installing programs, viewing data, changing data, or deleting data, or creating new accounts with full privileges.

tags | advisory, remote, code execution
SHA-256 | 2ebf3e9a6635c0389c71cb5892f6c16f50e7ee7d9b2ac16950fd17ef4028aea8

Microsoft Security Bulletin MS03-049

Buffer Overrun in the Workstation Service Could Allow Code Execution
(828749)

Issued: November 11, 2003
Version Number: 1.0

Summary

Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch
immediately.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service
Pack 4 - Download the update
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1 -
Download the update
* Microsoft Windows XP 64-Bit Edition - Download the update

Note: The Windows XP security updates that released on October
15th as part of Security Bulletin MS03-043 (828035) include the
updated file that helps protect from this vulnerability. If you
have applied the Windows XP security updates for MS03-043 (828035)
you do not have to reapply this update. However, the Windows 2000
security update that is released as part of this security bulletin
contains updated files that were not part of the MS03-043 (828035)
security bulletin. Customers have to apply this Windows 2000
security update even if they applied the Windows 2000 security
updates for MS03-043 (828035).

Non Affected Software
* Microsoft Windows NT Workstation 4.0, Service Pack 6a
* Microsoft Windows NT Server 4.0, Service Pack 6a
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service
Pack 6
* Microsoft Windows Millennium Edition
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition

The software listed above has been tested to determine if the
versions are affected. Other versions are no longer supported, and
may or may not be affected.

Technical Details

Technical description:

A security vulnerability exists in the Workstation service that
could allow remote code execution on an affected system. This
vulnerability results because of an unchecked buffer in the
Workstation service.

If exploited, an attacker could gain System privileges on an
affected system, or could cause the Workstation service to fail. An
attacker could take any action on the system, including installing
programs, viewing data, changing data, or deleting data, or
creating new accounts with full privileges.

Mitigating factors:
* If users have blocked inbound UDP ports 138, 139, 445 and TCP
ports 138, 139, 445 by using a firewall an attacker would be
prevented from sending messages to the Workstation service. Most
firewalls, including Internet Connection Firewall in Windows XP,
block these ports by default.
* Disabling the Workstation service will prevent the possibility of
attack. However there are a number of impacts when performing this
workaround. Please see the Workaround section for more details.
* Only Windows 2000 and Windows XP are affected. Other operating
systems are not vulnerable to this attack.

Severity Rating:

Microsoft Windows 2000 Critical
Microsoft Windows XP Critical

The above assessment is based on the types of systems affected by
the vulnerability, their typical deployment patterns, and the
effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0812

Workarounds

Microsoft has tested the following workarounds that apply to this
vulnerability. These workarounds help block known attack vectors,
however they will not correct the underlying vulnerability.
Workarounds may reduce functionality in some cases; in such cases,
the reduction in functionality is identified below.
* Block UDP ports 138, 139, 445 and TCP ports 138, 139, 445 at your
firewall.
These ports are used to accept a Remote Procedure Call (RPC)
connection at a remote computer. Blocking them at the firewall
will help prevent systems behind that firewall from being attacked
by attempts to exploit this vulnerability.

* Use a personal firewall such as Internet Connection Firewall,
which is included with Windows XP.
If you use the Internet Connection Firewall feature in Windows XP
to help protect your Internet connection, Internet Connection
Firewall blocks inbound traffic from the Internet or from the
intranet by default.
To enable the Internet Connection Firewall feature by using the
Network Setup Wizard:
   1. Click Start, and then click Control Panel.
   2. In the default Category View, click Network and Internet
      Connections, and then click Setup or change your home or
      small office network. The Internet Connection Firewall
      feature is enabled when you select a configuration in the
      Network Setup Wizard that indicates that your computer is
      connected directly to the Internet.
To configure Internet Connection Firewall manually for a
connection:
   1. Click Start, and then click Control Panel.
   2. In the default Category View, click Networking and Internet
      Connections, and then click Network Connections.
   3. Right-click the connection on which you want to enable
      Internet Connection Firewall, and then click Properties.
   4. Click the Advanced tab.
   5. Select the Protect my computer or network by limiting or
      preventing access to this computer from the Internet check
      box, and then click OK.

Note: If you want to enable the use of some applications and
services through the firewall, click Settings on the Advanced tab,
and then select the programs, the protocols, and the services.

* Enable advanced TCP/IP filtering on Windows 2000-based systems and
on Windows XP-based systems.
You can enable advanced TCP/IP filtering to block all unsolicited,
inbound traffic. For additional information about how to configure
TCP/IP filtering, click the following article number to view the
article in the Microsoft Knowledge Base:

309798 HOW TO: Configure TCP/IP Filtering in Windows 2000

* Disable the Workstation service.
You can disable the Workstation service to help prevent the
possibility of an attack.
To disable the Workstation service on Windows XP:
   a. Click Start, and then click Control Panel.
   b. In the default Category View, click Performance and
      Maintenance.
   c. Click Administrative Tools.
   d. Double-click Services.
   e. Double-click Workstation.
   f. On the General tab, click Disabled in the Startup type list.
   g. Click Stop under Service status, and then click OK.
To disable the Workstation service on Windows 2000:
   a. Click Start, point to Settings, and then click Control Panel.
   b. Double-click Administrative Tools.
   c. Double-click Services.
   d. Double-click Workstation.
   e. On the General tab, click Disabled in the Startup type list.
   f. Click Stop under Service status, and then click OK.

Impact of Workaround: If the Workstation service is disabled, the
system cannot connect to any shared file resources or shared print
resources on a network. Only use this workaround on stand-alone
systems (such as many home systems) that do not connect to a
network. If the Workstation service is disabled, any services that
explicitly depend on the Workstation service do not start, and an
error message is logged in the system event log. The following
services depend on the Workstation service:

* Alerter
* Browser
* Messenger
* Net Logon
* RPC Locator

These services are required to access resources on a network and to
perform domain authentication. Internet connectivity and browsing
for stand-alone systems, such as users on dial-up connections, on
DSL connections, or on cable modem connections, should not be
affected if these services are disabled.

Note: The Microsoft Baseline Security Analyzer will not function if
the Workstation service is disabled. It is possible that other
applications may also require the Workstation service. If an
application requires the Workstation service, simply re-enable the
service. This can be performed by changing the Startup Type for the
Workstation service back to Automatic and restarting the system.

Frequently Asked Questions

What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who
successfully exploited this vulnerability could allow remote code
execution with System privileges on an affected system, or an
attacker could cause the Workstation service to fail. The attacker
could then take any action on the system, including installing
programs, viewing data, changing data, or deleting data, or
creating new accounts with full privileges.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer within the
Workstation service.

What is the Workstation Service?
Both local file system requests and remote file or print network
requests are routed through the Workstation service. This service
determines where the resource is located and then routes the
request to the local file system or to the networking components.
When the Workstation service is stopped, all requests are assumed
to be local requests. For a detailed understanding of the Windows
networking architecture, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/winntas/reskit/net/chptr1.asp

What could this vulnerability enable an attacker to do?
An attacker who successfully exploited this vulnerability could
cause code to execute with System privileges on an affected system
or could cause the Workstation service to fail. An attacker could
then take any action on the system, including installing programs,
viewing data, changing data, or deleting data, or creating new
accounts with full privileges.

Who could exploit the vulnerability?
Any anonymous user who could deliver a malformed message to the
Workstation service on an affected system could attempt to exploit
this vulnerability. Because the Workstation service is enabled by
default in all versions of Windows, this means that any user who
could establish a connection with an affected system could attempt
to exploit this vulnerability.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a
specially-crafted network message and by sending the message to the
Workstation service on an affected system. Receipt of such a
message could cause the Workstation service on the vulnerable
system to fail in such a way that could allow the Workstation
service to execute code.

An attacker could also access the affected component through
another vector, such as one that would involve logging onto the
system interactively or by using another application that passed
parameters to the vulnerable component (locally or remotely).

What does the update do?
The update eliminates the vulnerability by ensuring that the
Workstation service properly validates the length of a message
before passing the message to the allocated buffer.

Why does the Windows XP update reference the MS03-043 Security
Bulletin?
The Windows XP security updates that released on October 15th as
part of Security Bulletin MS03-043 (828035) include the updated
file that helps protect from this vulnerability. If you have
applied the Windows XP security updates for MS03-043 (828035) you
do not have to reapply this update. However, the Windows 2000
security update that is released as part of this security bulletin
contains updated files that were not part of the MS03-043 (828035)
security bulletin. Customers have to apply this Windows 2000
security update even if they applied the Windows 2000 security
updates for MS03-043 (828035).

Security Update Information

Installation platforms and Prerequisites:

For information about the specific security update for your
platform, click the appropriate link:

Windows XP (all versions)

Note: The Windows XP security updates that released on October
15th as part of Security Bulletin MS03-043 (828035) include the
updated file that helps protect from this vulnerability. If you
have applied the Windows XP security updates for MS03-043 (828035)
you do not have to reapply this update. However, the Windows 2000
security update that is released as part of this security bulletin
contains updated files that were not part of the MS03-043 (828035)
security bulletin. Customers have to apply this Windows 2000
security update even if they applied the Windows 2000 security
updates for MS03-043 (828035). For complete Windows XP security
update details please consult the MS03-043 security bulletin.

Windows 2000 (all versions)

Prerequisites

For Windows 2000 this security update requires Service Pack 2
(SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

For information about the Windows desktop product life cycle, visit
the following Microsoft Web site:
http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx

For additional information, click the following article number to
view the article in the Microsoft Knowledge Base: 260910 How to
Obtain the Latest Windows 2000 Service Pack

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service
Pack 5.

Installation Information

This security update supports the following Setup switches:

   /help          Displays the command line options

Setup Modes

   /quiet         Quiet mode (no user interaction or display)
   /passive       Unattended mode (progress bar only)
   /uninstall     Uninstalls the package

Restart Options

   /norestart     Do not restart when installation is complete
   /forcerestart  Restart after installation

Special Options

   /l             Lists installed Windows hotfixes or update packages
   /o             Overwrite OEM files without prompting
   /n             Do not backup files needed for uninstall
   /f             Force other programs to close when the computer shuts down

Note: For backward compatibility, the security update also supports
the setup switches used by the previous version of the setup
utility, however usage of the previous switches should be
discontinued as this support may be removed in future security
updates.

Deployment Information

To install the security update without any user intervention, use
the following command line for Windows 2000 Service Pack 2, Windows
2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb828749-x86-enu /passive /quiet

To install the security update without forcing the computer to
restart, use the following command line for Windows 2000 Service
Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb828749-x86-enu /norestart

Note: You can combine these switches into one command line.

For information about how to deploy this security update with
Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserversystem/sus/default.mspx

Restart Requirement

In some cases, this update does not require a reboot. The installer
stops the needed services, applies the update, then restarts them.
However, if the needed services cannot be stopped for any reason
or if required files are in use, it will require a reboot. If this
occurs, a prompt will be displayed advising of the need to reboot.

Removal Information

To remove this security update, use the Add/Remove Programs tool in
Control Panel.

System administrators can use the Spuninst.exe utility to remove
this security update. The Spuninst.exe utility is located in the
%Windir%\$NTUninstallKB828749$\Spuninst folder, and it supports the
following Setup switches:

/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).

File Information

The English version of this fix has the file attributes (or later)
that are listed in the following table. The dates and times for
these files are listed in coordinated universal time (UTC). When
you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time Zone
tab in the Date and Time tool in Control Panel.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows
2000 Service Pack 4:

Date         Time   Version         Size    File Name
02-Oct-2003  21:53  5.00.2195.6862  96,528  Wkssvc.dll

Verifying Update Installation

To verify that the security update is installed on your computer
use the Microsoft Baseline Security Analyzer (MBSA) tool. For
additional information about MBSA, click the following article
number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is
Available

You may also be able to verify the files that this security update
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828749\Filelist

Note: This registry key may not be created properly when an
administrator or an OEM integrates or slipstreams the 828749
security update into the Windows installation source files.
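
As an added example (not part of the bulletin and not Microsoft tooling), the following Python triages a host inventory against the File Information table and the affected and non-affected software lists above, comparing Wkssvc.dll versions numerically so that "or later" is handled correctly. The inventory field names, the helper function names and the sample hosts are assumptions made for illustration.

```python
# Added example: MS03-049 triage from inventory data. Field names and the
# sample hosts are constructed for illustration, not taken from the bulletin.
FIXED_WIN2000_WKSSVC = "5.00.2195.6862"  # Wkssvc.dll, File Information table
BULLETIN_PORTS = {138, 139, 445}         # ports listed under Mitigating factors

def parse_version(text):
    """Convert '5.00.2195.6862' to (5, 0, 2195, 6862) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(p) for p in parts)

def classify_os(os_name):
    """Map an OS string onto the bulletin's affected / non-affected lists."""
    name = os_name.lower()
    # Check the 2003 products first: 'Windows XP 64-Bit Edition Version 2003'
    # is listed as not affected although 'Windows XP 64-Bit Edition' is.
    if "version 2003" in name or "server 2003" in name:
        return "not_affected"
    if "windows nt" in name or "millennium" in name:
        return "not_affected"
    if "windows 2000" in name:
        return "win2000"
    if "windows xp" in name:
        return "winxp"
    return "untested"

def triage(host):
    """Return (status, exposed_ports) for one inventory record."""
    family = classify_os(host["os"])
    if family == "win2000":
        version = host.get("wkssvc_version")
        if version is None:
            status = "unknown"
        elif parse_version(version) >= parse_version(FIXED_WIN2000_WKSSVC):
            status = "patched"      # the table lists this version "or later"
        else:
            status = "vulnerable"
    elif family == "winxp":
        # The XP fix shipped with MS03-043 (828035); its file version is not
        # given in this bulletin, so defer to that bulletin.
        status = "check MS03-043"
    elif family == "not_affected":
        status = "not affected"
    else:
        status = "untested"
    open_ports = set(host.get("open_inbound_ports", []))
    return status, sorted(BULLETIN_PORTS & open_ports)

SAMPLE_INVENTORY = [  # constructed records; versions other than the fix are made up
    {"name": "w2k-a", "os": "Windows 2000 SP4",
     "wkssvc_version": "5.00.2195.6601", "open_inbound_ports": [139, 445]},
    {"name": "w2k-b", "os": "Windows 2000 SP3",
     "wkssvc_version": "5.00.2195.6862", "open_inbound_ports": [80]},
    {"name": "w2k-c", "os": "Windows 2000 SP4",
     "wkssvc_version": "5.0.2195.10000", "open_inbound_ports": []},
    {"name": "xp-a", "os": "Windows XP SP1", "open_inbound_ports": [445]},
    {"name": "xp64", "os": "Windows XP 64-Bit Edition Version 2003"},
    {"name": "srv", "os": "Windows Server 2003"},
]

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        print(host["name"], *triage(host))
```

A plain string comparison would rate the constructed version 5.0.2195.10000 as older than 5.00.2195.6862, which is why the versions are parsed into integers first.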

Acknowledgments

Microsoft thanks the following for working with us to protect
customers:
* eEye Digital Security for reporting the issue in MS03-049.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:
* Security updates are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch".
* Updates for consumer platforms are available from the
WindowsUpdate web site

Support:
* Technical support is available from Microsoft Product Support
Services at 1-866-PCSAFETY. There is no charge for support calls
associated with security patches.
* International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with
security updates. Information on how to contact Microsoft support
is available at
http://support.microsoft.com/common/international.aspx

Security Resources:
* The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
* Microsoft Software Update Services:
http://www.microsoft.com/sus/
* Microsoft Baseline Security Analyzer (MBSA) details:
http://www.microsoft.com/technet/security/tools/mbsahome.asp.
Please see
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for
a list of security updates that have detection limitations with the
MBSA tool.
* Windows Update Catalog:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
* Windows Update: http://windowsupdate.microsoft.com
* Office Update: http://office.microsoft.com/officeupdate/

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to
quickly and reliably deploy the latest critical updates and security
updates to Windows® 2000 and Windows Server(TM) 2003-based servers, as
well as to desktop computers running Windows 2000 Professional or
Windows XP Professional.

For information about how to deploy this security patch with Software
Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this
security update. For information about Systems Management Server visit
the SMS Web Site. SMS also provides several additional tools to assist
administrators in the deployment of security updates such as the SMS
2.0 Software Update Services Feature Pack and the SMS 2.0
Administration Feature Pack. The SMS 2.0 Software Update Services
Feature Pack utilizes the Microsoft Baseline Security Analyzer and the
Microsoft Office Detection Tool to provide broad support for security
bulletin remediation. Some software updates may require administrative
rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update
Services Feature Pack may be used for targeting updates to specific
computers, and the SMS 2.0 Administration Feature Pack's Elevated
Rights Deployment Tool can be used for installation. This provides
optimal deployment for updates that require explicit targeting using
Systems Management Server and administrative rights after the computer
has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if Microsoft Corporation
or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may
not apply.

Revisions:
* V1.0 (November 11, 2003): Bulletin published
