Security Bulletin

Microsoft Security Bulletin MS02-045 - Moderate

Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)

Published: August 22, 2002

Version: 1.0

Originally posted: August 22, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Windows NT®, Windows® 2000 and Windows XP.

Impact of vulnerability: Denial of service.

Maximum Severity Rating: Moderate

Recommendation: Administrators should consider installing the patch.

Affected Software:

  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Windows XP Professional

General Information

Technical details

Technical description:

SMB (Server Message Block) is the protocol Microsoft uses to share files, printers and serial ports, and to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers return SMB responses, in what is described as a client-server, request-response protocol.

By sending a specially crafted request packet, an attacker can mount a denial of service attack against the target server and crash the system. The attacker could use either a user account or anonymous access to accomplish this. Though not confirmed, it may also be possible to execute arbitrary code.

Mitigating factors:

  • An administrator can block access to the SMB ports from untrusted networks. Blocking TCP ports 445 and 139 at the network perimeter prevents this attack from untrusted parties. In a file and print sharing environment this may not be practical, because it also blocks legitimate users.
  • An administrator can stop the Lanman server service, which prevents the attack, but again this may not be suitable on a file and print server because it stops sharing altogether.
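The two mitigating factors above, plus the anonymous-access setting discussed in the FAQ below, can be audited from PowerShell. The following is an added example and is not part of the bulletin; it assumes PowerShell 3.0 or later and netstat.exe on the host being checked (the NT 4.0 / 2000 / XP systems this bulletin covers predate PowerShell, so on those hosts the same checks are done by hand with netstat, the Services control panel and regedit). The function and its output field names are our own.

```powershell
# Added example (not from the bulletin): audit the MS02-045 mitigations on a
# Windows host. Assumes PowerShell 3.0+ and netstat.exe. Function and field
# names are ours, not anything Microsoft ships.

function Get-SmbExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, stop the Server service (the "Lanman server service" in the
        # bulletin). This also stops file and print sharing on this host.
        [switch]$StopServerService
    )

    # 1. Is anything listening on the SMB ports? TCP 445 (direct-hosted SMB)
    #    and TCP 139 (NetBIOS session service) are the two ports the bulletin
    #    says to block at the perimeter. netstat output looks like:
    #      TCP    0.0.0.0:445    0.0.0.0:0    LISTENING
    $listening = netstat -an -p TCP |
        Where-Object { $_ -match 'LISTENING' } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] } |   # local address column
        Where-Object { $_ -match ':(445|139)$' }

    # 2. State of the Server service (service name LanmanServer).
    $server = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue

    # 3. Anonymous (null-session) access. The value lives under the Lsa key.
    #    0 = no restriction, 1 = restrict enumeration, 2 = no access without
    #    explicit anonymous permissions (2 is Windows 2000; XP and later use
    #    additional values, which this example does not try to interpret).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $restrictAnonymous = if ($null -ne $lsa) { [int]$lsa.RestrictAnonymous } else { 0 }

    # Optional mitigation: stop the Server service (honours -WhatIf / -Confirm).
    if ($StopServerService -and $server -and $server.Status -eq 'Running') {
        if ($PSCmdlet.ShouldProcess('LanmanServer', 'Stop-Service')) {
            Stop-Service -Name LanmanServer -Force
            $server = Get-Service -Name LanmanServer
        }
    }

    $running = ($null -ne $server) -and ($server.Status -eq 'Running')

    [pscustomobject]@{
        SmbPortsListening    = @($listening)
        ServerServiceStatus  = if ($server) { $server.Status.ToString() } else { 'NotInstalled' }
        RestrictAnonymous    = $restrictAnonymous
        # True when the host still accepts SMB at all; the attack then depends
        # only on whether the attacker has an account or anonymous access.
        SmbReachableOnHost   = $running -and (@($listening).Count -gt 0)
    }
}

# Report only; add -StopServerService -WhatIf to preview the service mitigation.
Get-SmbExposure | Format-List
```

Run the function with `-StopServerService` only on hosts that do not need to serve files or printers; on a file server the bulletin's advice is to apply the patch and block TCP 445 and 139 at the perimeter instead.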

Severity Rating:

                                                Internet Servers   Intranet Servers   Client Systems
Windows NT 4.0 Server                           Low                Moderate           Moderate
Windows NT 4.0 Workstation                      Low                Moderate           Moderate
Windows NT 4.0 Server, Terminal Server Edition  Low                Moderate           Moderate
Windows 2000 Server                             Low                Moderate           Moderate
Windows 2000 Professional                       Low                Moderate           Moderate
Windows 2000 Advanced Server                    Low                Moderate           Moderate
Windows XP                                      Low                Moderate           Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-0724

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000 and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a specially crafted request packet to a computer, an attacker can crash the target system. The attacker could use either a user account or anonymous access to accomplish this. Though not confirmed, it may also be possible to execute arbitrary code. If system administrators have turned off anonymous access, an unauthenticated user cannot exploit this vulnerability; turning off anonymous access does not, however, prevent authenticated users from carrying out the attack. In addition, an administrator can block SMB on TCP ports 445 and 139 at the network perimeter, which cuts off access from untrusted networks, although in a file and print environment it may also block legitimate users. Administrators could also stop the Lanman server service, but in a file and print environment this may not be viable because it stops legitimate users from using file and print services on the server where the service has been stopped.

What causes the vulnerability?
The vulnerability results from a flaw in the way Microsoft's SMB implementation handles a packet requesting the SMB service.

What is SMB?
SMB (Server Message Block) is the protocol Microsoft uses to share files, printers and serial ports, and to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers return SMB responses, in what is described as a client-server, request-response protocol.

What's wrong with the SMB implementation?
There is an unchecked buffer in the section of code that handles requests for the SMB service.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to launch a denial of service attack against vulnerable systems, either locally or remotely, using either a user account or anonymous access.

But this is a buffer overrun vulnerability. Don't they usually allow the attacker to run code on the system?
Normally this is true. However, during testing neither the development team nor the reporter was able to find a way for an attacker to run code on the system. This does not mean that it is impossible, only that testing so far has not produced that result. Administrators are therefore encouraged to apply the patch.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability on machines that have anonymous access enabled by sending a malformed SMB request to a target computer and crashing it.

Could this vulnerability be exploited by a user on the Internet?
Only if TCP ports 445 and 139 were open at the firewall. Blocking these ports at the firewall prevents access from untrusted networks, and best practice is to block them.

Would the user need to be authenticated in order to exploit the vulnerability?
If anonymous access has been disabled, only an authenticated user could exploit this vulnerability. Requiring authenticated users instead of anonymous access would make it easier for an administrator to determine who the attacker was.

What does the patch do?
The patch eliminates the vulnerability by validating the input before responding to SMB requests.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

  • Windows NT 4.0:

    The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.

  • The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 TSE Service Pack 6.

  • Windows 2000:

    This patch can be installed on systems running Windows 2000 Service Pack 2 or Windows 2000 Service Pack 3.

  • The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:

  • The fix for this issue will be included in Windows 2000 Service Pack 4.
  • The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\...\Q326830.

  • To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\...\Q326830\Filelist
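The registry check above can be scripted. The following is an added example, not part of the bulletin: it locates the Q326830 key by searching beneath HKLM\SOFTWARE\Microsoft\Updates (the intermediate component the bulletin elides with "..." is found rather than guessed), then lists the entries under Filelist. Because the value names used inside Filelist entries vary between hotfix generations, the example reads every string value that resolves to an existing file and reports that file's version and timestamp instead of depending on a particular value name; that choice, and the function name, are our own.

```powershell
# Added example (not from the bulletin): confirm the Q326830 hotfix from the
# registry key the bulletin names, then report the files it recorded.
# Assumes PowerShell 3.0+. Function name and output fields are ours.

function Test-HotfixRegistryKey {
    param([string]$HotfixId = 'Q326830')

    $root = 'HKLM:\SOFTWARE\Microsoft\Updates'
    $notInstalled = [pscustomobject]@{ HotfixId = $HotfixId; Installed = $false; Key = $null; Files = @() }

    if (-not (Test-Path $root)) { return $notInstalled }

    # The bulletin writes the path as HKLM\SOFTWARE\Microsoft\Updates\...\Q326830;
    # search for the leaf rather than guessing the elided component.
    $key = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
           Where-Object { $_.PSChildName -eq $HotfixId } |
           Select-Object -First 1
    if (-not $key) { return $notInstalled }

    # Each subkey of Filelist describes one file shipped by the hotfix. Value
    # names differ across hotfix generations (assumption), so inspect every
    # string value that points at an existing file instead of naming one.
    $files = @()
    $fileList = "$($key.PSPath)\Filelist"
    if (Test-Path $fileList) {
        foreach ($entry in Get-ChildItem -Path $fileList) {
            $props = Get-ItemProperty -Path $entry.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Value -is [string] -and
                    (Test-Path -LiteralPath $p.Value -PathType Leaf)) {
                    $item = Get-Item -LiteralPath $p.Value
                    $files += [pscustomobject]@{
                        Entry         = $entry.PSChildName
                        Path          = $item.FullName
                        FileVersion   = $item.VersionInfo.FileVersion
                        LastWriteTime = $item.LastWriteTime
                    }
                }
            }
        }
    }

    [pscustomobject]@{
        HotfixId  = $HotfixId
        Installed = $true
        Key       = $key.Name
        Files     = $files
    }
}

$result = Test-HotfixRegistryKey
$result | Select-Object HotfixId, Installed, Key | Format-List
$result.Files | Format-Table -AutoSize
```

Compare the reported FileVersion and LastWriteTime values against the date/time and version information recorded in the Filelist key itself; a file that is older than the entry describing it indicates the patch was overwritten, for example by a later reinstall of a service pack.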

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Alberto Solino and Hernan Ochoa of the Security Consulting Services team of Core Security Technologies for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q326830 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (August 22, 2002): Bulletin Created.
