Date: 28 April 2003
References: ESB-2003.0182 ESB-2003.0579 ESB-2003.0590
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0313 -- Microsoft Security Bulletin MS03-007
Unchecked Buffer In Windows Component Could Cause Server Compromise
(815021)
28 April 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Windows ntdll.dll
Vendor: Microsoft
Operating System: Windows 2000
Windows NT
Impact: Administrator Compromise
Access Required: Remote
CVE Names: CAN-2003-0109
Ref: AL-2003.02
ESB-2003.0182
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Unchecked Buffer In Windows Component Could Cause
Server Compromise (815021)
Released: 17 Mar 2003
Revised: 23 Apr 2003 (version 2.0)
Software: Microsoft (r) Windows (r) NT 4.0 and Windows 2000
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-007
Microsoft encourages customers to review the Security Bulletin
at: http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/security/security_bulletins/ms03-007.asp
- - ----------------------------------------------------------------------
Reason for Revision:
====================
Microsoft originally released this security bulletin on March 17,
2003. At that time, Microsoft was aware of a publicly available
exploit that was being used to attack Windows 2000 Servers
running IIS 5.0. The attack vector in this case was WebDAV
although the underlying vulnerability was in a core operating
system component, ntdll.dll. Microsoft issued a patch to protect
Windows 2000 customers shortly afterwards, but also continued to
investigate the underlying vulnerability. Windows NT 4.0 also
contains the underlying vulnerability in ntdll.dll, however it
does not support WebDAV and therefore the known exploit was not
effective against Windows NT 4.0. Microsoft has now released a
patch for Windows NT 4.0.
Issue:
======
Microsoft Windows 2000 supports the World Wide Web Distributed
Authoring and Versioning (WebDAV) protocol. WebDAV, defined in
RFC 2518, is a set of extensions to the Hyper Text Transfer
Protocol (HTTP) that provide a standard for editing and file
management between computers on the Internet. A security
vulnerability is present in a Windows component used by WebDAV
and results because a core operating system component, ntdll.dll,
contains an unchecked buffer.
An attacker could exploit the vulnerability by sending a
specially formed HTTP request to a machine running Internet
Information Server (IIS). The request could cause the server to
fail or to execute code of the attacker's choice. The code would
run in the security context of the IIS service (which, by
default, runs in the LocalSystem context).
Although Microsoft has supplied a patch for this vulnerability
and recommends all affected customers install the patch
immediately, additional tools and preventive measures have been
provided that customers can use to block the exploitation of
this vulnerability while they are assessing the impact and
compatibility of the patch. These temporary workarounds and
tools are discussed in the "Workarounds" section in the FAQ
below.
Mitigating Factors:
====================
- - -URLScan, which is a part of the IIS Lockdown Tool will block
this attack in its default configuration.
- - -The vulnerability can only be exploited remotely if an attacker
can establish a web session with an affected server.
Risk Rating:
============
- Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
http://www.microsoft.com/security/security_bulletins/ms03-007.asp
for information on obtaining this patch.
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPqbKy40ZSRQxA/UrAQFYbAgApHo9krHk00+PGAkdg0W0lZLbVChL0rNO
nxiTtaLQOJ5l1IGUxGA9j2yKoj735iJQAsZiIDQyVNKjArbgoz7FOrCzZb7N4omZ
jeI2c2YT0gMF0EtAPPT7N7RdS5EX6RyoGG3b3AI2JP4DUS61OY0we5sQ+cXiFYAu
RjzDsgI+YiRgKkM7xAaQUlhtL+RS4/2T5swWFw96hubhBqJ6dHkg03JwYgH1h1o3
DNjmZA4m1aMzwTlHSMayYELzxNMgwQyXvbg+Fs48gfMfw7phQjtwS4MGFFYe1zAO
hnwocIB+BkXNgLwxAWV646hMUpRNxSh16fPQF+rSj4TSz++Q/GqI9w==
=+rX0
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPq0JMih9+71yA2DNAQG4PAP/SQ/68Q/8qKOiqlP36aBt4fr9WGDiBR5f
Tp1dMC/3PU/ztevjRZgt8xLckhnTGvk3R/U0f6omzDMjw8/nFjVaU2bHMR2Wnt40
e9VR52+LbLa8Cvf6R88wCOFjVvvC/6lLDGCN4hxkX8l3huHhxSIeo1hAvGcz+Is0
AGmAe07e/v8=
=2Zrf
-----END PGP SIGNATURE-----
|