Date: 29 May 2003
References: ESB-2003.0182 AU-2003.006 ESB-2003.0313
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2003.08 -- AUSCERT ALERT
Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
Microsoft Security Bulletin MS03-007 REVISED
29 May 2003
===========================================================================
AusCERT Alert Summary
---------------------
Product:          Windows ntdll.dll
Publisher:        Microsoft
Operating System: Windows XP
                  Windows 2000
                  Windows NT
Impact:           Administrator Compromise
Access Required:  Remote
CVE Names:        CAN-2003-0109
Ref:              AU-2003.006
                  AL-2003.02
                  ESB-2003.0313
                  ESB-2003.0182
Due to the severity and current exploitation of this vulnerability
against Windows 2000 servers, and now that the vulnerability has been
found to exist in Windows NT 4.0 and Windows XP, AusCERT is releasing
this information as an AusCERT Alert.
For additional information and appropriate patches, please reference
the Microsoft Security Bulletin MS03-007, available at:
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
AusCERT will continue to monitor this vulnerability and any exploit
activity. AusCERT members will be updated as information becomes
available.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - - -----------------------------------------------------------------
Title:     Unchecked Buffer In Windows Component Could Cause
           Server Compromise (815021)
Released:  17 Mar 2003
Revised:   28 May 2003 (version 3.0)
Software:  Microsoft (r) Windows (r) NT 4.0, Windows 2000 and
           Windows XP
Impact:    Run code of attacker's choice
Max Risk:  Critical
Bulletin:  MS03-007
Microsoft encourages customers to review the Security Bulletin
at:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/security/security_bulletins/ms03-007.asp
- - - -----------------------------------------------------------------
Reason for Revision:
====================
Microsoft originally released this security bulletin on March 17,
2003. At that time, Microsoft was aware of a publicly available
exploit that was being used to attack Windows 2000 Servers running
IIS 5.0. The attack vector in this case was WebDAV although the
underlying vulnerability was in a core operating system component,
ntdll.dll. Microsoft issued a patch to protect Windows 2000
customers shortly afterwards, but also continued to investigate the
underlying vulnerability. During the course of that investigation,
Microsoft found that Windows NT 4.0 also contains the underlying
vulnerability in ntdll.dll; however, Windows NT 4.0 does not support
WebDAV, and therefore the known exploit was not effective against
it. In addition, Microsoft has recently been made aware that this
vulnerability also exists in Windows XP. However, like Windows NT 4.0,
Windows XP does not install Internet Information Services (IIS) by
default. Microsoft has now released patches for Windows NT 4.0 and
Windows XP.
Issue:
======
Microsoft Windows 2000 supports the World Wide Web Distributed
Authoring and Versioning (WebDAV) protocol. WebDAV, defined in
RFC 2518, is a set of extensions to the Hypertext Transfer
Protocol (HTTP) that provide a standard for editing and file
management between computers on the Internet. A security
vulnerability is present in a Windows component used by WebDAV
and results because a core operating system component, ntdll.dll,
contains an unchecked buffer.
An attacker could exploit the vulnerability by sending a
specially formed HTTP request to a machine running Internet
Information Server (IIS). The request could cause the server to
fail or to execute code of the attacker's choice. The code would
run in the security context of the IIS service (which, by
default, runs in the LocalSystem context).
Although Microsoft has supplied a patch for this vulnerability
and recommends all affected customers install the patch
immediately, additional tools and preventive measures have been
provided that customers can use to block the exploitation of
this vulnerability while they are assessing the impact and
compatibility of the patch. These temporary workarounds and
tools are discussed in the "Workarounds" section in the FAQ
below.
Mitigating Factors:
====================
- URLScan, which is a part of the IIS Lockdown Tool, will block
this attack in its default configuration.
- The vulnerability can only be exploited remotely if an attacker
can establish a web session with an affected server.
- Windows NT 4.0 and Windows XP do not install Internet
Information Services by default.
- Windows NT 4.0 does not support WebDAV.
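Triage logic for the URLScan mitigating factor above, as an added example that is not part of the AusCERT alert or of Microsoft's bulletin: it parses IIS W3C extended log lines and flags every request whose verb falls outside the allowlist URLScan ships with (GET, HEAD and POST under [AllowVerbs]), which is what makes URLScan refuse the WebDAV vector in its default configuration. The log lines are constructed, and the allowlist is assumed to match URLScan's default urlscan.ini.

```python
# Added example (not from the AusCERT alert or the Microsoft bulletin): triage
# IIS W3C extended log lines for requests that URLScan's default verb policy
# would have rejected. The log lines below are constructed.

# [AllowVerbs] in URLScan's default urlscan.ini (UseAllowVerbs=1); every other
# verb, including the WebDAV verbs, is refused before IIS sees the request.
ALLOWED_VERBS = frozenset({"GET", "HEAD", "POST"})

# WebDAV methods from RFC 2518, used only to label why a line was flagged.
WEBDAV_VERBS = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                          "LOCK", "UNLOCK", "SEARCH"})

def parse_w3c(lines):
    """Yield one dict per request, keyed by the log's #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other directives, blank lines, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def flag_requests(lines, allowed=ALLOWED_VERBS):
    """Return (client ip, verb, uri, reason) for each request URLScan would block."""
    flagged = []
    for rec in parse_w3c(lines):
        verb = rec.get("cs-method", "").upper()
        if verb in allowed:
            continue
        reason = "webdav-verb" if verb in WEBDAV_VERBS else "non-allowlisted-verb"
        flagged.append((rec.get("c-ip"), verb, rec.get("cs-uri-stem"), reason))
    return flagged

# Constructed sample in IIS 5.0 W3C extended format (not a real server log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-03-18 10:15:01 192.0.2.10 GET /default.htm 200
2003-03-18 10:15:03 192.0.2.20 SEARCH / 500
2003-03-18 10:15:04 192.0.2.20 PROPFIND /scripts 207
2003-03-18 10:15:09 192.0.2.30 TRACE / 200
""".splitlines()

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("%s %s %s (%s)" % hit)
```

A server that has not yet been patched should show no WebDAV verbs at all in its logs once URLScan is in place; any that appear are worth correlating with the IIS service's health at that time.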
Risk Rating:
============
- Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
http://www.microsoft.com/security/security_bulletins/ms03-007.asp
for information on obtaining this patch.
- - - -----------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/render.html?cid=1977
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----