Australia's Leading Computer Emergency Response Team

AL-2003.23 -- Microsoft Workstation Service Buffer Overflow
Date: 12 November 2003
Original URL: http://www.auscert.org.au/render.html?cid=1977&it=3596
References: ESB-2004.0077  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2003.23 -- AUSCERT ALERT
               Microsoft Workstation Service Buffer Overflow
                            ISS Security Brief
                             12 November 2003
===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:                Microsoft Windows 2000 SP2/SP3/SP4
                        Microsoft Windows XP
                        Microsoft Windows XP SP1
                        Microsoft Windows XP 64-bit Edition
Publisher:              Internet Security Systems
Operating System:       Windows
Impact:                 Administrator Compromise
                        Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2003-0812

Due to the severity of this vulnerability, AusCERT is releasing this
information as an AusCERT Alert. AusCERT will continue to monitor this
vulnerability and any changes in exploit activity. AusCERT members will
be updated as information becomes available.

More information, mitigation steps and patches can be obtained from the
Microsoft site:

http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Brief
November 11, 2003

Microsoft Workstation Service Buffer Overflow 

Synopsis:

Microsoft has released Security Bulletin MS03-049 to address a serious
buffer overflow vulnerability in the Microsoft Workstation service. The
Workstation service is responsible for handling remote connections between
computers and network resources such as fileservers or networked printers.

Impact:

The Workstation service is enabled by default on vulnerable platforms. The
vulnerability is a standard stack overflow, and therefore it may be
relatively easy to exploit. Exploits written to take advantage of standard
stack overflows are generally very robust, and are good candidates for use
in the creation of Internet worms.

Affected Versions:

Microsoft Windows 2000 SP2
Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP4
Microsoft Windows XP
Microsoft Windows XP SP1
Microsoft Windows XP 64-bit Edition

Note: Microsoft Windows XP security updates associated with Security
Bulletin MS03-043 (828035) include a fix for this vulnerability. Microsoft
Windows XP users need not apply this update. Microsoft Windows 2000
customers are not protected by the previous patch.

For the complete ISS X-Force Security Alert, please visit:
http://xforce.iss.net/xforce/alerts/id/158

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If
you wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This alert is provided as a service to AusCERT's members.  As AusCERT did
not write the document quoted above, AusCERT has had no control over its   
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

NOTE: This is only the original release of the alert.  It may not be
updated when updates to the original are made.  If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the alert above.  If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be 
retrieved from:

        http://www.auscert.org.au/render.html?cid=1977

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----