Microsoft Security Bulletin MS01-043

Technical description:

The NNTP (Network News Transport Protocol) service in Windows NT 4.0, Windows 2000, and Exchange 2000 contains a memory leak in a routine that processes news postings. Each time such a posting is processed that contains a particular construction, the memory leak causes a small amount of memory to no longer be available for use. If an attacker sent a large number of posts, the server memory could be depleted to the point at which normal service would be disrupted. An affected server could be restored to normal service by stopping and starting the IISAdmin service.

Exchange 5.5 contains an NNTP service, but it is not affected by the vulnerability. Exchange 2000 does not ship a separate NNTP service; instead, if NNTP is enabled, the native Windows 2000 NNTP service is used. As a result, Exchange 2000 servers that offer NNTP services should have the Windows 2000 patch applied to them.

Mitigating factors:

• Windows NT 4.0 does not ship with a native NNTP service. Instead, it must be installed as part of the Windows NT 4.0 Option Pack. (It does not install by default as part of the Option Pack).
• Windows 2000 Professional does not ship with a native NNTP service.
• Windows 2000 server products do ship with a native NNTP service, but it is not installed by default.
• The vulnerability would not enable an attacker to usurp any administrative control or compromise data on the machine.

Vulnerability identifier: CAN-2001-0543

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000, Exchange 5.5 and Exchange 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of this vulnerability?
This is a denial of service vulnerability. By repeatedly sending a news posting to an affected server, an attacker could degrade its performance, potentially to the point where the server would be unable to provide useful service.
The vulnerability would not enable an attacker to compromise any data on the server, or to usurp any privileges on the machine. The administrator of an affected system could restore normal service by stopping and restarting the affected system service.

What causes the vulnerability?
The vulnerability results because the NNTP service in Windows NT 4.0 and Windows 2000 contains a memory leak. If a sufficient quantity of posting containing a particular malformation were received, it could deplete the available memory to the point where the server would be incapable of performing useful work.

What's NNTP?
NNTP (Network News Transfer Protocol) is an industry-standard protocol that specifies a method for posting, distributing, searching and archiving news articles via Internet-based servers. The vulnerability results because the NNTP implementation in Windows NT 4.0 and Windows 2000 contains a memory leak that could be used to disrupt the NNTP service.

What's a memory leak?
A memory leak is an implementation error that depletes the available memory on a system. As a process on a computer runs, it may need more or less memory, depending on exactly what it is doing from one minute to the next. When the process needs more memory, it requests it from the operating system; when it no longer needs the additional memory, it should return it to the operating system so it can be allocated to other processes.
A memory leak occurs when a process doesn't correctly return memory to the operating system. Instead of becoming available for allocation to another process, the memory remains assigned to the process even though the process is no longer using it. This effectively makes the block of memory unavailable.

How does the memory leak happen in this case?
In the case of this vulnerability, the NNTP service has a memory leak that results when it processes a particular type of malformed news posting. Each time the service accepts such a posting, it requests memory from the operating system; however, it doesn't return the memory when it finishes handling the request.

What could an attacker do via this vulnerability?
An attacker could repeatedly send malformed news postings to an affected server in order to deplete its pool of available memory. As the server's memory pool was depleted, its performance would gradually slow. If the attack were sustained for a long enough period, the server could potentially be brought to a standstill and be unable to perform useful work.

Does the NNTP service run by default?
The answer varies by operating system.

• Windows NT 4.0 don't provide an NNTP service. NNTP support is provided via the Windows NT 4.0 Option Pack, but it does not install by default.
• Windows 2000 Professional doesn't provide an NNTP service.
• Windows 2000 server products do provide an NNTP service, but it is not installed or running by default.

If NNTP is installed and running, is it vulnerable? 
Yes.

Exchange 5.5 and 2000 also offer NNTP services. Are they affected? 
Exchange 5.5 is not affected by the vulnerability, as its implementation is independent of the ones in Windows NT 4.0 and Windows 2000 and doesn't contain the memory leak. On the other hand, Exchange 2000 uses the native Windows 2000 NNTP service, so if an Exchange 2000 server has been configured to provide NNTP services, it's affected by the vulnerability.

Would a successful attack via this vulnerability only disrupt NNTP services, or would other services on the system be affected as well?
Because the vulnerability depletes the memory pool that all services on the machine use, a successful attack via the vulnerability would affect the operation of all services on the machine, not just the terminal services. So, for instance, if the machine also hosted shared files, users might be unable to access them after the machine had been attacked.

Would this vulnerability enable the attacker to gain any privileges on the machine?
No. The sole effect of a successful attack via this vulnerability would be to prevent the server from operating normally. It wouldn't grant any privileges to the attacker, nor would it allow any data to be compromised.

How could an affected server be put back into service?
The server could be returned to normal service by stopping the IISAdmin service and restarting it.

Could this vulnerability be exploited from the Internet?
The vulnerability could be exploited by any user who could send postings to it. If the server accepts postings from the Internet, an Internet user could exploit the vulnerability.

I use Windows NT 4.0 Server, Terminal Server Edition. Could I be affected by this vulnerability?
No. The vehicle by which the NNTP service ships, the Windows NT 4.0 Option Pack, cannot be installed on terminal servers.

I visit news servers frequently from my home computer. Does this vulnerability affect me?
No. It only affects servers that offer NNTP services; it doesn't affect the client machines that visit them.

What does the patch do?
The patch eliminates the vulnerability by causing the NNTP service in Windows NT 4.0 and Windows 2000 to properly deallocate memory after processing a news posting.

Download locations for this patch

• Windows NT 4.0 Server and Server, Enterprise Edition:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=71ED6722-E55A-41B5-8EF9-7FF5B2AEE40D&displaylang=en

• Windows 2000 Server and Advanced Server:

  http://www.microsoft..com/downloads/details.aspx?FamilyId=DDD9AB2F-23A9-4A5E-9B02-CDA8D7DCE3DE&displaylang=en

• Microsoft Windows 2000 Datacenter Server:

  Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.

  Note: Exchange 2000 servers that offer NNTP services should have the Windows 2000 patch applied to them.