Microsoft Security Bulletin MS03-013

Technical description:

Microsoft re-issued this bulletin on May 28, 2003 to advise on the availability of an updated Windows XP Service Pack 1 patch. This revised patch corrects the performance issues that some customers experienced with the original Windows XP Service Pack 1 patch.

Microsoft originally issued this bulletin on April 16, 2003. Subsequent to that date, Microsoft received reports of performance problems with the patch from some Windows XP Service Pack 1 customers. This original Windows XP Service Pack 1 patch did address the security vulnerability discussed in this security bulletin. Microsoft investigated this performance issue and confirmed that there could be performance problems when the original patch was applied to Windows XP Service Pack 1 systems. Microsoft has published a Knowledge Base article, 819634, that describes the known circumstances that can cause the performance problems to manifest themselves with the original patch. Microsoft has subsequentially re-issued the Windows XP Service Pack 1 patch to correct the performance problems. This revised patch can be downloaded from the locations described later in this bulletin.

The Windows kernel is the core of the operating system. It provides system level services such as device and memory management, allocates processor time to processes and manages error handling. There is a flaw in the way the kernel passes error messages to a debugger. A vulnerability results because an attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system.

For an attack to be successful, an attacker would need to be able to logon interactively to the system, either at the console or through a terminal session. Also, a successful attack would require the introduction of code in order to exploit this vulnerability. Because best practices recommends restricting the ability to logon interactively on servers, this issue most directly affects client systems and terminal servers.

Mitigating factors:

• A successful attack requires the ability to logon interactively to the target machine, either directly at the console or through a terminal session.
• Properly secured servers would be at little risk from this vulnerability. Standard best practices recommend only allowing trusted administrators to log onto such systems interactively; without such privileges, an attacker could not exploit the vulnerability.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0112

Tested Versions:

Microsoft tested Windows NT4, Windows 2000 and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why has Microsoft reissued this bulletin? 
Subsequent to the release of this bulletin and the associated patches, a performance related problem was identified with the Windows XP Service Pack 1 version of the patch. This problem is unrelated to the security vulnerability discussed in this bulletin, however the problem has caused some customers to notice performance degradation on Windows XP SP1 systems after applying the patch.
Microsoft has corrected this problem and re-issued this bulletin on May 28, 2003 to advise on the availability of a revised patch for Windows XP Service Pack 1.

What's the scope of the vulnerability? 
This is a privilege elevation vulnerability. An attacker who has the ability to interactively log on to a system and run code of their choice could seek to exploit this vulnerability and run code of their choice with higher privileges. This could allow an attacker to carry out any action on the system including creating administrative accounts or modifying or deleting data.
Because a successful attack would require the ability for the attacker to logon interactively and run a program, the systems most likely to be affected by this vulnerability are client systems and terminal servers, which regularly allow end-users access to the system directly. Servers such as mail servers, database servers, application servers and file servers are normally configured to restrict the ability of users to log on interactively and therefore are less likely to be affected by this vulnerability.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer used by the Windows kernel for passing error messages to a debugger.

What is the Windows Kernel?
The Windows kernel is the core of the Windows operating system. It provides basic services, such as memory and device management, which all other applications depend upon.

What is a debugger?
A debugger is a software program that provides a way for system administrators and developers to troubleshoot programs running on Windows by interrogating the code that is running on the system directly.
A debugger works by "attaching" to a particular process and then listening for error messages from that process. When an error message is detected, the debugger then displays the error message to allow analysis. The kernel manages the passage of messages to and from a debugger. Windows NT, Windows 2000 and Windows XP include a debugger.

What's wrong with the way the Kernel handles debug messages in Windows?
There is a flaw in the Windows kernel caused by a difference in the permitted size of an outgoing error message, and the size of the buffer that can receive that error message. This means that if an overly large message is passed between the kernel and the debugger, the buffer can be caused to overflow.
The flaw is in the Windows kernel and how it passes messages to the debugger, and not in the debugger itself.

What could this vulnerability enable an attacker to do?
An attacker with sufficient rights to logon interactively could use this vulnerability to run code of their choice. For example, the attacker could execute code that could allow adding accounts with administrative privileges, deleting critical system files, or changing security settings.
It is important to note that an attacker would need to be able to logon interactively to the system. This vulnerability could not be exploited by a remote or an anonymous user.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by writing a program that would send a number of specially malformed debugger messages to and from the Windows kernel in such a way as to overflow the affected buffer. This could allow the attacker to run code of their choice, which could be used to elevate privilege.
For an attack to be successful, the attacker would need to be able to logon interactively and to introduce hostile code to the system. Best practices suggest that users' ability to logon and load programs should be limited in accordance with the rule of least privilege, which would mitigate the chances for a successful attack.

What does the patch do?
The patch addresses the vulnerability by correctly handling information sent from the Windows kernel to the debugger.

In the Additional Information section below you state that the Windows 2000 patch supercedes the Windows 2000 Patch for MS03-007. Does this patch correct the problem discussed in the Caveats section of MS03-007?
Yes - the problem with MS03-007 was caused by a dependent file not being present in the patch. This file dependency only manifested itself under very specific circumstances - the system needed to be running Windows 2000 Service Pack 2 and also have had one of a small number of non-security hotfixes installed - which had to have been obtained from Microsoft Product Support Services.
The Windows 2000 patch for this security vulnerability includes the dependent file, and also includes the fix for MS03-007. This means that the patch will install on the systems described above without causing the same issue as the MS03-007 patch.

Download locations for this patch

• Windows NT 4.0:
  • All except Japanese NEC and Chinese - Hong Kong
  • Japanese NEC
  • Chinese - Hong Kong
• Windows NT 4.0, Terminal Server Edition:
  • All
• Windows 2000:
  • All except Japanese NEC
  • Japanese NEC
• Windows XP:
  • 32-bit Edition
  • 64-bit Edition