Why has Microsoft issued new security updates for Windows NT Workstation 4.0 and Windows 2000 Service Pack 2?
Subsequent to the original release of this bulletin, Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. A security update is now available from Microsoft Product Support Services for customers running these operating systems. Contact Microsoft Product Support Services to obtain these additional security updates.
What's the scope of the vulnerability?
This is an Information Disclosure vulnerability that could enable an attacker to receive arbitrary or random data from the memory of another computer system that is on a network.
Under certain conditions, the response to a NetBT Name Service query may, in addition to the normal reply, contain random data from the target system's memory. This data could, for example, be a segment of HTML if the user on the target system were using an Internet browser at the time that the target system responds to the NetBT Name Service query. It could also contain other types of data, depending on what data exists in memory at the time that the target system responds to the NetBT Name Service query. To exploit the vulnerability, the attacker must be able to access the target system over NetBT.
The potential information disclosure cannot be directed or controlled. An attacker receives only whatever happened to be left in the memory that the reply buffer was allocated from, so the data is arbitrary in nature and limited to small, random fragments of what was in memory at the time.
An attacker could increase the probability of this memory disclosure by repeatedly sending NetBT Name Service queries to the system. However, the information that could be disclosed would still be random and would depend on how the user was using their system at the time of the attack.
What is NetBIOS?
NetBIOS (Network Basic Input/Output System) is a programming interface and a set of services (name registration and resolution, session delivery, and datagram delivery) that applications use to communicate over a local network. NetBIOS can be implemented on top of a number of different transport protocols, such as TCP/IP.
What is NetBT?
NetBT is the protocol that describes how NetBIOS services are provided over a TCP/IP network. For more information, visit the following Microsoft Web site: NetBIOS over TCP/IP (NetBT) concepts
What causes the vulnerability?
If a network datagram (also referred to as a packet) requires padding, the padding bytes should be blank, that is, zero-filled. The vulnerability results from a flaw in NetBT that leaves the padding uninitialized, so whatever data was previously in that memory is sent in place of blank padding.
What is a datagram?
A datagram is a self-contained, independent piece of data that carries sufficient information to be routed from the source computer to the destination computer without relying on earlier exchanges between the source and destination over the transporting network. In the case of the NetBT Name Service, each query and each reply is a single UDP datagram sent to or from port 137.
What is wrong with NetBT?
There is a flaw in the way that NetBT pads datagrams. When NetBT constructs a Name Service reply, it allocates a buffer that is larger than the information required for the response. This buffer is not initialized before it is used, so there is no guarantee that it is blank. NetBT writes only the amount of data that is required for the response into the buffer, but it reads the entire buffer when it sends the response to the requesting system. As a result, the padding (the difference between the data written to the buffer and the data read from it) can contain arbitrary data left behind by a previous memory operation, because the buffer was never cleared.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to read some of the content of a target system's memory by examining the network for NetBT Name Service query replies. The attacker would have no way to determine what memory content would be disclosed, nor could an attacker force particular data to be exposed.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending NetBT Name Service queries to a target system and then examining the bytes that follow the expected reply in each response for arbitrary data from the target system's memory.
How much data could be disclosed?
The amount of data that may be disclosed is small; typically the padding that is required is 15 bytes or less.
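The following C program is an added example, not Microsoft's NetBT code, that reproduces the pattern described in "What is wrong with NetBT?" and the attacker's view described in "How could an attacker exploit this vulnerability?". It uses a single reusable 64-byte buffer as a stand-in for memory the allocator hands back without clearing (real allocators do not guarantee that the same memory is reused, so the static buffer is there to make the leak deterministic), and it assumes a hypothetical wire rule that replies are padded to a multiple of 16 bytes, which gives 0 to 15 bytes of padding, consistent with the "15 bytes or less" figure above. The sample HTML page and reply body are constructed data. `build_reply_vulnerable` writes only the reply body and then sends the whole padded length; `build_reply_fixed` clears the buffer first, which is what the patch does; `inspect_padding` is the attacker's check, counting non-zero bytes in the padding of a captured reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for recycled, uncleared memory: one reusable buffer. */
#define REPLY_BUF_SIZE 64
static uint8_t g_reply_buf[REPLY_BUF_SIZE];
static char g_last_padding[REPLY_BUF_SIZE];

/* Simulates an unrelated earlier operation (e.g. a browser rendering a page)
 * that used the same memory and left its contents behind. */
void previous_memory_operation(const char *stale)
{
    size_t n = strlen(stale);
    if (n > REPLY_BUF_SIZE)
        n = REPLY_BUF_SIZE;
    memcpy(g_reply_buf, stale, n);
}

/* Assumed wire rule: replies are padded to a multiple of 16 bytes. */
size_t padded_len(size_t body_len)
{
    return (body_len + 15) & ~(size_t)15;
}

/* Vulnerable pattern: write only the body, then send the whole padded
 * length. Bytes body_len..total-1 are never initialized. */
size_t build_reply_vulnerable(const uint8_t *body, size_t body_len, uint8_t *out)
{
    size_t total = padded_len(body_len);
    if (total > REPLY_BUF_SIZE)
        return 0;
    memcpy(g_reply_buf, body, body_len);   /* padding left as it was */
    memcpy(out, g_reply_buf, total);       /* stale bytes leave with the packet */
    return total;
}

/* Fixed pattern (what the patch does): clear the buffer before use. */
size_t build_reply_fixed(const uint8_t *body, size_t body_len, uint8_t *out)
{
    size_t total = padded_len(body_len);
    if (total > REPLY_BUF_SIZE)
        return 0;
    memset(g_reply_buf, 0, total);         /* padding is now guaranteed blank */
    memcpy(g_reply_buf, body, body_len);
    memcpy(out, g_reply_buf, total);
    return total;
}

/* Attacker side: given a captured reply and the expected body length,
 * copy the padding into dst (if non-NULL) and return how many padding
 * bytes are non-zero. Any non-zero count means leaked memory. */
size_t inspect_padding(const uint8_t *pkt, size_t body_len, size_t total,
                       char *dst, size_t dst_size)
{
    size_t leaked = 0, i, j = 0;
    for (i = body_len; i < total; i++) {
        if (pkt[i] != 0)
            leaked++;
        if (dst && j + 1 < dst_size)
            dst[j++] = (char)pkt[i];
    }
    if (dst && dst_size)
        dst[j] = '\0';
    return leaked;
}

/* Runs one scenario on constructed data and returns the leaked byte count;
 * the padding text of the last run is kept for inspection. */
size_t run_scenario(int use_fix)
{
    const char *page = "<html><head><title>Intranet payroll</title></head>"
                       "<body>salary 84000</body></html>";   /* constructed */
    const uint8_t body[] = "NBNS-RESPONSE:WORKSTATION01";    /* constructed, 27 bytes */
    size_t body_len = sizeof(body) - 1;
    uint8_t pkt[REPLY_BUF_SIZE];
    size_t n;

    previous_memory_operation(page);
    n = use_fix ? build_reply_fixed(body, body_len, pkt)
                : build_reply_vulnerable(body, body_len, pkt);
    return inspect_padding(pkt, body_len, n, g_last_padding, sizeof g_last_padding);
}

const char *last_padding_text(void)
{
    return g_last_padding;
}

int main(void)
{
    size_t leaked = run_scenario(0);
    printf("vulnerable: %zu leaked padding bytes: \"%s\"\n", leaked, last_padding_text());
    leaked = run_scenario(1);
    printf("fixed:      %zu leaked padding bytes\n", leaked);
    return 0;
}
```

With a 27-byte body the padded reply is 32 bytes, so the vulnerable build leaks 5 bytes of the stale page (" payr"), and the fixed build leaks none. Repeating the query, as the FAQ notes, only gives the attacker more such fragments; it never lets them choose which memory is exposed.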
Workarounds:
Are there any workarounds that I can use to help block the exploitation of this vulnerability while I test or evaluate the patch?
Yes. Although Microsoft urges all customers to apply the patch there are a number of workarounds that you can apply in the interim to help block exploitation of this vulnerability. There is no guarantee that the workarounds will block all possible attack vectors.
Note that these workarounds should be considered temporary measures because they only help block paths of attack instead of correcting the underlying vulnerability.
- Block TCP and UDP port 137 at your firewall. The NetBT Name Service uses this port. Blocking it at the perimeter firewall helps prevent systems behind the firewall from being attacked from the Internet. It does not stop queries sent by an attacker who is already on the internal network, so it does not cover all attack vectors.
- Use Internet Connection Firewall (available only with Windows XP and Windows Server 2003). If you use the Internet Connection Firewall that is included with Windows XP or Windows Server 2003 to help protect your Internet connection, it blocks inbound NetBT traffic from the Internet by default. For more information about how to enable ICF, and about other options that are available to you, visit the Protect Your PC Web site.
- Block the affected port by using an IPSec filter on the affected machines. You can help to secure network communications on Windows 2000-based computers by using Internet Protocol security (IPSec) to filter inbound traffic to port 137. For more information about IPSec and how to apply filters, see Microsoft Knowledge Base articles 313190 and 813878.
- Disable NetBIOS over TCP/IP. You can also disable NetBT on Windows 2000, Windows XP, and Windows Server 2003. Windows 2000 and later can carry file and printer sharing directly over TCP port 445 without NetBT, but applications and older clients that depend on NetBIOS name resolution or browsing will be affected. For more information about how to do this, and about what might be affected by doing this, visit the following Microsoft Web site: NetBIOS over TCP/IP (NetBT).
What does the patch do?
The patch eliminates the vulnerability by making sure that NetBT correctly initializes the affected buffer.