Microsoft Security Bulletin MS01-043 - Critical

NNTP Service Contains Memory Leak

Published: August 14, 2001 | Updated: June 13, 2003

Version: 1.2

Summary

Who should read this bulletin:
System administrators offering newsgroup services via Microsoft® Windows NT® 4.0, Windows® 2000, or Exchange 2000.

Impact of vulnerability:
Denial of service.

Recommendation:
System administrators should apply the patch immediately to affected systems.

Affected Software:

  • Microsoft Windows NT 4.0
  • Microsoft Windows 2000
  • Microsoft Exchange 2000

General Information

Technical details

Technical description:

The NNTP (Network News Transfer Protocol) service in Windows NT 4.0, Windows 2000, and Exchange 2000 contains a memory leak in a routine that processes news postings. Each time such a posting is processed that contains a particular construction, the memory leak causes a small amount of memory to no longer be available for use. If an attacker sent a large number of posts, the server memory could be depleted to the point at which normal service would be disrupted. An affected server could be restored to normal service by stopping and starting the IISAdmin service.

Exchange 5.5 contains an NNTP service, but it is not affected by the vulnerability. Exchange 2000 does not ship a separate NNTP service; instead, if NNTP is enabled, the native Windows 2000 NNTP service is used. As a result, Exchange 2000 servers that offer NNTP services should have the Windows 2000 patch applied to them.

Mitigating factors:

  • Windows NT 4.0 does not ship with a native NNTP service. Instead, it must be installed as part of the Windows NT 4.0 Option Pack. (It does not install by default as part of the Option Pack.)
  • Windows 2000 Professional does not ship with a native NNTP service.
  • Windows 2000 server products do ship with a native NNTP service, but it is not installed by default.
  • The vulnerability would not enable an attacker to usurp any administrative control or compromise data on the machine.

Vulnerability identifier: CAN-2001-0543

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000, Exchange 5.5 and Exchange 2000 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.

Frequently asked questions

What's the scope of this vulnerability?
This is a denial of service vulnerability. By repeatedly sending a news posting to an affected server, an attacker could degrade its performance, potentially to the point where the server would be unable to provide useful service. The vulnerability would not enable an attacker to compromise any data on the server, or to usurp any privileges on the machine. The administrator of an affected system could restore normal service by stopping and restarting the affected system service.

What causes the vulnerability?
The vulnerability results because the NNTP service in Windows NT 4.0 and Windows 2000 contains a memory leak. If a sufficient quantity of postings containing a particular malformation were received, it could deplete the available memory to the point where the server would be incapable of performing useful work.

What's NNTP?
NNTP (Network News Transfer Protocol) is an industry-standard protocol that specifies a method for posting, distributing, searching and archiving news articles via Internet-based servers. The vulnerability results because the NNTP implementation in Windows NT 4.0 and Windows 2000 contains a memory leak that could be used to disrupt the NNTP service.

What's a memory leak?
A memory leak is an implementation error that depletes the available memory on a system. As a process on a computer runs, it may need more or less memory, depending on exactly what it is doing from one minute to the next. When the process needs more memory, it requests it from the operating system; when it no longer needs the additional memory, it should return it to the operating system so it can be allocated to other processes. A memory leak occurs when a process doesn't correctly return memory to the operating system. Instead of becoming available for allocation to another process, the memory remains assigned to the process even though the process is no longer using it. This effectively makes the block of memory unavailable.

How does the memory leak happen in this case?
In the case of this vulnerability, the NNTP service has a memory leak that results when it processes a particular type of malformed news posting. Each time the service accepts such a posting, it requests memory from the operating system; however, it doesn't return the memory when it finishes handling the request.
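The bulletin describes the bug class without the offending construction, so the following added example (not Microsoft's code) illustrates the same pattern in miniature: a posting handler that allocates a work buffer per article and, on a hypothetical malformed-header path, returns before releasing it, beside the corrected handler that frees on every path. The "no colon in the header block" malformation and the allocation counter are assumptions introduced for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical counter standing in for the process's outstanding heap
 * allocations, so the leak can be observed without OS tooling. */
static long outstanding_allocs = 0;

static char *tracked_alloc(size_t n) { char *p = malloc(n); if (p) outstanding_allocs++; return p; }
static void tracked_free(char *p) { if (p) { free(p); outstanding_allocs--; } }

/* Leaky handler: copies the posting into a work buffer, then rejects it when
 * no "Name: value" header separator is present (assumed malformation). The
 * early return on that path skips the free, stranding one buffer per posting. */
int handle_post_leaky(const char *posting) {
    char *buf = tracked_alloc(strlen(posting) + 1);
    if (!buf) return -1;
    strcpy(buf, posting);
    if (strchr(buf, ':') == NULL)   /* malformed posting: reject it */
        return -1;                   /* BUG: buf is never freed */
    tracked_free(buf);
    return 0;
}

/* Fixed handler: a single exit path releases the buffer whatever the outcome,
 * matching the patch description ("properly deallocate memory after processing"). */
int handle_post_fixed(const char *posting) {
    char *buf = tracked_alloc(strlen(posting) + 1);
    if (!buf) return -1;
    strcpy(buf, posting);
    int rc = (strchr(buf, ':') == NULL) ? -1 : 0;
    tracked_free(buf);
    return rc;
}

/* Feed the same constructed malformed posting n times and report how many
 * buffers remain unreleased, i.e. how much memory a sustained stream strands. */
long leaked_after(int (*handler)(const char *), int n) {
    static const char malformed[] = "no header separator here\r\n\r\nbody\r\n"; /* constructed */
    outstanding_allocs = 0;
    for (int i = 0; i < n; i++) handler(malformed);
    return outstanding_allocs;
}

int main(void) {
    printf("leaky handler: %ld buffers stranded after 1000 malformed posts\n",
           leaked_after(handle_post_leaky, 1000));
    printf("fixed handler: %ld buffers stranded after 1000 malformed posts\n",
           leaked_after(handle_post_fixed, 1000));
    return 0;
}
```

The same allocation-counting approach is the basis of real leak detectors: watch the outstanding count after a fixed workload, and any growth proportional to the request count points at a missed free on some path.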

What could an attacker do via this vulnerability?
An attacker could repeatedly send malformed news postings to an affected server in order to deplete its pool of available memory. As the server's memory pool was depleted, its performance would gradually slow. If the attack were sustained for a long enough period, the server could potentially be brought to a standstill and be unable to perform useful work.

Does the NNTP service run by default?
The answer varies by operating system.

  • Windows NT 4.0 doesn't provide an NNTP service. NNTP support is provided via the Windows NT 4.0 Option Pack, but it does not install by default.
  • Windows 2000 Professional doesn't provide an NNTP service.
  • Windows 2000 server products do provide an NNTP service, but it is not installed or running by default.

If NNTP is installed and running, is it vulnerable?
Yes.

Exchange 5.5 and 2000 also offer NNTP services. Are they affected?
Exchange 5.5 is not affected by the vulnerability, as its implementation is independent of the ones in Windows NT 4.0 and Windows 2000 and doesn't contain the memory leak. On the other hand, Exchange 2000 uses the native Windows 2000 NNTP service, so if an Exchange 2000 server has been configured to provide NNTP services, it's affected by the vulnerability.

Would a successful attack via this vulnerability only disrupt NNTP services, or would other services on the system be affected as well?
Because the vulnerability depletes the memory pool that all services on the machine use, a successful attack via the vulnerability would affect the operation of all services on the machine, not just the NNTP service. So, for instance, if the machine also hosted shared files, users might be unable to access them after the machine had been attacked.

Would this vulnerability enable the attacker to gain any privileges on the machine?
No. The sole effect of a successful attack via this vulnerability would be to prevent the server from operating normally. It wouldn't grant any privileges to the attacker, nor would it allow any data to be compromised.

How could an affected server be put back into service?
The server could be returned to normal service by stopping the IISAdmin service and restarting it.

Could this vulnerability be exploited from the Internet?
The vulnerability could be exploited by any user who could send postings to the affected server. If the server accepts postings from the Internet, an Internet user could exploit the vulnerability.

I use Windows NT 4.0 Server, Terminal Server Edition. Could I be affected by this vulnerability?
No. The vehicle by which the NNTP service ships, the Windows NT 4.0 Option Pack, cannot be installed on terminal servers.

I visit news servers frequently from my home computer. Does this vulnerability affect me?
No. It only affects servers that offer NNTP services; it doesn't affect the client machines that visit them.

What does the patch do?
The patch eliminates the vulnerability by causing the NNTP service in Windows NT 4.0 and Windows 2000 to properly deallocate memory after processing a news posting.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 3 and Exchange 2000 Service Pack 2.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

Microsoft Windows NT 4.0:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q303984.

  • To verify the individual files, consult the file manifest in Knowledge Base article Q303984.

Microsoft Windows 2000:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q303984.

  • To verify the individual files, use the date/time and version information provided in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q303984\Filelist

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Aiden ORawe for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q303984 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (August 14, 2001): Bulletin Created.
  • V1.1 (August 15, 2001): Bulletin updated to note that normal service could be restored by cycling the IISAdmin service, to note that the Exchange NNTP service is affected by the vulnerability, and to clarify whether NNTP is installed by default in Windows NT 4.0 and 2000.
  • V1.2 (June 13, 2003): Updated download links to Windows Update.
