
Microsoft Security Bulletin MS03-001 - Critical

Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)

Published: January 22, 2003 | Updated: October 28, 2003

Version: 1.1

Originally posted: January 22, 2003

Summary

Who should read this bulletin:
Customers using Microsoft® Windows® NT 4.0, Windows 2000, or Windows XP.

Impact of vulnerability:
Run code of the attacker's choice

Maximum Severity Rating:
Critical

Recommendation:
Customers running Windows NT 4.0 server or Windows 2000 server should apply the patch immediately. Customers who are running Windows NT 4.0 Workstation, Windows 2000 workstation, and Windows XP should install the patch at the earliest opportunity.

Affected Software:

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0, Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP

End User Bulletin:
An end user version of this bulletin is available at: http://www.microsoft.com/athome/security/update/bulletins/default.mspx

General Information

Technical description:

The Microsoft Locator service is a name service that maps logical names to network-specific names. It ships with Windows NT 4.0, Windows 2000, and Windows XP. By default, the Locator service is enabled only on Windows 2000 domain controllers and Windows NT 4.0 domain controllers; it is not enabled on Windows NT 4.0 workstations or member servers, Windows 2000 workstations or member servers, or Windows XP.

A security vulnerability results from an unchecked buffer in the Locator service. By sending a specially malformed request to the Locator service, an attacker could cause the Locator service to fail, or to run code of the attacker's choice on the system.

Mitigating factors:

  • The Locator service is not enabled by default on any affected versions of Windows with the exception of Windows 2000 domain controllers and Windows NT 4.0 domain controllers.
  • A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack.

Severity Rating:

Windows NT 4.0 (Workstations and Member Servers): Moderate
Windows NT 4.0 (Domain Controllers Only): Critical
Windows NT 4.0, Terminal Server Edition: Moderate
Windows 2000 (Workstations and Member Servers): Moderate
Windows 2000 (Domain Controllers Only): Critical
Windows XP: Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0003 (the candidate entry later published as CVE-2003-0003)

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. The Locator service was not available in versions of Windows prior to Windows NT 4.0.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause the Locator service to fail, or could cause code of the attacker's choice to be executed with system privileges.
The Locator service is not enabled by default except on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack.

What causes the vulnerability?
The vulnerability results from an unchecked buffer in the Microsoft Locator service. If the Locator service is called with a specially malformed argument, that argument can overrun the buffer.

What is the Locator service?
The Microsoft Locator service is a name service that maps names to objects. The name is a logical name that is easy for users to recognize and use. The Locator service ships with Windows NT 4.0, Windows 2000, and Windows XP.

What is the Locator service used for?
A client that is going to make a Remote Procedure Call (RPC) can call the Locator service to resolve a logical name for a network object to a network-specific name for use in the RPC. For example, if a print server has the logical name "laserprinter", an RPC client could call the Locator service to find out the network-specific name that mapped to "laserprinter". The RPC client uses the network-specific name when it makes the RPC call to the service.
By default, the Locator service is only enabled on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. An administrator could enable the Locator service on any Windows NT 4.0, Windows 2000, or Windows XP system.

What is a Remote Procedure Call?
A Remote Procedure Call is an interprocess communication technique that allows client/server software to communicate. RPC can be used in client/server applications based on Microsoft Windows operating systems and can also be used in heterogeneous network environments that include other operating systems.

What's wrong with Locator service?
There is a flaw in the way the Locator service handles certain parameter information that is passed to it. Specially malformed parameter data could be passed to the Locator service and could cause a buffer to be overrun.

What could this vulnerability enable an attacker to do?
If an attack were successful, this vulnerability could enable an attacker to cause the Locator service to fail, or to run code of the attacker's choice on the system with the privileges of the Locator service (system privileges).

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by forming an RPC call that would employ the Locator service to resolve a logical name, and using the RPC call to pass specially malformed data.
Because a properly configured firewall that blocked NetBIOS traffic would block access to the Locator service from the Internet, a successful attack would need to be launched from an organization's internal network.

Does the Locator service require authentication?
No, the system making the RPC request does not have to be authenticated by the system running the Locator service.

Could this vulnerability be exploited from the Internet?
A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack. An attacker would be much more likely to attempt to exploit this vulnerability from an organization's internal network.

How do I tell if the Locator service is enabled?
The status of the "Remote Procedure Call (RPC) Locator" service and how it is started (automatically or manually) can be viewed in the Control Panel. For Windows 2000 and Windows XP, use Control Panel | Administrative Tools | Services, and on Windows NT 4.0, use Control Panel | Services.
It is also possible to determine the status of the Locator service from the command line by entering:

net start

A list of running services will be displayed. If "Remote Procedure Call (RPC) Locator" appears in the list, then the Locator service is running.

Are there any applications that enable the Locator service on member servers?
Yes. Several applications, for example Microsoft Exchange Server, enable the Locator service on member servers. Microsoft recommends that customers install the patch at their earliest opportunity on all systems that have the Locator service enabled.

If I am not using the Locator service, can I disable it?
Yes. An administrator can disable the Locator service by setting the startup type of the "Remote Procedure Call (RPC) Locator" service (service name RpcLocator) to "Disabled" in the Services control panel.
The service can also be stopped via the command line using the sc.exe program, which ships with Windows XP and is included as part of the Windows 2000 Resource Kit. The following command will stop the service:

sc stop RpcLocator

To disable the service using the command line tool, use the following (the space after "start=" is required by sc.exe's syntax):

sc config RpcLocator start= disabled

What systems would be at greatest risk from this vulnerability?
Only Windows 2000 domain controllers and Windows NT 4.0 domain controllers have the Locator service enabled by default, so those would be the systems at greatest risk. An administrator can also enable the Locator service on Windows NT 4.0 (including Terminal Server Edition), Windows 2000, and Windows XP, and those systems are then at risk as well.

What does the patch do?
The patch addresses the vulnerability by correctly handling the information passed to the RPC Locator service.

Download locations for this patch

Additional information about this patch

Installation platforms:

  • The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
  • The Windows NT 4.0, Terminal Server Edition patch can be installed on systems running Windows NT 4.0, Terminal Server Edition Service Pack 6.
  • The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
  • The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 2.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows NT 4.0:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 810833 are present on the system.

  • Windows NT 4.0 Terminal Server Edition:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 810833 are present on the system.

  • Windows 2000:

    To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833.

    To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833\Filelist.

  • Windows XP:
    • If installed on Windows XP Gold:

      To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q810833.

      To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q810833\Filelist.

    • If installed on Windows XP Service Pack 1:

      To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q810833.

      To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q810833\Filelist.
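The two checks described above, determining whether the Locator is running from `net start` output (see "How do I tell if the Locator service is enabled?" and the sc.exe commands that follow it) and confirming the patch by registry key (see "Verifying patch installation"), combined into one assessment script. This is an added example, not code from Microsoft or from this bulletin. The function names, the Finding structure and the sample `net start` listing are mine and constructed; the display name, service name, severity ratings and registry keys are taken from the bulletin. The live branch in main() only runs on Windows and assumes the caller passes the correct OS, service pack and domain-controller role for the host; registry paths are compared case-insensitively, with HKEY_LOCAL_MACHINE and HKLM treated as the same hive.

```python
import subprocess
import sys
from dataclasses import dataclass
from typing import Iterable, Optional

# Display name printed by `net start`; the short name used by sc.exe is RpcLocator.
LOCATOR_DISPLAY_NAME = "Remote Procedure Call (RPC) Locator"
LOCATOR_SERVICE_NAME = "RpcLocator"

# Registry keys the bulletin lists as proof the patch is installed, keyed by
# (OS, service pack the patch was applied to). XP Gold and XP SP1 use different
# keys. NT 4.0 writes no key and is verified against the KB 810833 file manifest.
PATCH_KEYS = {
    ("Windows 2000", "SP2"): r"HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833",
    ("Windows 2000", "SP3"): r"HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833",
    ("Windows XP", "Gold"): r"HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q810833",
    ("Windows XP", "SP1"): r"HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q810833",
}


def locator_running(net_start_output: str) -> bool:
    """True if `net start` output lists the Locator (one display name per line)."""
    return any(line.strip().lower() == LOCATOR_DISPLAY_NAME.lower()
               for line in net_start_output.splitlines())


def _normalize_key(path: str) -> str:
    """Registry paths are case-insensitive and HKEY_LOCAL_MACHINE equals HKLM."""
    p = path.strip().strip("\\").lower()
    if p.startswith("hkey_local_machine\\"):
        p = "hklm\\" + p[len("hkey_local_machine\\"):]
    return p


def patch_installed(os_name: str, service_pack: str,
                    present_keys: Iterable[str]) -> Optional[bool]:
    """True/False from the bulletin's key for this OS/SP; None when no key applies (NT 4.0)."""
    expected = PATCH_KEYS.get((os_name, service_pack))
    if expected is None:
        return None
    return _normalize_key(expected) in {_normalize_key(k) for k in present_keys}


@dataclass
class Finding:
    severity: str            # bulletin rating for this system type
    locator_running: bool
    patched: Optional[bool]  # None when only the file-manifest check applies
    action: str


def assess(os_name: str, service_pack: str, is_domain_controller: bool,
           net_start_output: str, present_keys: Iterable[str]) -> Finding:
    """Combine the severity table, the running-service check and the patch check."""
    running = locator_running(net_start_output)
    patched = patch_installed(os_name, service_pack, present_keys)
    severity = "Critical" if is_domain_controller else "Moderate"
    if patched:
        action = "Q810833 present; no action required"
    elif running:
        action = ("Locator is running: apply Q810833 immediately; if the service is not "
                  f"needed, run 'sc stop {LOCATOR_SERVICE_NAME}' and "
                  f"'sc config {LOCATOR_SERVICE_NAME} start= disabled'")
    else:
        action = "Locator not running: apply Q810833 at the earliest opportunity"
    if patched is None:
        action += " (NT 4.0: confirm the KB 810833 file manifest instead of a registry key)"
    return Finding(severity, running, patched, action)


# Constructed sample of `net start` output on a domain controller (not a real capture).
SAMPLE_NET_START_DC = """\
These Windows 2000 services are started:

   Event Log
   Net Logon
   Remote Procedure Call (RPC)
   Remote Procedure Call (RPC) Locator
   Server

The command completed successfully.
"""


def main() -> None:
    """On Windows collect live data (adjust OS/SP/role for the host); elsewhere use the sample."""
    if sys.platform == "win32":
        import winreg
        out = subprocess.run(["net", "start"], capture_output=True, text=True).stdout
        present = []
        for key in set(PATCH_KEYS.values()):
            try:  # OpenKey raises OSError when the patch key is absent
                winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key.split("\\", 1)[1]))
                present.append(key)
            except OSError:
                pass
        print(assess("Windows 2000", "SP3", False, out, present))
    else:
        print(assess("Windows 2000", "SP3", True, SAMPLE_NET_START_DC, []))


if __name__ == "__main__":
    main()
```

The XP Gold/SP1 distinction matters in practice: a host patched while on XP Gold records the fix under the SP1 key, so checking only the SP2 key on that host would wrongly report it unpatched, and vice versa. Run the script on the host to check live state, or feed it `net start` output and `reg query` results collected from many machines.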

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the Windows Update web site.

Other information:

Acknowledgments

Microsoft thanks David Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com) for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 810833 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (January 22, 2003): Bulletin Created.
  • V1.1 (October 28, 2003): Updated bulletin to reflect recommendation for patching member servers
