• Article

Security Bulletin

Microsoft Security Bulletin MS03-024 - Important

Buffer Overrun in Windows Could Lead to Data Corruption (817606)

Published: July 09, 2003 | Updated: May 19, 2004

Version: 1.4

Originally posted: July 09, 2003
Updated: May 19, 2004
Version: 1.4

Summary

Who should read this bulletin:  Customers using Microsoft® Windows® NT, Microsoft Windows 2000, or Microsoft Windows XP

Impact of vulnerability:  Allow an attacker to execute code of their choice

Maximum Severity Rating:  Important

Recommendation:  Administrators should consider installing the patch.

Affected Software:

  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP

Not Affected Software:

  • Microsoft Windows Server 2003

General Information

Technical details

Technical description:

Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. The existing Windows NT 4.0 Server security update will install successfully on Windows NT 4.0 Workstation and is officially supported on that operating system version. A security update is now available from Microsoft Product Support Services for customers running Windows 2000 Service Pack 2. Contact Microsoft Product Support Services to obtain the Windows 2000 Service Pack 2 security update

Server Message Block (SMB) is the Internet Standard protocol that Windows uses to share files, printers, serial ports, and to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what's described as a client server request-response protocol.

A flaw exists in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of "instructions." In this case, the server is not properly validating the buffer length established by the packet. If the client specifies a buffer length that is less than what is needed, it can cause the buffer to be overrun.

By sending a specially crafted SMB packet request, an attacker could cause a buffer overrun to occur. If exploited, this could lead to data corruption, system failure, or-in the worst case-it could allow an attacker to run the code of their choice. An attacker would need a valid user account and would need to be authenticated by the server to exploit this flaw.

Mitigating factors:

  • Windows Server 2003 is not affected by this vulnerability.
  • By default, it is not possible to exploit this flaw anonymously. The attacker would have to be authenticated by the server prior to attempting to send a SMB packet to it.
  • Blocking port 139/445 at the firewall will prevent the possibility of an attack from the Internet.

Severity Rating:
Windows NT Workstation 4.0 Important
Windows NT Server 4.0 Important
Windows NT Server 4.0, Terminal Server Edition Important
Windows 2000 Important
Windows XP Professional Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0345

Tested Versions:

Microsoft tested Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why has Microsoft updated this bulletin?
Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. The existing Windows NT 4.0 Server security update will install successfully on Windows NT 4.0 Workstation and is officially supported on that operating system version. A security update is now available from Microsoft Product Support Services for customers running Windows 2000 Service Pack 2. Contact Microsoft Product Support Services to obtain the Windows 2000 Service Pack 2 security update.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability that could lead to data corruption, system failure or allow an attacker to run the code of their choice. To successfully exploit this flaw, an attacker would have to first be authenticated by the server. By default, it is not possible to exploit this flaw anonymously.

What causes the vulnerability?
The vulnerability results because of insufficient validation by the system of the buffer size for certain incoming SMB packets. SMB is a client to server based protocol and when the client system sends an SMB command to the server, it should validate the parameters set in the packet and respond accordingly. In the case of this flaw, the recipient system doesn't validate the buffer size necessary before responding. This could cause a buffer overrun which could lead to data corruption, system failure or allow an attacker to run the code of their choice.

What is SMB?
SMB (Server Message Block)-and its follow-on, Common Internet File System (CIFS)-is the Internet Standard protocol that Windows uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what is described as a client server, request-response protocol.

Does this vulnerability affect CIFS as well?
Common Internet File System (CIFS) is an Internet Standard protocol. The vulnerability described here resides specifically in Microsoft's implementation of the protocol and not the protocol itself.

What's wrong with Microsoft's implementation of the protocol?
There is a flaw in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of "instructions." In this case, the server does not properly validate the buffer length established by the packet. If the client specifies a buffer length less than what is needed, it can cause the buffer to be overrun. This could result in random data being written to memory, which could cause data corruption or system failure, or it could also allow an attacker to run the code of their choice.

What could this vulnerability enable an attacker to do?
If an attacker were able to successfully exploit this vulnerability, they could cause random areas of memory to be overwritten. The resulting effect of this could be data corruption, system failure or allow an attacker to run the code of their choice.

What sort of data would be corrupted?
Essentially, any data in memory could be randomly overwritten. In the worst case, system memory could be overwritten causing the server to fail.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a specifically malformed SMB packet and sending it to the server. The attacker would first require a valid user name and password to be authenticated by the server. By default, there is no means to anonymously exploit this vulnerability.

What does the patch do?
The patch eliminates the vulnerability by implementing proper validation of the parameters set on SMB packets.

Patch availability

Download locations for this patch

Note Customers running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update

Additional information about this patch

Installation platforms:

This patch can be installed on systems running:

  • Windows NT 4.0:

    The Windows NT 4.0 patch can be installed on systems running Windows NT 4.0 Workstation Service Pack 6a or Windows NT Server 4.0 Service Pack 6a.

  • Windows NT Server 4.0, Terminal Server Edition:

    The Windows NT Server 4.0, Terminal Server Edition patch can be installed on systems running Windows NT Server 4.0, Terminal Server Edition Service Pack 6.

  • Windows 2000:

    The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3.

  • Windows XP:

    The patch for Windows XP can be installed on systems running Windows XP Gold or Windows XP Service Pack 1.

Note Customers running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update

Inclusion in future service packs:

  • The fix for this issue is included in Windows 2000 Service Pack 4.
  • The fix for this issue will be included in Windows XP Service Pack 2.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows NT Workstation 4.0 or Windows NT Server 4.0: To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 817606 are present on the system.

  • Windows NT Server 4.0, Terminal Server Edition: To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 817606 are present on the system.

  • Windows 2000: To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q817606.

    To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q817606\Filelist.

  • Windows XP:

    • If installed on Windows XP Gold:

      To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q817606.

      To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q817606\Filelist.

    • If installed on Windows XP Service Pack 1:

      To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q817606.

      To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q817606\Filelist.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks Jeremy Allison and Andrew Tridgell, Samba Team for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 817606 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 July 09, 2003: Bulletin Created.
  • V1.1 July 10, 2003: Corrected patch verification registry keys. Modified patch listing for Windows 2000.
  • V1.2 September 18, 2003: Added "Windows 2000" in front of Service Pack 4 in section "Inclusion in future service packs"
  • V1.3 April 13, 2004: Added FAQ to inform customers about the availability of a security update for Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2.
  • V1.4 (May 19, 2004): Clarified the bulletin to explain that the existing Windows NT Server 4.0 security update is supported on Windows NT 4.0 Workstation systems.

Built at 2014-04-18T13:49:36Z-07:00