Security Bulletin

Microsoft Security Bulletin MS03-007 - Critical

Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)

Published: March 17, 2003 | Updated: September 18, 2003

Version: 3.4

Originally posted: March 17, 2003
Updated: May 30, 2003

Summary

Who should read this bulletin:  Systems administrators running Microsoft® Windows® NT 4.0, Windows 2000, and Windows XP.

Impact of vulnerability:  Run code of attacker's choice

Maximum Severity Rating:  Critical

Recommendation:  Systems administrators should apply the patch immediately

End User Bulletin: An end user version of this bulletin is available at: https:

Affected Software:

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP

Not Affected Software:

  • Microsoft Windows Server 2003

General Information

Technical details

Technical description:

Microsoft originally released this security bulletin on March 17, 2003. At that time, Microsoft was aware of a publicly available exploit that was being used to attack Windows 2000 Servers running IIS 5.0. The attack vector in this case was WebDAV although the underlying vulnerability was in a core operating system component, ntdll.dll. Microsoft issued a patch to protect Windows 2000 customers shortly afterwards, but also continued to investigate the underlying vulnerability. During the course of that investigation, Microsoft found that Windows NT 4.0 also contains the underlying vulnerability in ntdll.dll, however it does not support WebDAV and therefore the known exploit was not effective against Windows NT 4.0. In addition, Microsoft has recently been made aware of this vulnerability as well in Windows XP. However, like Windows NT 4.0, Windows XP does not install Internet Information Services (IIS) by default. Microsoft has now released patches for Windows NT 4.0 and Windows XP.

Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV and results because a core operating system component, ntdll.dll, contains an unchecked buffer.

An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker's choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).

Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional tools and preventive measures have been provided that customers can use to block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds and tools are discussed in the "Workarounds" section in the FAQ below.

Mitigating factors:

  • URLScan, which is a part of the IIS Lockdown Tool, will block this attack in its default configuration.
  • The vulnerability can only be exploited remotely if an attacker can establish a web session with an affected server.
  • Windows NT 4.0 and Windows XP do not install Internet Information Services by default.
  • Windows NT 4.0 does not support WebDAV.

Severity Rating:

  • Windows NT 4.0: Important
  • Windows NT 4.0 Terminal Server Edition: Important
  • Windows 2000: Critical
  • Windows XP: Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0109

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why has Microsoft reissued this bulletin?
Microsoft first issued this bulletin on March 17, 2003. At that time, Microsoft was aware of a publicly available exploit that was being targeted against Windows 2000 servers running IIS. The underlying vulnerability was in a core operating system component, ntdll.dll, but WebDAV was being used as the attack vector. Microsoft responded and issued this bulletin and a patch to protect Windows 2000 customers. Microsoft continued to investigate the issue and determined that the underlying vulnerability in ntdll.dll also existed in Windows NT 4.0. Subsequent to this bulletin first being issued, Microsoft updated the bulletin to provide a fix for the underlying vulnerability in Windows NT 4.0. Further investigation identified that the underlying vulnerability in ntdll.dll also exists in Windows XP, and Microsoft has now released a Windows XP patch with this bulletin. WebDAV is not supported in Windows NT 4.0 and therefore could not be used as an attack vector, and neither Windows NT 4.0 nor Windows XP installs IIS by default. However, Windows NT 4.0 and Windows XP are still vulnerable to other attacks, in particular in cases where an attacker could log on interactively to the system.

Why has Microsoft changed the information in the Caveats section of this bulletin?
Microsoft was made aware that some Windows 2000 customers who had received a hotfix from Product Support Services experienced stop errors on boot after applying the patch released for this bulletin. We've assessed this issue and now know that it only occurs under a specific set of circumstances. A series of Windows 2000 hotfixes that were only available through Product Support Services and were issued between December 2001 and February 2002 were incompatible with the patch for this vulnerability. Customers who are running one of those 12 hotfixes on Windows 2000 Service Pack 2 will experience a stop error on reboot after applying this patch. More information on how to determine if you have installed a hotfix that is incompatible with this patch is available in the Additional Information section under Caveats. Customers who are running Windows 2000 Service Pack 3 or are not running one of these hotfixes will not encounter this problem.

I'm concerned about the failure described above that affects certain Windows 2000 Service Pack 2 systems, but I still need to apply the patch. What can I do?
There are a number of options:

  • Apply the Windows 2000 patch from MS03-013 - that patch supersedes the patch in this bulletin as well as removing the file dependency that was causing the failure described above. If you have not already applied the MS03-007 patch from this bulletin, Microsoft recommends you apply the MS03-013 patch as it also corrects an additional vulnerability.
  • Apply Windows 2000 Service Pack 3 before applying the patch. Windows 2000 SP3 does not contain the file dependency that causes the failure discussed above.
  • Contact Microsoft Product Support Services. The failure described above can only be encountered on Windows 2000 Service Pack 2 systems that are also running a series of post-SP2 hotfixes that were only available through Product Support Services.

The MS03-013 Security Bulletin discusses a performance issue with the Windows XP SP1 version of that patch. Does that performance issue affect the Windows 2000 patch for MS03-013 also?
No, the performance issue discussed in MS03-013 only affects Windows XP SP1 systems. The Windows 2000 patch for MS03-013 corrects the file dependency problem that caused the failure described above with the MS03-007 patch as well as correcting an additional security vulnerability described in MS03-013. It is not affected by the same performance problem as the Windows XP SP1 patch in MS03-013.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected web server. This would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a component of Windows, Ntdll.dll, that can be called using WebDAV or can be accessed locally. By sending a specially constructed request through WebDAV, an attacker could cause code to run on a web server in the Local System security context. In the case of Windows NT 4.0, an attacker would need to use another attack vector such as one that involved logging on to the system interactively.

What is WebDAV?
WebDAV is an industry standard extension to the HTTP specification. The "DAV" in "WebDAV" stands for "distributed authoring and versioning." WebDAV adds a capability for authorized users to remotely add and manage content on a web server. WebDAV is supported in Windows 2000.

What's wrong with the way IIS 5.0 handles WebDAV requests?
WebDAV uses IIS to pass requests to and from Windows 2000. When IIS receives a WebDAV request, it typically processes the request and then acts on it. However, if the request is formed in a particular way, a buffer overrun can result because one of the Windows components called by WebDAV does not correctly check parameters.

Can the vulnerability be exploited on Windows NT 4.0 through IIS 4.0?
No. WebDAV isn't supported in IIS 4.0, so the ability for an attacker to exploit the vulnerability doesn't exist. An attacker could however exploit the underlying vulnerability through another attack vector such as one that required logging on to the system interactively.

Can the vulnerability be exploited on Windows XP through IIS 5.1?
No. Although WebDAV is supported in IIS 5.1 if it is installed by a user, the underlying Windows XP version of ntdll.dll is not susceptible to the WebDAV attack vector, so the ability for an attacker to exploit the vulnerability is not present. However, even if IIS were not installed, an attacker could exploit the underlying vulnerability through another attack vector such as one that required logging on to the system interactively.

If I have confirmed I am not running IIS 5.0 should I still install the patch?
Yes. Disabling or modifying IIS 5.0 will still leave the vulnerable Windows component on the system. All customers running Windows 2000 should install the patch.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a specially formed WebDAV request to a web server running IIS 5.0. An attacker could also look to exploit this vulnerability by logging onto the system interactively and accessing the affected component, ntdll.dll locally.

Who could exploit the vulnerability?
In the case of the WebDAV attack vector, any user who could deliver a WebDAV request to an affected web server could attempt to exploit the vulnerability. Because WebDAV requests travel over the same port as HTTP (normally port 80), this in essence means that any user who could establish a connection with an affected server could attempt to exploit the vulnerability. It could also be possible to access the affected component through another vector, such as one that would involve logging onto the system interactively or by using another application similar to WebDAV that passed parameters to the vulnerable component either locally or remotely.

What would this allow an attacker to do?
If an attacker were able to run code with Local System privileges on an affected system, the attacker would be able to take any action on the system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full privileges.

How do I know if I am running IIS?
IIS 5.0 is installed by default on all server versions of Windows 2000. It is not installed on Windows 2000 Professional by default. To check if IIS is installed on your system, carry out the following: Go to "Start | Settings | Control Panel | Administrative Tools | Services". If the "World Wide Web Publishing" service is listed then IIS is installed.

What products does IIS 5.0 ship with?
Internet Information Services 5.0 ships as part of Windows 2000 Datacenter Server, Advanced Server, Server and Professional.

Does IIS 5.0 run by default?
IIS 5.0 runs by default on all Windows 2000 server products. It does not run by default on Windows 2000 Professional.

Is WebDAV enabled by default on IIS 5.0?
Yes, although it can be disabled by following the steps mentioned in the Workarounds section below.

Workarounds

Are there any workarounds that can be used to block exploitation of this vulnerability while I am testing or evaluating the patch?
Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to block the WebDAV request used to exploit this vulnerability in the interim. In addition, Microsoft is providing tools and documentation to deploy these workarounds more easily. It should be noted that these workarounds should be considered temporary measures as they simply block the path of attack rather than correcting the underlying vulnerability. The following sections are intended to provide you with information to protect your computer from attack. Each section describes the workarounds that you may wish to use depending on your computer's configuration.

  • If you do not require IIS on your computer:

    IIS can be disabled by running the IIS Lockdown Tool. To download the IIS Lockdown Tool go to the following website, IIS Lockdown Tool.

    Alternatively, you can also remove IIS by performing the steps listed in Knowledge Base Article 321141.

  • If you require IIS but do not need WebDAV enabled:

    WebDAV provides a standard for editing and file management between computers on the Internet. If you are not using WebDAV, you can disable it by running the IIS Lockdown tool and specifying to the tool that you do not use WebDAV. To download the IIS lockdown tool go to the following website, IIS Lockdown Tool.

    Note that while the IIS Lockdown tool prevents the successful execution of this and many other attacks, it may interfere with the functioning of your web server under certain circumstances. While it is possible to limit your use of the IIS Lockdown tool to disabling WebDAV, you should consider applying all of the lockdown including URLScan. Information on using the IIS lockdown tool is provided at the following location:

    https://support.microsoft.com/default.aspx?scid=kb;EN-US;325864

    You may also disable WebDAV by following the instructions listed in the Microsoft Knowledge Base article at:

    https:

  • If you require the use of WebDAV on your computer:

    There are a number of workarounds that can be applied to block the request used to exploit this vulnerability and retain WebDAV functionality if you are using it.

    • Customers that cannot deploy the IIS Lockdown Tool or URLScan to their web servers can restrict the buffer used by IIS to receive the request that can be used to exploit this vulnerability. Microsoft has provided the URL Buffer Size Registry Tool to automatically set the registry key that will restrict the buffer. This tool can be run on web servers running Windows 2000 to protect against attacks that would attempt to exploit this vulnerability. The tool can be run locally on the web server to be protected, or it can be applied remotely to multiple web servers by a user who has administrative access to the servers. Information on the URL Buffer Size Registry Tool as well as additional workaround tools is located in the following Knowledge Base Article:

      https:

      The URL Buffer Size Registry tool can be run on systems running Windows 2000 Service Pack 2 or Service Pack 3. In addition, the registry change can be made manually by following the instructions in the following Knowledge Base article:

      https:

      Note that customers should evaluate the maximum buffer size that is practical for their environment and set that maximum value, but in any case the buffer should be set to a size less than 64K bytes. Microsoft recommends 16K as a reasonable value. 16K is the limit that will automatically be set by the URL Buffer Size Registry Tool.

    • URLScan, which is installed by the IIS Lockdown tool, will also block the web request that can be used to exploit this vulnerability. You can obtain the URLScan tool from:

      https:

      Note that while the IIS Lockdown tool prevents the successful execution of this and many other attacks, it may interfere with the functioning of your web server under certain circumstances. While it is possible to limit your use of the IIS Lockdown tool to installation of URLScan, you should consider applying all of the lockdown including URLScan.

      Information on customizing and configuring URLScan can be found at the following location:

      https://support.microsoft.com/default.aspx?scid=kb;[LN];326444

      Information on using the IIS lockdown tool is provided at the following location:

      https://support.microsoft.com/default.aspx?scid=kb;EN-US;325864

What does the patch do?

The patch corrects the issue by changing the method by which the affected Windows component accepts requests.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

Windows NT 4.0:

This patch can be installed on systems running Windows NT 4.0 Service Pack 6a.

Windows 2000:

This patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.

Windows XP:

This patch can be installed on systems running Windows XP Gold or Service Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP Service pack 2.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows NT 4.0:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 815021 are present on the system.

  • Windows NT 4.0 Terminal Server Edition:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 815021 are present on the system.

  • Windows 2000:

    To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021.

    To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021\Filelist.

  • Windows XP Gold:

    To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q815021.

    To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q815021\Filelist.

  • Windows XP SP1:

    To verify that the patch has been installed on the system, confirm that the following registry key has been created on the system:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q815021.

    To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q815021\Filelist.

Caveats:

If you are running Windows 2000 SP2, before installing this patch please check the version of ntoskrnl.exe on your system. To verify the version of ntoskrnl.exe on your system, perform the following steps:

  1. Browse to the %windir%\system32 directory
  2. Right-click ntoskrnl.exe
  3. Choose properties.

The version information is located on the 'version' tab.

Versions of ntoskrnl.exe between 5.0.2195.4797 and 5.0.2195.4928 (inclusive) are not compatible with this patch. These versions were only distributed with Product Support Services hotfixes.

If the patch for this issue is installed on a system with one of these versions of ntoskrnl.exe, the machine will fail on the first reboot with a Stop 0x00000071 message and will have to be recovered using the Windows 2000 recovery console and the backup copy of ntdll.dll stored in the "\winnt\$NTUninstallQ815021$" directory.

To update a system with a version of ntoskrnl.exe distributed from Product Support Services, you must first contact PSS before applying this patch. Information on contacting Product Support Services can be found at:

https://support.microsoft.com

Alternatively, you can upgrade to Windows 2000 SP3 prior to installing this patch, or apply the Windows 2000 patch from MS03-013, which supersedes this patch and corrects the problem described above.
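The checks the bulletin describes by hand (the "World Wide Web Publishing" service test for IIS, the ntoskrnl.exe version range in the Caveats, and the per-platform Q815021 verification keys) gathered into one script, as an added example that is not part of the bulletin or of any Microsoft tool. It assumes PowerShell is available on the Windows 2000 or Windows XP host being examined, that it runs with rights to read HKLM and %windir%\system32, and that the function and variable names are the author's own.

```powershell
# Added example, not code from the bulletin or from Microsoft. Assumes PowerShell is
# available on the Windows 2000 / Windows XP host under review and that the session can
# read HKLM and %windir%\system32. Function and variable names are this example's own.

# Registry keys the bulletin gives as proof that the Q815021 patch is installed.
$VerificationKeys = @{
    'Windows 2000'    = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021'
    'Windows XP Gold' = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q815021'
    'Windows XP SP1'  = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q815021'
}

# ntoskrnl.exe versions the Caveats section marks as incompatible with the Windows 2000
# patch (PSS-only hotfix builds). Patching one of these ends in Stop 0x00000071 at reboot.
$IncompatibleMin = [version]'5.0.2195.4797'
$IncompatibleMax = [version]'5.0.2195.4928'

function Get-NtoskrnlVersion {
    # Build a comparable System.Version from the four numeric parts of the file version,
    # which avoids the free-text suffix that the FileVersion string can carry.
    $info = (Get-Item (Join-Path $env:windir 'system32\ntoskrnl.exe')).VersionInfo
    New-Object System.Version($info.FileMajorPart, $info.FileMinorPart,
                              $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-PreInstallCompatibility {
    # Pre-install check from the Caveats: $false means the kernel is a PSS hotfix build that
    # this patch must not be applied to (contact PSS, move to SP3, or use MS03-013 instead).
    $ver = Get-NtoskrnlVersion
    $incompatible = ($ver -ge $IncompatibleMin) -and ($ver -le $IncompatibleMax)
    $verdict = if ($incompatible) { 'INCOMPATIBLE with Q815021' } else { 'ok to patch' }
    Write-Host ("ntoskrnl.exe {0}: {1}" -f $ver, $verdict)
    return (-not $incompatible)
}

function Test-IisPresent {
    # The bulletin's own test for IIS: the "World Wide Web Publishing" service is listed.
    $svc = Get-Service | Where-Object { $_.DisplayName -like 'World Wide Web Publishing*' }
    if ($svc) { Write-Host ("IIS present ({0}), status {1}" -f $svc.Name, $svc.Status) }
    else      { Write-Host 'IIS not installed; patch ntdll.dll anyway, the local vector remains' }
    return [bool]$svc
}

function Test-PatchInstalled {
    # Post-install check: the platform's Q815021 key exists, and its Filelist subkey holds
    # the per-file date/time and version data the bulletin says to compare against.
    $found = @()
    foreach ($platform in $VerificationKeys.Keys) {
        $key = $VerificationKeys[$platform]
        if (Test-Path $key) {
            $found += $platform
            Write-Host "Q815021 verification key present for $platform"
            Get-ChildItem (Join-Path $key 'Filelist') -ErrorAction SilentlyContinue |
                ForEach-Object { Get-ItemProperty $_.PSPath } | Format-List * | Out-Host
        }
    }
    if (-not $found) { Write-Host 'No Q815021 verification key found: patch not installed' }
    return [bool]$found
}

# Typical order: exposure, then the Caveats check before patching, then verification after.
Test-IisPresent | Out-Null
if (Test-PreInstallCompatibility) { Test-PatchInstalled | Out-Null }
```

Run Test-PreInstallCompatibility before applying the Windows 2000 patch on SP2 systems and Test-PatchInstalled after the reboot; on the Windows NT 4.0 platforms the bulletin gives a file manifest rather than a registry key, so this script does not cover them.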

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks nesumin from :: Operash :: for reporting the Windows XP vulnerability to us and working with us to protect customers.

Support:

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (March 17, 2003): Bulletin Created.
  • V1.1 (March 18, 2003): Added new information in the Caveats under the Additional Information section, clarified affected Windows component throughout the bulletin, added a question regarding IIS 5.0 to the Frequently Asked Questions section, added a question regarding changes to the Caveats in the Additional Information section to the Frequently Asked Questions section.
  • V2.0 (April 23, 2003): Updated to include details of NT 4.0 patch.
  • V2.1 (April 24, 2003): Updated to include download link for NT4 package for Japanese NEC
  • V2.2 (April 24, 2003): Provided additional clarification in FAQ regarding supersedence of Windows 2000 patch by the patch in MS03-013.
  • V3.0 (May 28, 2003): Updated to include details of Windows XP patch.
  • V3.1 (May 28, 2003): Updated to include correct Windows NT 4.0 and Windows XP verification keys.
  • V3.2 (May 28, 2003): Updated frequently asked questions section regarding IIS 5.1
  • V3.3 (May 30, 2003): Updated acknowledgments section.
  • V3.4 (September 18, 2003): Updated to include Windows XP SP1 verification keys.

Built at 2014-04-18T13:49:36Z-07:00