Security Bulletin

Microsoft Security Bulletin MS03-034 - Low

Flaw in NetBIOS Could Lead to Information Disclosure (824105)

Published: September 03, 2003 | Updated: April 13, 2004

Version: 1.2

Summary

Who should read this bulletin:  Customers using Microsoft® Windows®

Impact of vulnerability:  Information disclosure

Maximum Severity Rating:  Low

Recommendation:  Users should evaluate whether to apply the security patch to affected systems.

End User Bulletin: An end user version of this bulletin is available at: https:.

Affected Software:

  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server™ 2003

Not Affected Software:

  • Microsoft Windows Millennium Edition

General Information

Technical details

Technical description:

Subsequent to the original release of this bulletin, Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. A security update is now available from Microsoft Product Support Services for customers running these operating systems. Contact Microsoft Product Support Services to obtain these additional security updates.

Network basic input/output system (NetBIOS) is an application programming interface (API) that can be used by programs on a local area network (LAN). NetBIOS provides programs with a uniform set of commands for requesting the lower-level services required to manage names, conduct sessions, and send datagrams between nodes on a network.

This vulnerability involves one of the NetBT (NetBIOS over TCP) services, namely, the NetBIOS Name Service (NBNS). NBNS is analogous to DNS in the TCP/IP world and it provides a way to find a system's IP address given its NetBIOS name, or vice versa.

Under certain conditions, the response to a NetBT Name Service query may, in addition to the typical reply, contain random data from the target system's memory. This data could, for example, be a segment of HTML if the user on the target system was using an Internet browser, or it could contain other types of data that exist in memory at the time that the target system responds to the NetBT Name Service query.

An attacker could seek to exploit this vulnerability by sending a NetBT Name Service query to the target system and then examine the response to see if it included any random data from that system's memory.

If best security practices have been followed and port 137 UDP has been blocked at the firewall, Internet-based attacks would not be possible.

Mitigating factors:

  • Any information disclosure would be completely random.
  • By default, the Internet Connection Firewall (ICF), which is available with Windows XP and Windows Server 2003, blocks the ports that are used by NetBT.
  • To exploit this vulnerability, an attacker would have to be able to send a specially-crafted NetBT request to port 137 on the target system and then examine the response to see whether any random data from that system's memory is included. In intranet environments, these ports are usually accessible, but systems that are connected to the Internet usually have these ports blocked by a firewall.

Severity Rating:

  • Windows NT Workstation 4.0: Low
  • Windows NT Server 4.0: Low
  • Windows NT Server 4.0, Terminal Server Edition: Low
  • Windows 2000: Low
  • Windows XP: Low
  • Windows Server 2003: Low

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0661

Tested Versions:

Microsoft tested Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows 2000, Windows Millennium Edition, Windows XP, and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why has Microsoft issued new security updates for Windows NT Workstation 4.0 and Windows 2000 Service Pack 2?
Subsequent to the original release of this bulletin, Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. A security update is now available from Microsoft Product Support Services for customers running these operating systems. Contact Microsoft Product Support Services to obtain these additional security updates.

What's the scope of the vulnerability?
This is an Information Disclosure vulnerability that could enable an attacker to receive arbitrary or random data from the memory of another computer system that is on a network. Under certain conditions, the response to a NetBT Name Service query may, in addition to the normal reply, contain random data from the target system's memory. This data could, for example, be a segment of HTML if the user on the target system were using an Internet browser at the time that the target system responds to the NetBT Name Service query. It could also contain other types of data, depending on what data exists in memory at the time that the target system responds to the NetBT Name Service query. To exploit the vulnerability, the attacker must be able to access the target system over NetBT. The potential information disclosure cannot be directed or controlled. Any data that an attacker might receive would be very arbitrary in its nature because the information disclosure is limited to random segments of data that are in memory. An attacker could increase the probability of this memory disclosure by repeatedly sending NetBT Name Service queries to the system. However, the information that could be disclosed would still be random and would depend on how the user was using their system at the time of the attack.

What is NetBIOS?
NetBIOS is a set of networking services for computer networking. NetBIOS can be implemented on top of a number of different networking protocols, such as TCP/IP.

What is NetBT?
NetBT is the protocol that describes how NetBIOS services are provided over a TCP/IP network. For more information, visit the following Microsoft Web site: NetBIOS over TCP/IP (NetBT) concepts

What causes the vulnerability?
If the network datagram (also referred to as a packet) requires padding, the padding should be blank. A vulnerability results because of a flaw in NetBT that can cause arbitrary data to be used for padding instead of blank data.

What is a datagram?
A datagram is a self-contained, independent piece of data that carries sufficient information to be routed from the source to the destination computer without relying on earlier exchanges between these source and destination over the transporting network. In short, a datagram is what TCP/IP divides files and other types of content into before it routes it over a particular network.

What is wrong with NetBT?
There is a flaw in the way that NetBT pads datagrams. When NetBT constructs Name Service replies, it allocates a larger buffer to contain the information that is required for the response. This buffer is not properly initialized before it is used to make sure that it is blank. NetBT will write only the amount of data that is required for the response to the buffer, but NetBT will read all of the contents of the buffer when it sends the response to the requesting system. As a result, the padding (the difference between the data written to and then read from the buffer) could be arbitrary data from a previous memory operation because the buffer was not first initialized.
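The write-less-than-you-send pattern described above, reduced to a user-mode C sketch as an added example (it is not Microsoft's NetBT code). The function names, the 16-byte padding boundary, the reused `pool` buffer and its stale contents are all constructed assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PAD_TO 16     /* assumed boundary; the bulletin only says padding is 15 bytes or less */
#define POOL_SIZE 64
/* Constructed stand-in for a recycled allocation that still holds old data. */
static unsigned char pool[POOL_SIZE];

static void simulate_previous_use(void) {
    static const char old[] = "<html><body>acct=12345678</body></html>";
    memset(pool, 0, sizeof pool);
    memcpy(pool, old, sizeof old - 1);
}
/* Round the reply length up to the next PAD_TO boundary. */
static size_t padded_len(size_t n) {
    return (n + PAD_TO - 1) / PAD_TO * PAD_TO;
}
/* Flawed pattern: write only the reply, then transmit the whole padded length. */
size_t build_reply_flawed(unsigned char *buf, const void *reply, size_t n) {
    memcpy(buf, reply, n);
    return padded_len(n);
}
/* Corrected pattern: blank the region that will be sent before writing into it. */
size_t build_reply_fixed(unsigned char *buf, const void *reply, size_t n) {
    size_t total = padded_len(n);
    memset(buf, 0, total);
    memcpy(buf, reply, n);
    return total;
}
/* Count non-zero bytes in the padding region [n, total). */
size_t stale_padding_bytes(const unsigned char *buf, size_t n, size_t total) {
    size_t count = 0;
    for (size_t i = n; i < total; i++)
        if (buf[i] != 0) count++;
    return count;
}
/* Build a constructed 12-byte reply in the reused buffer; return stale padding bytes. */
size_t demo(int fixed) {
    static const unsigned char reply[] = "WORKSTATION1";
    size_t n = sizeof reply - 1;
    simulate_previous_use();
    size_t total = fixed ? build_reply_fixed(pool, reply, n)
                         : build_reply_flawed(pool, reply, n);
    return stale_padding_bytes(pool, n, total);
}
int main(void) {
    printf("flawed: %zu stale padding bytes\n", demo(0));
    printf("fixed:  %zu stale padding bytes\n", demo(1));
    return 0;
}
```

The same check (no non-zero bytes between the end of the written data and the end of the transmitted length) is a useful unit-test assertion for any code that pads outgoing messages.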

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to read some of the content of a target system's memory by examining the network for NetBT Name Service query replies. The attacker would have no way to determine what memory content would be disclosed, nor could an attacker force particular data to be exposed.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending NetBT Name Service queries to a target system and then examining the responses for arbitrary data from the target system's memory.

How much data could be disclosed?
The amount of data that may be disclosed is small; typically the padding that is required is 15 bytes or less.

Workarounds:

Are there any workarounds that I can use to help block the exploitation of this vulnerability while I test or evaluate the patch?
Yes. Although Microsoft urges all customers to apply the patch, there are a number of workarounds that you can apply in the interim to help block exploitation of this vulnerability. There is no guarantee that the workarounds will block all possible attack vectors. Note that these workarounds should be considered temporary measures because they only help block paths of attack instead of correcting the underlying vulnerability.

  • Block TCP and UDP on port 137 at your firewall on the affected machines. The NetBT Name Service uses this port. Blocking TCP and UDP at the firewall will help prevent systems that are behind the firewall from being attacked by attempts to exploit these vulnerabilities.
  • Use Internet Connection Firewall (which is only available with Windows XP and Windows Server 2003). If you use the Internet Connection Firewall that is included with Windows XP or Windows Server 2003 to help protect your Internet connection, it will, by default, block inbound NetBT traffic from the Internet. For more information about how to enable the ICF, and for information about other options that are available to you, visit the Protect Your PC Web site.
  • Block the affected port by using an IPSec filter on the affected machines. You can help to secure network communications on Windows 2000-based computers if you use Internet Protocol security (IPSec). For more information about IPSec and how to apply filters, see Microsoft Knowledge Base articles 313190 and 813878.
  • Disable NetBIOS over TCP/IP. You can also disable NetBT on Windows 2000, Windows XP, and Windows Server 2003. For more information about how to do this, and for information about what might be affected by doing this, visit the following Microsoft Web site: NetBIOS over TCP/IP (NetBT).

What does the patch do?
The patch eliminates the vulnerability by making sure that NetBT correctly initializes the affected buffer.

Patch availability

Download locations for this patch

Note: Customers running Windows NT Workstation 4.0 or Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update.

Additional information about this patch

Installation platforms:

This patch can be installed on systems running.

Note: Customers running Windows NT Workstation 4.0 or Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2, and in Windows Server 2003 Service Pack 1.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows NT Workstation 4.0 or Windows NT Server 4.0

    To verify that the patch has been installed on the machine, confirm that all the files that are listed in the file manifest in Microsoft Knowledge Base article 824105 are present on the system.

  • Windows NT Server 4.0, Terminal Server Edition

    To verify that the patch has been installed on the machine, confirm that all the files that are listed in the file manifest in Microsoft Knowledge Base article 824105 are present on the system.

  • Windows 2000

    To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the system: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB824105

    To verify the individual files, use the date/time and the version information that is provided in the file manifest in Microsoft Knowledge Base article 824105 and confirm that all the files that are listed in the file manifest are present on the system.

  • Windows XP Gold

    To verify that the patch has been installed on the system, confirm that the following registry key has been created on the system: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB824105

    To verify the individual files, use the date/time and the version information that is provided in the file manifest in Microsoft Knowledge Base article 824105 and confirm that all the files that are listed in the file manifest are present on the system.

  • Windows XP Service Pack 1

    To verify that the patch has been installed on the system, confirm that the following registry key has been created on the system: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824105

    To verify the individual files, use the date/time and the version information that is provided in the file manifest in Microsoft Knowledge Base article 824105 and confirm that all the files that are listed in the file manifest are present on the system.

  • Windows Server 2003

    To verify that the patch has been installed on the system, confirm that the following registry key has been created on the system: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824105

    To verify the individual files, use the date/time and the version information that is provided in the file manifest in Microsoft Knowledge Base article 824105 and confirm that all the files that are listed in the file manifest are present on the system.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Mike Price of Foundstone Labs for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 824105 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Center Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (September 03, 2003): Bulletin published.
  • V1.1 (September 03, 2003): Updated to reflect that this also will be included in Windows 2000 Service Pack 5.
  • V1.2 (April 13, 2004): Added FAQ to inform customers about the availability of a security update for Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2.
