SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Firewall)  >  Microsoft Internet Security and Acceleration Server Vendors:  Microsoft
Microsoft Internet Security and Acceleration Server H.323 Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008698
CVE Reference:  CAN-2003-0819   (Links to External Site)
Updated:  Jan 15 2004
Original Entry Date:  Jan 13 2004
Impact:  Execution of arbitrary code via network, Root access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 2000
Description:  A buffer overflow vulnerability has been reported in the Microsoft Firewall Service in Microsoft Internet Security and Acceleration Server 2000 in the processing of H.323 packets. A remote user can execute arbitrary code on the target system.

It is reported that the flaw resides in the H.323 filter, which is enabled by default on systems configured for integrated or firewall mode. Systems configured for cache mode are reportedly not affected.

A remote user can supply specially crafted H.323 traffic to trigger an overflow in the H.323 filter and execute arbitrary code. The code will run in the security context of the Microsoft Firewall Service, yielding full control to the remote user.

The report states that the H.323 Gatekeeper Service is not affected.
Impact:  A remote user can execute arbitrary code on the target system with the privileges of the Microsoft Firewall Service (this provides full control).
Solution:  The vendor has released a fix. The fix requires ISA Server Service Pack 1 (SP1).

Microsoft Internet Security and Acceleration Server 2000:

http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en

Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and Acceleration Server 2000):

http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990 -4156-4E1D-9ACB-4CD449D9599B&displaylang=en

Microsoft Small Business Server 2003 (which includes Microsoft Internet Security and Acceleration Server 2000):

http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en

A restart is not required after applying the patch.

Microsoft plans to include this fix in ISA Server 2000 SP2.

A workaround is also described by the vendor in the advisory.
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms04-001.asp (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (2000), Windows (2003)

Message History:   None.

 Source Message Contents
Date:  Tue, 13 Jan 2004 14:11:31 -0500
Subject:  MS04-001

 

http://www.microsoft.com/technet/security/bulletin/ms04-001.asp

Internet Security and Acceleration Server 2000

Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter 
Could Allow Remote Code Execution (816458)

MS04-001

Maximum Severity Rating: Critical

CVE: CAN-2003-0819

A buffer overflow vulnerability has been reported in the Microsoft Firewall Service in 
Microsoft Internet Security and Acceleration Server 2000 in the processing of H.323 
packets.  A remote user can execute arbitrary code on the target system.

It is reported that the flaw resides in the H.323 filter, which is enabled by default on 
systems configured for integrated or firewall mode.  Systems configured for cache mode are 
reportedly not affected.

A remote user can supply specially crafted H.323 traffic to trigger an overflow in the 
H.323 filter and execute arbitrary code.  The code will run in the security context of the 
Microsoft Firewall Service, yielding full control to the remote user.

The report states that the H.323 Gatekeeper Service is not affected.



The vendor has released a fix.  The fix requires ISA Server Service Pack 1 (SP1).

Microsoft Internet Security and Acceleration Server 2000:

http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&dis
playlang=en

Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and 
Acceleration Server 2000):

http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&dis
playlang=en

Microsoft Small Business Server 2003 (which includes Microsoft Internet Security and 
Acceleration Server 2000):

http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&dis
playlang=en

A restart is not required after applying the patch.

Microsoft plans to include this fix in ISA Server 2000 SP2.

A workaround is also described by the vendor in the advisory.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC