SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Microsoft Network Share Provider (SMB) Vendors:   Microsoft
Microsoft SMB Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007154
SecurityTracker URL:  http://securitytracker.com/id/1007154
CVE Reference:   CVE-2003-0345   (Links to External Site)
Updated:  Jun 14 2008
Original Entry Date:  Jul 9 2003
Impact:   Denial of service via network, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): NT 4.0, NT 4.0 TSE, 2000, XP
Description:   A vulnerability was reported in several Microsoft operating systems in the processing of Server Message Block (SMB) packets. A remote authenticated user can execute arbitrary code or cause denial of service conditions.

It is reported that the software does not properly validate the parameters of an SMB packet. A remote authenticated user can specify a buffer length that is insufficient to hold all of the data. The server reportedly fails to validate the specification and will allocate a buffer based on the specification. The resulting data then overflows the buffer, potentially executing user-supplied code, corrupting data in memory, or crashing the system.

Windows Server 2003 is reportedly not affected.

Microsoft credits Jeremy Allison and Andrew Tridgell, Samba Team for reporting this flaw.

Impact:   A remote authenticated user can execute arbitrary code, corrupt system memory, or crash the system.
Solution:   The vendor has issued the following patches:

* Windows NT 4.0 Server

http://microsoft.com/downloads/details.aspx?FamilyId=1CA9A59A-3074-4D73-82C8-68A37B3BBB80&displaylang=en

* Windows NT 4.0, Terminal Server Edition

http://microsoft.com/downloads/details.aspx?FamilyId=19C2A999-AAD4-44A6-B608-0178874387AB&displaylang=en

* Windows 2000 Server

http://microsoft.com/downloads/details.aspx?FamilyId=8290DBEC-6072-45B9-A91D-E4C1FD93E3E1&displaylang=en

* Windows XP 32 bit Edition

http://microsoft.com/downloads/details.aspx?FamilyId=8F407A78-646C-4F82-BF74-12298ED5D8CF&displaylang=en

* Windows XP 64 bit Edition

http://microsoft.com/downloads/details.aspx?FamilyId=2644E2F3-92F2-40B3-8887-72FEB81CA58D&displaylang=en

The NT patches can reportedly be installed on Windows NT Server 4.0 SP6a and Windows NT Server, Terminal Server Edition SP6, respectively. The Windows 2000 patch can be installed on Windows 2000 SP3. The Windows XP patch can be installed on Windows XP Gold or Windows XP SP1.

The fix for this issue is included in Windows 2000 SP4 and will be included in Windows XP SP2, according to the vendor.

A reboot is required after installing this patch.

Microsoft plans to issue Knowledge Base article 817606 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-024.asp (Links to External Site)
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  Microsoft Security Bulletin MS03-024: Buffer Overrun in Windows Could Lead to Data Corruption (Q817606)


-----BEGIN PGP SIGNED MESSAGE-----

- - -----------------------------------------------------------------
Title:  Buffer Overrun in Windows Could Lead to Data 
	Corruption (817606)
Date:       09 July 2003
Software:   
 - Microsoft Windows NT Server 4.0
 - Microsoft Windows NT Server 4.0, Terminal Server Edition 
 - Microsoft Windows 2000
 - Windows XP Professional 
Impact:     Allow an attacker to execute code of their choice
Max Risk:   Important
Bulletin:   MS03-024

Microsoft encourages customers to review the Security Bulletins 
at: http://www.microsoft.com/technet/security/bulletin/MS03-
024.asp
http://www.microsoft.com/security/security_bulletins/ms03-024.asp
- - -----------------------------------------------------------------

Issue:
======
Server Message Block (SMB) is the Internet Standard protocol that
Windows uses to share files, printers, serial ports, and to
communicate between computers using named pipes and mail slots.
In a networked environment, servers make file systems and 
resources available to clients. Clients make SMB requests for 
resources, and servers make SMB responses in what's described as 
a client server request-response protocol. 

A flaw exists in the way that the server validates the parameters
of an SMB packet. When a client system sends an SMB packet to the
server system, it includes specific parameters that provide the
server with a set of "instructions." In this case, the server is
not properly validating the buffer length established by the 
packet. If the client specifies a buffer length that is less than 
what is needed, it can cause the buffer to be overrun. 

By sending a specially crafted SMB packet request, an attacker
could cause a buffer overrun to occur. If exploited, this could
lead to data corruption, system failure, or-in the worst case-
it could allow an attacker to run the code of their choice.
An attacker would need a valid user account and would need to
be authenticated by the server to exploit this flaw.

Mitigating Factors:
====================
 - Windows Server 2003 is not affected by this vulnerability.
 - By default, it is not possible to exploit this flaw 
anonymously. The attacker would have to be authenticated by the 
server prior to attempting to send a SMB packet to it.
 - Blocking port 139/445 at the firewall will prevent the
possibility of an attack from the Internet.

Risk Rating:
============
 - Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read 
the Security Bulletins at 
http://www.microsoft.com/technet/security/bulletin/ms03-024.asp
http://www.microsoft.com/security/security_bulletins/ms03-024.asp

for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks  Jeremy Allison and Andrew Tridgell, Samba 
Team for reporting this issue to us and working with us to 
protect customers.
- - -----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL 
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT 
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL 
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPwxcW40ZSRQxA/UrAQGH+ggAkkkYxL2EcptHtP3WAHCYp00a9OZ7NDYg
nN49feSUNjHiQcPgxs7o4JN20t6sS1SANeweKc1DZLsPcc60L0XSBA1DiA5iwxIY
Hh3h4V91BvUqF7z7H7ciaKm8YGv5Z1Sl5BO4NvM8Yo7uo6/gRxzgR8nzma2D6W15
RjDgvtahnBw47t3kEA6E/IoeqTI6sc7GmsCna3NPW1dPAVBYnHWP5jgauhXqxyER
1aioIvZkuwiYa/OcTv/oXhxueloubwXbvByFTuVKUiIAasAWWQ7Yd5WyKP1RoacW
0C0CRwX5KUXNsaS34GLK1AvQwvk+rya/epcmay4AQYHugy+eZ5RJNQ==
=1WAq
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more
 information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp
 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described
 below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC