Microsoft Security Bulletin MS03-043

Microsoft Security Bulletin MS03-043

Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Issued: October 15, 2003
Version Number: 1.0

Summary
Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should disable the Messenger Service immediately and evaluate their need to deploy the patch

Patch Replacement: None

Caveats: None

Tested Software and Patch Download Locations:

Affected Software:
Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download the patch
Microsoft Windows NT Server 4.0, Service Pack 6a - Download the patch
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 - Download the patch
Microsoft Windows 2000, Service Pack 2 - Download the patch
Microsoft Windows 2000, Service Pack 3, Service Pack 4 - Download the patch
Microsoft Windows XP Gold, Service Pack 1 - Download the patch
Microsoft Windows XP 64-bit Edition - Download the patch
Microsoft Windows XP 64-bit Edition Version 2003 - Download the patch
Microsoft Windows Server 2003 - Download the patch
Microsoft Windows Server 2003 64-bit Edition - Download the patch
Non Affected Software:

Microsoft Windows Millennium Edition
The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.

Technical Details
Technical Description:

A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.

An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

Mitigating factors:

Messages are delivered to the Messenger service via NetBIOS or RPC. If users have blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, others will not be able to send messages to them on those ports. Most firewalls, including Internet Connection Firewall in Windows XP, block NetBIOS by default.
Disabling the Messenger Service will prevent the possibility of attack.
On Windows Server 2003 systems, the Messenger Service is disabled by default.

Severity Rating:

Windows NT Critical
Windows Server NT 4.0 Terminal Server Edition Critical
Windows 2000 Critical
Windows XP Critical
Windows Server 2003 Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0717

Workarounds
Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases – in such situations this is identified below.

Use a personal firewall such as Internet Connection Firewall (only available on XP and Windows Server 2003).
If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet.

To enable Internet Connection Firewall feature using the Network Setup Wizard:

Run the Network Setup Wizard. To access this wizard, point to Control Panel, double-click Network and Internet Connections, and then click Setup or change your home or small office network.
The Internet Connection Firewall is enabled when you choose a configuration in the wizard that indicates that your computer is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection:

In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
Right-click the connection on which you would like to enable ICF, and then click Properties.
On the Advanced tab, click the box to select the option to Protect my computer or network.
If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.
Disable the Messenger Service
Disabling the messenger service will prevent the possibility of an attack. You can disable the messenger service by performing the following:

Click Start, and then click Control Panel (or point to Settings, and then click Control Panel).
Double-click Administrative Tools.
Double-click Services.
Double-click Messenger.
In the Startup type list, click Disabled.
Click Stop, and then click OK.
Impact of Workaround: If the Messenger service is disabled, messages from the Alerter service (for example notifications from your backup software or Uninterruptible Power Supply) are not transmitted. If the Messenger service is disabled, any services that explicitly depend on the Messenger service do not start, and an error message is logged in the System event log.

Frequently Asked Questions
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

What is the Windows Messenger Service?
The Messenger service is a Windows service that transmits net send messages and messages that are sent through the Alerter service between client computers and servers. For example, the Messenger service can be used by network administrators to send administrative alerts to network users. The Messenger service can also be used by Windows and other software programs. For example, Windows may use it to inform you when a print job is completed or when you lose power to your computer and switch to a Uninterruptible Power Supply (UPS). The Messenger service is not related to your Web browser, e-mail program, Windows Messenger, or MSN Messenger.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Messenger Service. If exploited, an attacker could gain Local System privileges on an affected system, or cause the service to fail.

Is the Messenger Service the same thing as Windows Messenger or MSN Messenger?
No. It's important to note that the Messenger Service is not the same thing as Windows Messenger or MSN Messenger. Windows Messenger (http://messenger.microsoft.com) and MSN Messenger (http://messenger.msn.com) are instant messaging services that allow users to converse, share pictures, video, etc. In contrast, the Messenger service (http://support.microsoft.com/default.aspx?scid=KB;EN-US;168893&) is a simple text-only broadcast service that's typically used by administrators to send alerts to users, and warn them of pending outages, server maintenance, etc.

What's wrong with the Messenger Service?
The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.

What could this vulnerability enable an attacker to do?
An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a specially crafted message and sending it to the Messenger Service on an affected system.

What does the patch do?
The patch eliminates the vulnerability by insuring that the Messenger Service properly validates the length of a message before passing it to the allocated buffer.

Security Patch Information
Installation platforms and Prerequisites:

For information about the specific security patch for your platform, click the appropriate link:

Windows Server 2003 (all versions)
Prerequisites

This security patch requires a released version of Windows Server 2003.

Installation Information

This security patch supports the following Setup switches:

/?: Show the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

Windowsserver2003-kb828035-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:

Windowsserver2003-kb828035-x86-enu /z
Note: These switches can be combined in one command line.

For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, Enterprise Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; and Windows Server 2003, Datacenter Edition:

Date Time Version Size File Name Folder
02-Oct-2003 22:00 5.2.3790.90 32,768 Msgsvc.dll RTMGDR

02-Oct-2003 22:00 5.2.3790.90 128,000 Wkssvc.dll RTMGDR

02-Oct-2003 21:53 5.2.3790.90 33,792 Msgsvc.dll RTMQFE

02-Oct-2003 21:53 5.2.3790.90 126,976 Wkssvc.dll RTMQFE

Windows Server 2003, 64-Bit Enterprise Edition and Windows Server 2003, 64-Bit Datacenter Edition:

Date Time Version Size File Name Platform Folder
02-Oct-2003 22:02 5.2.3790.90 87,040 Msgsvc.dll IA64 RTMGDR

02-Oct-2003 22:02 5.2.3790.90 311,296 Wkssvc.dll IA64 RTMGDR

02-Oct-2003 21:53 5.2.3790.90 90,112 Msgsvc.dll IA64 RTMQFE

02-Oct-2003 21:53 5.2.3790.90 309,760 Wkssvc.dll IA64 RTMQFE

Note When you install this security patch on a Windows Server 2003-based computer or on a Windows XP 64-Bit Edition Version 2003-based computer, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the Contents of a Windows Server 2003 Product Update Package

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828035\Filelist
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.

Windows XP (all versions)
Note For Windows XP 64-Bit Edition, Version 2003, this security patch is the same as the security patch for 64-bit versions of Windows Server 2003.

Prerequisites:

This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack
Installation Information:

This security patch supports the following Setup switches:

/?: Show the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

Windowsxp-kb828035-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:

Windowsxp-kb828035-x86-enu /z
Note: These switches can be combined in one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition

Date Time Version Size File Name
02-Oct-2003 21:59 5.1.2600.120 32,256 Msgsvc.dll (pre-SP1)

02-Oct-2003 21:59 5.1.2600.120 120,320 Wkssvc.dll (pre-SP1)

03-Oct-2003 23:18 5.1.2600.1301 32,256 Msgsvc.dll (with SP1)

03-Oct-2003 23:18 5.1.2600.1301 119,808 Wkssvc.dll (with SP1)

Windows XP 64-Bit Edition Version 2002

Date Time Version Size File Name Platform
02-Oct-2003 21:59 5.1.2600.120 93,184 Msgsvc.dll IA64 (pre-SP1)

02-Oct-2003 21:59 5.1.2600.120 327,168 Wkssvc.dll IA64 (pre-SP1)

03-Oct-2003 23:21 5.1.2600.1301 94,720 Msgsvc.dll IA64 (with SP1)

03-Oct-2003 23:21 5.1.2600.1301 325,120 Wkssvc.dll IA64 (with SP1)

Windows XP 64-Bit Edition Version 2003

Date Time Version Size File Name Platform Folder
02-Oct-2003 22:02 5.2.3790.90 87,040 Msgsvc.dll IA64 RTMGDR

02-Oct-2003 22:02 5.2.3790.90 311,296 Wkssvc.dll IA64 RTMGDR

02-Oct-2003 21:53 5.2.3790.90 90,112 Msgsvc.dll IA64 RTMQFE

02-Oct-2003 21:53 5.2.3790.90 309,760 Wkssvc.dll IA64 RTMQFE

Notes

When you install the Windows XP 64-Bit Edition Version 2003 security patch, the installer checks to see if any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. Otherwise, the installer copies the RTMGDR files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824994 Description of the Contents of a Windows Server 2003 Product Update Package

The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1). For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base:

328848 Description of Dual-Mode Hotfix Packages for Windows XP

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:

HHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828035\Filelist

For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB828035\Filelist

For Windows XP 64-Bit Edition, Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828035\Filelist

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.

Windows 2000
Prerequisites:

For Windows 2000 this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Installation Information:

This security patch supports the following Setup switches:

/?: Show the list of installation switches.
/u: Use Unattended mode.
/f: Force other programs to quit when the computer shuts down.
/n: Do not back up files for removal.
/o: Overwrite OEM files without prompting.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the patch without any user intervention, use the following command line:

Windows2000-kb828035-x86-enu /u /q
To install the security patch without forcing the computer to restart, use the following command line:

Windows2000-kb828035-x86-enu /z
Note: You can combine these switches into one command line.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828035$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date Time Version Size File Name
02-Oct-2003 21:17 5.00.2195.6861 34,064 Msgsvc.dll

02-Oct-2003 21:17 5.00.2195.6861 96,528 Wkssvc.dll

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828035\Filelist

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.

Windows NT 4.0 (all versions)
Prerequisites:

This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).

For information about the Windows desktop product life cycle, visit the following Microsoft Web site:

http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Installation Information:

This security patch supports the following Setup switches:

/y: Perform removal (only with /m or /q).
/f: Force other programs to quit during the shutdown process.
/n: Do not create an Uninstall folder.
/z: Do not restart when update completes.
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
/m: Use Unattended mode with a user interface.
/l: List the installed hotfixes.
/x: Extract the files without running Setup.

Deployment Information

To install the security patch without any user intervention, use the following command line:

Windowsnt4server-kb828035-x86-enu /q
To install the security patch without forcing the computer to restart, use the following command line:

Windowsnt4server-kb828035-x86-enu /z
Note: You can combine these switches into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx
Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Hotfix.exe utility to remove this security patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallKB828035$ folder. The utility supports the following Setup switches:

/y: Perform removal (only with /m or /q).
/f: Force programs to quit during the shutdown process.
/n: Do not create an Uninstall folder.
/z: Do not restart when update completes.
/q: Use Quiet or Unattended mode with no user interface (this switch is a superset of /m).
/m: Use Unattended mode with a user interface.
/l: List the installed hotfixes.

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT Server 4.0:

Date Time Version Size File Name
02-Oct-2003 13:28 4.00 39,184 Msgsvc.dll

14-Apr-2003 15:45 4.00 80,784 Mup.sys

10-Jun-2003 13:41 4.00 256,272 Netapi32.dll

02-Oct-2003 13:28 4.00 60,688 Wkssvc.dll

Windows NT Server 4.0, Terminal Server Edition:

Date Time Version Size File Name
02-Oct-2003 13:45 4.00 44,816 Msgsvc.dll

22-Jan-2002 23:50 4.00 82,224 Mup.sys

29-Aug-2001 01:57 4.00 255,760 Netapi32.dll

02-Oct-2003 13:44 4.00 60,688 Wkssvc.dll

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828035\File 1

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 828035 security patch into the Windows installation source files.

Acknowledgments

Microsoft thanks the following for working with us to protect customers:

The Last Stage of Delirium Research Group for reporting the issue in MS03-043.
Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.
Security Resources:

The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Microsoft Software Update Services: http://www.microsoft.com/sus/
Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool.
Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:

V1.0 (October 15, 2003): Bulletin published.