securityvulns SECURITYVULNS:DOC:5373
History: Nov 12, 2003 - 12:00 a.m.

Microsoft Security Bulletin MS03-049


Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)
Issued: November 11, 2003
Version Number: 1.0

See all Windows bulletins released November, 2003

Summary
Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch immediately.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software

Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 – Download the update
Microsoft Windows XP, Microsoft Windows XP Service Pack 1 – Download the update
Microsoft Windows XP 64-Bit Edition – Download the update
Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).
Non Affected Software

Microsoft Windows NT Workstation 4.0, Service Pack 6a
Microsoft Windows NT Server 4.0, Service Pack 6a
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
Microsoft Windows Millennium Edition
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.

Technical Details
Technical description:

A security vulnerability exists in the Workstation service that could allow remote code execution on an affected system. This vulnerability results because of an unchecked buffer in the Workstation service.

If exploited, an attacker could gain System privileges on an affected system, or could cause the Workstation service to fail. An attacker could take any action on the system, including installing programs, viewing data, changing data, or deleting data, or creating new accounts with full privileges.

Mitigating factors:

If users have blocked inbound UDP ports 138, 139, 445 and TCP ports 138, 139, 445 by using a firewall an attacker would be prevented from sending messages to the Workstation service. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default.
Disabling the Workstation service will prevent the possibility of attack. However there are a number of impacts when performing this workaround. Please see the Workaround section for more details.
Only Windows 2000 and Windows XP are affected. Other operating systems are not vulnerable to this attack.
Severity Rating:

Microsoft Windows 2000 Critical
Microsoft Windows XP Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0812

Workarounds
Microsoft has tested the following workarounds that apply to this vulnerability. These workarounds help block known attack vectors; however, they will not correct the underlying vulnerability. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Block UDP ports 138, 139, 445 and TCP ports 138, 139, 445 at your firewall.
These ports are used to accept a Remote Procedure Call (RPC) connection at a remote computer. Blocking them at the firewall will help prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability.

Use a personal firewall such as Internet Connection Firewall, which is included with Windows XP.
If you use the Internet Connection Firewall feature in Windows XP to help protect your Internet connection, Internet Connection Firewall blocks inbound traffic from the Internet or from the intranet by default.

To enable the Internet Connection Firewall feature by using the Network Setup Wizard:

Click Start, and then click Control Panel.
In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your computer is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection:

Click Start, and then click Control Panel.
In the default Category View, click Networking and Internet Connections, and then click Network Connections.
Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
Click the Advanced tab.
Select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.
Note: If you want to enable the use of some applications and services through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services.
Enable advanced TCP/IP filtering on Windows 2000-based systems and on Windows XP-based systems.
You can enable advanced TCP/IP filtering to block all unsolicited, inbound traffic. For additional information about how to configure TCP/IP filtering, click the following article number to view the article in the Microsoft Knowledge Base:

309798 HOW TO: Configure TCP/IP Filtering in Windows 2000
Disable the Workstation service.
You can disable the Workstation service to help prevent the possibility of an attack.

To disable the Workstation service on Windows XP:

Click Start, and then click Control Panel.
In the default Category View, click Performance and Maintenance.
Click Administrative Tools.
Double-click Services.
Double-click Workstation.
On the General tab, click Disabled in the Startup type list.
Click Stop under Service status, and then click OK.
To disable the Workstation service on Windows 2000:

Click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools.
Double-click Services.
Double-click Workstation.
On the General tab, click Disabled in the Startup type list.
Click Stop under Service status, and then click OK.
Impact of Workaround: If the Workstation service is disabled, the system cannot connect to any shared file resources or shared print resources on a network. Only use this workaround on stand-alone systems (such as many home systems) that do not connect to a network. If the Workstation service is disabled, any services that explicitly depend on the Workstation service do not start, and an error message is logged in the system event log. The following services depend on the Workstation service:

Alerter
Browser
Messenger
Net Logon
RPC Locator
These services are required to access resources on a network and to perform domain authentication. Internet connectivity and browsing for stand-alone systems, such as users on dial-up connections, on DSL connections, or on cable modem connections, should not be affected if these services are disabled.

Note: The Microsoft Baseline Security Analyzer will not function if the Workstation service is disabled. It is possible that other applications may also require the Workstation service. If an application requires the Workstation service, simply re-enable the service. This can be performed by changing the Startup Type for the Workstation service back to Automatic and restarting the system.

Frequently Asked Questions
What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could allow remote code execution with System privileges on an affected system, or an attacker could cause the Workstation service to fail. The attacker could then take any action on the system, including installing programs, viewing data, changing data, or deleting data, or creating new accounts with full privileges.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer within the Workstation service.

What is the Workstation Service?
Both local file system requests and remote file or print network requests are routed through the Workstation service. This service determines where the resource is located and then routes the request to the local file system or to the networking components. When the Workstation service is stopped, all requests are assumed to be local requests. For a detailed understanding of the Windows networking architecture, visit the following Microsoft Web site: http://www.microsoft.com/technet/prodtechnol/winntas/reskit/net/chptr1.asp

What could this vulnerability enable an attacker to do?
An attacker who successfully exploited this vulnerability could cause code to execute with System privileges on an affected system or could cause the Workstation service to fail. An attacker could then take any action on the system, including installing programs, viewing data, changing data, or deleting data, or creating new accounts with full privileges.

Who could exploit the vulnerability?
Any anonymous user who could deliver a malformed message to the Workstation service on an affected system could attempt to exploit this vulnerability. Because the Workstation service is enabled by default in all versions of Windows, this means that any user who could establish a connection with an affected system could attempt to exploit this vulnerability.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a specially-crafted network message and by sending the message to the Workstation service on an affected system. Receipt of such a message could cause the Workstation service on the vulnerable system to fail in such a way that could allow the Workstation service to execute code.

An attacker could also access the affected component through another vector, such as one that would involve logging onto the system interactively or by using another application that passed parameters to the vulnerable component (locally or remotely).

What does the update do?
The update eliminates the vulnerability by ensuring that the Workstation service properly validates the length of a message before passing the message to the allocated buffer.

Why does the Windows XP update reference the MS03-043 Security Bulletin?
The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).

Security Update Information
Installation platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

Windows XP (all versions)
Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035). For complete Windows XP security update details please consult the MS03-043 security bulletin.

Windows 2000 (all versions)
Prerequisites

For Windows 2000 this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

For information about the Windows desktop product life cycle, visit the following Microsoft Web site: http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx

For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 260910 How to Obtain the Latest Windows 2000 Service Pack

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following Setup switches:

/help Displays the command line options
Setup Modes

/quiet Quiet mode (no user interaction or display)
/passive Unattended mode (progress bar only)
/uninstall Uninstalls the package
Restart Options

/norestart Do not restart when installation is complete
/forcerestart Restart after installation
Special Options

/l Lists installed Windows hotfixes or update packages
/o Overwrite OEM files without prompting
/n Do not backup files needed for uninstall
/f Force other programs to close when the computer shuts down
Note: For backward compatibility, the security update also supports the setup switches used by the previous version of the setup utility, however usage of the previous switches should be discontinued as this support may be removed in future security updates.
Deployment Information

To install the security update without any user intervention, use the following command line for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb828749-x86-enu /passive /quiet
To install the security update without forcing the computer to restart, use the following command line for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb828749-x86-enu /norestart
Note: You can combine these switches into one command line.

For information about how to deploy this security update with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserversystem/sus/default.mspx

Restart Requirement

In some cases, this update does not require a reboot. The installer stops the needed services, applies the update, then restarts them. However, if the needed services cannot be stopped for any reason or if required files are in use, it will require a reboot. If this occurs, a prompt will be displayed advising of the need to reboot.

Removal Information

To remove this security update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828749$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Date Time Version Size File Name
02-Oct-2003 21:53 5.00.2195.6862 96,528 Wkssvc.dll

Verifying Update Installation

To verify that the security update is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security update installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828749\Filelist

Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the 828749 security update into the Windows installation source files.
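
Added example (not part of the Microsoft bulletin): a Python triage of host inventory records using only what this bulletin states, namely the affected and non-affected product lists, the Windows 2000 service pack prerequisite, the Wkssvc.dll version from the File Information table, and the rule that the MS03-043 (828035) update covers Windows XP but not Windows 2000. The record fields, status names and sample hosts are assumptions constructed for illustration.

```python
# Added example: triage records against MS03-049; fields and hosts are constructed.

FIXED_WKSSVC = (5, 0, 2195, 6862)   # Wkssvc.dll version in the File Information table
W2K_PREREQ_SP = {2, 3, 4}           # service packs the Windows 2000 update requires
AFFECTED = {"Windows 2000", "Windows XP", "Windows XP 64-Bit Edition"}
NOT_AFFECTED = {
    "Windows NT Workstation 4.0", "Windows NT Server 4.0",
    "Windows NT Server 4.0, Terminal Server Edition", "Windows Millennium Edition",
    "Windows XP 64-Bit Edition Version 2003", "Windows Server 2003",
    "Windows Server 2003 64-Bit Edition",
}


def parse_version(text):
    """Turn '5.00.2195.6862' into (5, 0, 2195, 6862) so fields compare as numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part file version, got {text!r}")
    return parts


def classify(host):
    """Return patched, vulnerable, workaround-only, needs-service-pack, not-affected or untested."""
    os_name, kbs = host["os"], set(host.get("kbs", ()))
    if os_name in NOT_AFFECTED:
        return "not-affected"
    if os_name not in AFFECTED:
        return "untested"           # bulletin: other versions "may or may not be affected"
    if os_name == "Windows 2000":
        # MS03-043 (828035) does not cover Windows 2000; a known file version wins.
        version = host.get("wkssvc_version")
        patched = (parse_version(version) >= FIXED_WKSSVC) if version else "828749" in kbs
    else:
        # Windows XP: the MS03-043 (828035) update already includes the fixed file.
        patched = bool(kbs & {"828749", "828035"})
    if patched:
        return "patched"
    if os_name == "Windows 2000" and host.get("sp") not in W2K_PREREQ_SP:
        return "needs-service-pack"
    if host.get("workstation_service") == "disabled":
        return "workaround-only"    # attack path closed, underlying flaw still present
    return "vulnerable"


INVENTORY = [  # constructed sample records
    {"name": "w2k-a", "os": "Windows 2000", "sp": 4, "wkssvc_version": "5.00.2195.6862"},
    {"name": "w2k-b", "os": "Windows 2000", "sp": 4, "kbs": ["828035"]},
    {"name": "w2k-c", "os": "Windows 2000", "sp": 1},
    {"name": "xp-a", "os": "Windows XP", "sp": 1, "kbs": ["828035"]},
    {"name": "xp-b", "os": "Windows XP", "sp": 0, "workstation_service": "disabled"},
    {"name": "srv-a", "os": "Windows Server 2003"},
    {"name": "old-a", "os": "Windows 98"},
]


def triage(inventory):
    return {h["name"]: classify(h) for h in inventory}


if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:8} {status}")
```

The file-version comparison follows the bulletin's "(or later)" wording for the English version of the fix; localized builds may carry different attributes.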

Acknowledgments

Microsoft thanks the following for working with us to protect customers:

eEye Digital Security for reporting the issue in MS03-049.
Obtaining other security updates:

Updates for other security issues are available from the following locations:

Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Updates for consumer platforms are available from the WindowsUpdate web site
Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.
International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at http://support.microsoft.com/common/international.aspx
Security Resources:
The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Microsoft Software Update Services: http://www.microsoft.com/sus/
Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/technet/security/tools/mbsahome.asp. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security updates that have detection limitations with MBSA tool.
Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
Windows Update: http://windowsupdate.microsoft.com
Office Update: http://office.microsoft.com/officeupdate/
Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop computers running Windows 2000 Professional or Windows XP Professional.

For information about how to deploy this security patch with Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (November 11, 2003): Bulletin published