O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution

REVISION HISTORY:
10/17/03 - updated to show that Internet Security Systems (ISS) has updated 
           packages for Internet Scanner, System Scanner, RealSecure Network and 
           Server, and Proventia; and added a link to Internet Security Systems, 
           CERT Advisory CA-2003-27, and Symantec.
	
10/30/03 - Microsoft released a revised security patch for Windows 2000, 
           Windows XP, and Windows Server 2003 to address the problem 
           described in their Knowledge Base Article #830846 where 
           installation of the previous patch may stop responding (hang). 
           The revised patch contains version 5.4.1.0 of Update.exe. 
           Version 5.4.1.0 or later versions of Update.exe no longer require 
           the Debug Programs user right.

		   
   
[***** Start MS03-043 *****]

Microsoft Security Bulletin MS03-043  

Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
Issued: October 15, 2003
Version Number: 1.0 


Summary

Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should disable the Messenger Service immediately and evaluate 
their need to deploy the patch

Patch Replacement: None

Caveats: None

Tested Software and Patch Download Locations: 


Affected Software: 

Microsoft Windows NT Workstation 4.0, Service Pack 6a - Download the patch 
Microsoft Windows NT Server 4.0, Service Pack 6a - Download the patch 
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 - Download the 
patch 
Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4 - Download the patch 
Microsoft Windows XP Gold, Service Pack 1 - Download the patch 
Microsoft Windows XP 64-bit Edition - Download the patch 
Microsoft Windows XP 64-bit Edition Version 2003 - Download the patch 
Microsoft Windows Server 2003 - Download the patch 
Microsoft Windows Server 2003 64-bit Edition - Download the patch 

Non Affected Software: 

Microsoft Windows Millennium Edition 

The software listed above has been tested to determine if the versions are affected. 
Other versions are no longer supported, and may or may not be affected.


Technical Details

Technical Description:

A security vulnerability exists in the Messenger Service that could allow arbitrary code 
execution on an affected system. The vulnerability results because the Messenger Service 
does not properly validate the length of a message before passing it to the allocated 
buffer.

An attacker who successfully exploited this vulnerability could be able to run code with 
Local System privileges on an affected system, or could cause the Messenger Service to 
fail. The attacker could then take any action on the system, including installing programs, 
viewing, changing or deleting data, or creating new accounts with full privileges.


Mitigating factors: 

Messages are delivered to the Messenger service via NetBIOS or RPC. If users have 
  blocked the NetBIOS ports (ports 137-139) - and UDP broadcast packets using a firewall, 
  others will not be able to send messages to them on those ports. Most firewalls, 
  including Internet Connection Firewall in Windows XP, block NetBIOS by default. 
Disabling the Messenger Service will prevent the possibility of attack. 
On Windows Server 2003 systems, the Messenger Service is disabled by default. 


Severity Rating:
**************************************************************
Windows NT                                        Critical 
**************************************************************
Windows Server NT 4.0 Terminal Server Edition     Critical 
**************************************************************
Windows 2000                                      Critical 
**************************************************************
Windows XP                                        Critical 
**************************************************************
Windows Server 2003                               Moderate 
**************************************************************

The above assessment is based on the types of systems affected by the vulnerability, their 
typical deployment patterns, and the effect that exploiting the vulnerability would have 
on them. 

Vulnerability identifier: CAN-2003-0717


Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the 
underlying vulnerability however they help block known attack vectors. Workarounds may 
cause a reduction in functionality in some cases – in such situations this is identified 
below.

Use a personal firewall such as Internet Connection Firewall (only available on XP and 
  Windows Server 2003). 

  If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 
  to protect your Internet connection, it will by default block inbound RPC traffic from 
  the Internet.

  To enable Internet Connection Firewall feature using the Network Setup Wizard: 

  1.  Run the Network Setup Wizard. To access this wizard, point to Control Panel, double-
      click Network and Internet Connections, and then click Setup or change your home or 
      small office network. 
  2.  The Internet Connection Firewall is enabled when you choose a configuration in the 
      wizard that indicates that your computer is connected directly to the Internet. 

  To configure Internet Connection Firewall manually for a connection: 

  1.  In Control Panel, double-click Networking and Internet Connections, and then click 
      Network Connections. 
  2.  Right-click the connection on which you would like to enable ICF, and then click 
      Properties. 
  3.  On the Advanced tab, click the box to select the option to Protect my computer or 
      network. 
  4.  If you want to enable the use of some applications and services through the firewall, 
      you need to enable them by clicking the Settings button, and then selecting the 
      programs, protocols, and services to be enabled for the ICF configuration. 

Disable the Messenger Service 

  Disabling the messenger service will prevent the possibility of an attack. You can 
  disable the messenger service by performing the following:

  1.  Click Start, and then click Control Panel (or point to Settings, and then click 
      Control Panel). 
  2.  Double-click Administrative Tools. 
  3.  Double-click Services. 
  4.  Double-click Messenger. 
  5.  In the Startup type list, click Disabled. 
  6.  Click Stop, and then click OK.


  Impact of Workaround: If the Messenger service is disabled, messages from the Alerter 
  service (for example notifications from your backup software or Uninterruptible Power 
  Supply) are not transmitted. If the Messenger service is disabled, any services that 
  explicitly depend on the Messenger service do not start, and an error message is logged 
  in the System event log.



Security Patch Information

Installation platforms and Prerequisites: 

For information about the specific security patch for your platform, click the appropriate 
link: 

Windows Server 2003 (all versions)
Windows XP (all versions)
Windows 2000
Windows NT 4.0 (all versions)


Acknowledgments

Microsoft thanks the following for working with us to protect customers: 

The Last Stage of Delirium Research Group for reporting the issue in MS03-043. 


Obtaining other security patches:

Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
  easily found by doing a keyword search for "security_patch". 
Patches for consumer platforms are available from the WindowsUpdate web site 


Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. 
There is no charge for support calls associated with security patches. 


Security Resources: 

The Microsoft TechNet Security Web Site provides additional information about security 
  in Microsoft products. 
Microsoft Software Update Services: http://www.microsoft.com/sus/ 
Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. 
  Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of 
  security patches that have detection limitations with MBSA tool. 
Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 
Windows Update: http://windowsupdate.microsoft.com 
Office Update: http://office.microsoft.com/officeupdate/ 


Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In no 
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation may not 
apply. 


Revisions:

V1.0 (October 15, 2003): Bulletin published.


[***** End MS03-043 *****]

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/