
Thread: MS 1st critical update of 2003

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    390

    MS 1st critical update of 2003

    FYI: WinNT 4.0, Win2000, WinXP

    MS Security Bulletins

    Microsoft Security Bulletin MS03-001

    Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)

    Originally posted: January 22, 2003
    Summary

    Who should read this bulletin: Customers using Microsoft® Windows® NT 4.0, Windows 2000, or Windows XP.

    Impact of vulnerability: Run code of the attacker’s choice

    Maximum Severity Rating: Critical

    Recommendation: Customers running Windows NT 4.0 domain controllers or Windows 2000 domain controllers should apply the patch immediately. Customers should install the patch at the earliest opportunity on systems running Windows NT 4.0 (workstations and member servers), Windows 2000 (workstations and member servers), and Windows XP.

    Affected Software:

    * Microsoft Windows NT 4.0
    * Microsoft Windows NT 4.0, Terminal Server Edition
    * Microsoft Windows 2000
    * Microsoft Windows XP

    End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/se...s/ms03-001.asp

    Technical details

    Technical description:

    The Microsoft Locator service is a name service that maps logical names to network-specific names. It ships with Windows NT 4.0, Windows 2000, and Windows XP. By default, the Locator service is enabled only on Windows 2000 domain controllers and Windows NT 4.0 domain controllers; it is not enabled on Windows NT 4.0 workstations or member servers, Windows 2000 workstations or member servers, or Windows XP.

    A security vulnerability results from an unchecked buffer in the Locator service. By sending a specially malformed request to the Locator service, an attacker could cause the Locator service to fail, or to run code of the attacker's choice on the system.

    Mitigating factors:

    * The Locator service is not enabled by default on any affected versions of Windows with the exception of Windows 2000 domain controllers and Windows NT 4.0 domain controllers.
    * A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack.

    Severity Rating:
    Windows NT 4.0 (Workstations and Member Servers): Moderate
    Windows NT 4.0 (Domain Controllers Only): Critical
    Windows NT 4.0, Terminal Server Edition: Moderate
    Windows 2000 (Workstations and Member Servers): Moderate
    Windows 2000 (Domain Controllers Only): Critical
    Windows XP: Moderate
    The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

    Vulnerability identifier: CAN-2003-0003

    Tested Versions:
    Microsoft tested Windows NT 4.0, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. The Locator service was not available in versions of Windows prior to Windows NT 4.0.

    Frequently asked questions

    What’s the scope of the vulnerability?

    This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause the Locator service to fail, or could cause code of the attacker's choice to be executed with system privileges.

    The Locator service is not enabled by default except on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack.

    What causes the vulnerability?

    The vulnerability results because of an unchecked buffer in the Microsoft Locator service. If the Locator service was called using a specially malformed argument, it could have the effect of overrunning the buffer.

    What is the Locator service?

    The Microsoft Locator service is a name service that maps names to objects. The name is a logical name that is easy for users to recognize and use. The Locator service ships with Windows NT 4.0, Windows 2000, and Windows XP.

    What is the Locator service used for?

    A client that is going to make a Remote Procedure Call (RPC) can call the Locator service to resolve a logical name for a network object to a network-specific name for use in the RPC. For example, if a print server has the logical name "laserprinter", an RPC client could call the Locator service to find out the network-specific name that mapped to "laserprinter". The RPC client uses the network-specific name when it makes the RPC call to the service.

    By default, the Locator service is only enabled on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. An administrator could enable the Locator service on any Windows NT 4.0, Windows 2000, or Windows XP system.

    What is a Remote Procedure Call?

    A Remote Procedure Call is an interprocess communication technique which allows client/server software to communicate. RPC can be used in client/server applications based on Microsoft Windows operating systems and can also be used in heterogeneous network environments that include other operating systems.

    What's wrong with Locator service?

    There is a flaw in the way the Locator service handles certain parameter information that is passed to it. Specially malformed parameter data could be passed to the Locator service and could cause a buffer to be overrun.

    What could this vulnerability enable an attacker to do?

    If an attack were successful, this vulnerability could enable an attacker to cause the Locator service to fail, or to be able to run code on the system.

    How could an attacker exploit this vulnerability?

    An attacker could seek to exploit this vulnerability by forming an RPC call that would employ the Locator service to resolve a logical name, and using the RPC call to pass specially malformed data.

    Because a properly configured firewall that blocked NetBIOS traffic would block access to the Locator service from the Internet, a successful attack would need to be launched from an organization’s internal network.

    Does the Locator service require authentication?

    No, the system making the RPC request does not have to be authenticated by the system running the Locator service.

    Could this vulnerability be exploited from the Internet?

    A properly-configured firewall would block the calls to the Locator service, which would protect an affected machine from an Internet-based attack. An attacker would be much more likely to attempt to exploit this vulnerability from an organization’s internal network.

    How do I tell if the Locator service is enabled?

    The status of the "Remote Procedure Call (RPC) Locator" service and how it is started (automatically or manually) can be viewed in the Control Panel. For Windows 2000 and Windows XP, use Control Panel | Administrative Tools | Services, and on Windows NT 4.0, use Control Panel | Services.

    It is also possible to determine the status of the Locator service from the command line by entering:

    net start

    A list of services will be displayed. If "Remote Procedure Call (RPC) Locator" appears in the list, then the locator service is running.

    If I am not using the Locator service, can I disable it?

    Yes. An administrator can disable the Locator service by setting the RpcLocator service status to "disabled" in the services control panel.

    The service can also be stopped via the command line using the sc.exe program, which ships with Windows XP and is included as part of the Windows 2000 Resource Kit. The following command will stop the service:

    sc stop RpcLocator

    To disable the service using the command line tool, use the following:

    sc config RpcLocator start= disabled
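    The status check and the two sc.exe commands above, wrapped in a small audit script. This is an added example, not part of the bulletin or of the original post. It assumes Python 3 on the Windows host, wraps the bulletin's own commands (net start, sc query, sc stop, sc config start= disabled), and parses their output; the sample outputs embedded in the block are constructed to resemble real ones so the parsers can be exercised anywhere. The stop/disable commands are only issued when the script is run with --disable. Note the exact match on the full display name: a looser match on "RPC" would also hit the separate "Remote Procedure Call (RPC)" service, which must not be stopped.

```python
"""Audit, and optionally disable, the "Remote Procedure Call (RPC) Locator" service.

Added example for the bulletin's "How do I tell if the Locator service is
enabled?" and "can I disable it?" answers; not Microsoft's code and not from
the original post.  It wraps the commands the bulletin gives (net start,
sc stop, sc config start= disabled) and parses their output.  Requires
Python 3 on Windows; sc.exe ships with XP and is in the Windows 2000
Resource Kit, as the bulletin notes.
"""
import subprocess
import sys

LOCATOR_DISPLAY_NAME = "Remote Procedure Call (RPC) Locator"   # name shown by 'net start'
LOCATOR_SERVICE_NAME = "RpcLocator"                            # name used by sc.exe

# Constructed sample outputs (not captured from a real host) so the parsers
# can be exercised on any platform.  The plain "Remote Procedure Call (RPC)"
# line is the unrelated core RPC service, which must never be stopped.
SAMPLE_NET_START = """These Windows 2000 services are started:

   Computer Browser
   Event Log
   Remote Procedure Call (RPC)
   Remote Procedure Call (RPC) Locator
   Server

The command completed successfully.
"""

SAMPLE_SC_QUERY = """SERVICE_NAME: RpcLocator
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def running_services(net_start_output):
    """Set of service display names listed by 'net start'.

    The command prints a header, one indented display name per line, then a
    trailing status line; only the indented non-blank lines are service names.
    """
    return {line.strip() for line in net_start_output.splitlines()
            if line.startswith(" ") and line.strip()}


def locator_listed(net_start_output):
    """True if the Locator service is running according to 'net start'.

    Exact match on the full display name: a substring test for "RPC" would
    also match the core "Remote Procedure Call (RPC)" service.
    """
    return LOCATOR_DISPLAY_NAME in running_services(net_start_output)


def sc_query_state(sc_output):
    """STATE word (RUNNING, STOPPED, ...) from 'sc query <service>' output.

    Returns None when no STATE line is present, e.g. when sc reports
    "OpenService FAILED 1060" because the service is not installed.
    """
    for line in sc_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() == "STATE":
            parts = value.split()            # e.g. ['4', 'RUNNING']
            if len(parts) >= 2:
                return parts[-1].upper()
    return None


def disable_commands(service=LOCATOR_SERVICE_NAME):
    """The bulletin's two sc.exe invocations as argv lists.

    sc.exe's option syntax requires a space after 'start=', so the value is
    passed as a separate argument.
    """
    return [["sc", "stop", service],
            ["sc", "config", service, "start=", "disabled"]]


def _run(argv):
    """Run a command and return its stdout (sc.exe prints its errors there too)."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def audit(disable=False):
    """Report the Locator service state; with disable=True, stop and disable it."""
    if not sys.platform.startswith("win"):
        print("This audit only runs on Windows.")
        return None
    listed = locator_listed(_run(["net", "start"]))
    state = sc_query_state(_run(["sc", "query", LOCATOR_SERVICE_NAME]))
    print("Locator listed by 'net start': %s; sc query state: %s" % (listed, state))
    if disable and state is not None:        # None means sc.exe found no such service
        for argv in disable_commands():
            print(" ".join(argv))
            print(_run(argv))
    return state


if __name__ == "__main__":
    audit(disable="--disable" in sys.argv)
```

    Run it without arguments to report only; with --disable it carries out the bulletin's stop-and-disable sequence. On Windows NT 4.0, where sc.exe is not available, the sc query step reports None and the services control panel route from the bulletin applies instead.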

    What systems would be at greatest risk from this vulnerability?

    Only Windows 2000 domain controllers and Windows NT 4.0 domain controllers have the Locator service enabled by default, so those would be the systems at greatest risk. The Locator service can be enabled on Windows NT 4.0, Windows NT 4.0, Terminal Server Edition, Windows 2000, and Windows XP.

    What does the patch do?

    The patch addresses the vulnerability by correctly handling the information passed to the RPC Locator service.

    Patch availability

    Download locations for this patch

    * Windows NT 4.0:
        o All except Japanese NEC and Chinese - Hong Kong
        o Japanese NEC
        o Chinese - Hong Kong
    * Windows NT 4.0, Terminal Server Edition:
        o All
    * Windows 2000:
        o All except Japanese NEC
        o Japanese NEC
    * Windows XP:
        o 32-bit Edition
        o 64-bit Edition

    Additional information about this patch

    Installation platforms:

    * The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
    * The Windows NT 4.0, Terminal Server Edition patch can be installed on systems running Windows NT 4.0, Terminal Server Edition Service Pack 6.
    * The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
    * The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1.

    Inclusion in future service packs:
    The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 2.

    Reboot needed: Yes

    Patch can be uninstalled: Yes

    Superseded patches: None.

    Verifying patch installation:

    * Windows NT 4.0:
      To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 810833 are present on the system.
    * Windows NT 4.0 Terminal Server Edition:
      To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 810833 are present on the system.
    * Windows 2000:
      To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833.
      To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833\Filelist.
    * Windows XP:
        o If installed on Windows XP Gold:
          To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q810833.
          To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q810833\Filelist.
        o If installed on Windows XP Service Pack 1:
          To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q810833.
          To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q810833\Filelist.
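    The registry checks above as a script. This is an added example, not Microsoft's code and not from the original post. It assumes Python 3 on the Windows host and uses only the key paths the bulletin lists; the entries under Filelist are enumerated generically, without assuming any particular value names. One thing worth noticing in those paths: each key sits under the service pack the fix will later be rolled into (Windows 2000 SP4; XP SP1 for a Gold install, XP SP2 for an SP1 install), not under the service pack currently installed, so a check that guesses the key from the installed SP would look in the wrong place. Windows NT 4.0 has no such key; the bulletin points to the KB 810833 file manifest, which is not reproduced here.

```python
"""Verify that patch Q810833 (MS03-001) is recorded in the registry.

Added example for the bulletin's "Verifying patch installation" steps; not
Microsoft's code and not from the original post.  Key paths are the ones the
bulletin lists; NT 4.0 is verified by file manifest instead.
"""
import sys

# (platform, installed service pack) -> registry key named in the bulletin.
_PATCH_KEYS = {
    ("Windows 2000", "SP2"): r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833",
    ("Windows 2000", "SP3"): r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q810833",
    ("Windows XP", "Gold"): r"HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q810833",
    ("Windows XP", "SP1"): r"HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q810833",
}

_HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                 "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}


def patch_registry_key(platform, service_pack):
    """Key whose presence marks Q810833 as installed; None for NT 4.0 (file manifest).

    Raises ValueError for platform/SP pairs the bulletin does not cover (the
    Windows 2000 patch installs on SP2 or SP3, the XP patch on Gold or SP1).
    """
    if platform.startswith("Windows NT 4.0"):
        return None
    try:
        return _PATCH_KEYS[(platform, service_pack)]
    except KeyError:
        raise ValueError("no Q810833 key for %s %s" % (platform, service_pack))


def split_registry_path(path):
    r"""Split 'HKLM\a\b' into ('HKEY_LOCAL_MACHINE', 'a\b'), expanding hive aliases.

    The bulletin writes the Windows 2000 keys with the long hive name and the
    XP keys with 'HKLM'; winreg exposes hives under the long names.
    """
    hive, _, subkey = path.partition("\\")
    hive = hive.upper()
    return _HIVE_ALIASES.get(hive, hive), subkey


def _enumerate(func, key):
    """Collect results of winreg.EnumKey/EnumValue until ERROR_NO_MORE_ITEMS."""
    items, index = [], 0
    while True:
        try:
            items.append(func(key, index))
        except OSError:                      # end of enumeration
            return items
        index += 1


def patch_installed(platform, service_pack):
    """(installed, file_entries) for the bulletin's key; Windows only.

    file_entries holds one dict per entry under the Filelist subkey, i.e. the
    per-file date/time and version data the bulletin says to use for checking
    individual files.  Value names are taken from the registry, not assumed.
    """
    key_path = patch_registry_key(platform, service_pack)
    if key_path is None:
        raise NotImplementedError("NT 4.0: compare files against the KB 810833 manifest")
    import winreg   # Windows-only module; imported lazily so the pure helpers run anywhere
    hive_name, subkey = split_registry_path(key_path)
    try:
        patch_key = winreg.OpenKey(getattr(winreg, hive_name), subkey)
    except FileNotFoundError:
        return False, []
    entries = []
    with patch_key:
        try:
            with winreg.OpenKey(patch_key, "Filelist") as filelist:
                for name in _enumerate(winreg.EnumKey, filelist):
                    with winreg.OpenKey(filelist, name) as entry:
                        entries.append({n: d for n, d, _t in _enumerate(winreg.EnumValue, entry)})
        except FileNotFoundError:
            pass            # patch key present without Filelist: still counts as installed
    return True, entries


if __name__ == "__main__":
    if not sys.platform.startswith("win") or len(sys.argv) != 3:
        print('usage (Windows only): verify_q810833.py "Windows XP" SP1')
    else:
        installed, files = patch_installed(sys.argv[1], sys.argv[2])
        print("Q810833 installed:", installed)
        for entry in files:
            print(entry)
```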

    Caveats:
    None

    Localization:
    Localized versions of this patch are available at the locations discussed in "Patch Availability".

    Obtaining other security patches:
    Patches for other security issues are available from the following locations:

    * Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
    * Patches for consumer platforms are available from the WindowsUpdate web site

    Other information:

    Acknowledgments

    Microsoft thanks David Litchfield of Next Generation Security Software Ltd. (http://www.nextgenss.com) for reporting this issue to us and working with us to protect customers.

    Support:

    * Microsoft Knowledge Base article 810833 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
    * Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

    Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

    Disclaimer:
    The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

    Revisions:

    * V1.0 (January 22, 2003): Bulletin Created.
    just like water off a duck's back... I AM HERE.

    for CMOS help, check out my CMOS tut?

  2. #2
    gore, Senior Member
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    lol, WOW, that sure took long before the usual "hey guys, we did it again"..... I just had a thought: I usually write my own funny stories and post 'em here for everyone. I think I'm gonna do a remake of Britney Spears' "Oops I Did It Again", except I'm gonna change the lyrics around to be about Microsoft's Service Packs. lol, man, I'll have to do this one after school tonight, but it'll be fun, lol. lol, thanks qwerty, you inspired me.
