Results 1 to 6 of 6

Thread: Workstations gone wild!

  1. #1
    Senior Member
    Join Date
    Nov 2001

    Workstations gone wild!

    ...and right on time for the winter break.

    Although I see ric-o mentioned it here:


    i think it deserves a bit more attention as this is worm material


    As you can see, this little beauty was reported by eEye to MS in mid sept.


    This buffer overflow bug is within network management functions provided by the DCE/RPC service. These functions provide the ability to manage user accounts and network resources locally and remotely. Some network management functions generate a debug log file in the "debug" subdirectory located in the Windows directory.

    A logging function implemented in WKSSVC.DLL is called to write entries to the log file. In this function, the vsprintf() routine is used to create a log entry. The string arguments for this logging function are supplied as parameters to vsprintf() without any bounds checking, so if we can pass a long string argument to the logging function, then a buffer overflow will occur.

    We found some RPC functions which will accept a long string as a parameter, and will attempt to write it to the debug log file. If we specify a long string as a parameter to these RPC functions, a stack-based buffer overflow will happen in the Workstation service on the remote system. Attackers who successfully leverage this vulnerability will be executing code under the SYSTEM context of the remote host.


    A remote attacker could exploit this vulnerability to execute arbitrary code with system-level privileges or to cause a denial of service. The exploit vector and impact for this vulnerability are conducive to automated attacks such as worms

    Restrict access
    You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 138, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

    ((As a work-around ms suggests you can dis-able the workststion service....rright!))

    "If the Workstation service is disabled, the system cannot connect to any shared file resources or shared print resources on a network. Only use this workaround on stand-alone systems (such as many home systems) that do not connect to a network. If the Workstation service is disabled, any services that explicitly depend on the Workstation service do not start, and an error message is logged in the system event log. The following services depend on the Workstation service:

    Net Logon
    RPC Locator

    These services are required to access resources on a network and to perform domain authentication. Internet connectivity and browsing for stand-alone systems, such as users on dial-up connections, on DSL connections, or on cable modem connections, should not be affected if these services are disabled.


    ((The patch can be obtained threw this link)

    Non Affected Software

    Microsoft Windows NT Workstation 4.0, Service Pack 6a
    Microsoft Windows NT Server 4.0, Service Pack 6a
    Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
    Microsoft Windows Millennium Edition
    Microsoft Windows XP 64-Bit Edition Version 2003
    Microsoft Windows Server 2003
    Microsoft Windows Server 2003 64-Bit Edition
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Thanks Tedob1. I had opened up port 139 on my firewall a few days ago to do some testing from school. After reading this I went straight to my router config page and closed it up again. Thanks again.

    I just installed the update on one of my XP pro boxes, and before it started it said something about software without the microsoft logo was attempted to be installed on my computer and that it wouldn't be installed. I clicked ok and it went on to install the updates like normal. About ten minutes before I had run it on a diff XP pro box without this initial message, anyone else get this, or know anything about it?

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    It'll get worse pretty soon. I just saw a proof-of-concept posted on Bugtraq for that workstation hole.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Another very odd thing happened. I just got home from school and turned on my win98se computer. Before windows started to load at boot it asked me if I wanted to start the workstation service. Is this microsoft that implemented this. It's kindof wierd for that to happen right as this flaw is released. I said yes and it gave me an error that flashed too quickly to read, I saw something about netbios, but when I went to nework neighborhood everything was fine with that. Any ideas as to what this is about?

  5. #5
    oldie ric-o's Avatar
    Join Date
    Nov 2002

    Thumbs up Worms a-coming is right!

    i think it deserves a bit more attention as this is worm material
    You are dead on Tedob1...worms will probably be coming.

    Great post! Thanks for the good additional info!

  6. #6
    Senior Member
    Join Date
    Nov 2001
    h3r3tic the exploit code does attempt a null connection to ipc$ but i haven't had time to compile it yet to see exectly what it does

    Proof of concept for MS03-049.
    This code was tested on a Win2K SP4 with FAT32 file system, and is supposed
    to work *only* with that (it will probably crash the the other 2Ks, no clue
    about XPs).


    ret = WNetAddConnection2(&netResource, "", "", 0); // attempt a null session
    if (ret != 0)
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts