...and right on time for the winter break.
Although I see ric-o mentioned it here:
http://www.antionline.com/showthread...hreadid=250848
I think it deserves a bit more attention, as this is worm material.
CAN-2003-0812
As you can see, this little beauty was reported by eEye to MS in mid-September.
http://www.eeye.com/html/Research/Ad...D20031111.html
This buffer overflow bug is within network management functions provided by the DCE/RPC service. These functions provide the ability to manage user accounts and network resources locally and remotely. Some network management functions generate a debug log file in the "debug" subdirectory located in the Windows directory.
A logging function implemented in WKSSVC.DLL is called to write entries to the log file. In this function, the vsprintf() routine is used to create a log entry. The string arguments for this logging function are supplied as parameters to vsprintf() without any bounds checking, so if we can pass a long string argument to the logging function, then a buffer overflow will occur.
We found some RPC functions which will accept a long string as a parameter, and will attempt to write it to the debug log file. If we specify a long string as a parameter to these RPC functions, a stack-based buffer overflow will happen in the Workstation service on the remote system. Attackers who successfully leverage this vulnerability will be executing code under the SYSTEM context of the remote host.
http://www.cert.org/advisories/CA-2003-28.html
A remote attacker could exploit this vulnerability to execute arbitrary code with system-level privileges or to cause a denial of service. The exploit vector and impact for this vulnerability are conducive to automated attacks such as worms.
Restrict access
You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 138, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
((As a workaround MS suggests you can disable the Workstation service... right!))
"If the Workstation service is disabled, the system cannot connect to any shared file resources or shared print resources on a network. Only use this workaround on stand-alone systems (such as many home systems) that do not connect to a network. If the Workstation service is disabled, any services that explicitly depend on the Workstation service do not start, and an error message is logged in the system event log. The following services depend on the Workstation service:
Alerter
Browser
Messenger
Net Logon
RPC Locator
These services are required to access resources on a network and to perform domain authentication. Internet connectivity and browsing for stand-alone systems, such as users on dial-up connections, on DSL connections, or on cable modem connections, should not be affected if these services are disabled."
http://www.microsoft.com/technet/tre...n/MS03-049.asp
((The patch can be obtained through this link:))
Non Affected Software
Microsoft Windows NT Workstation 4.0, Service Pack 6a
Microsoft Windows NT Server 4.0, Service Pack 6a
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
Microsoft Windows Millennium Edition
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
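An added example to go with the eEye description above (this is not eEye's, Microsoft's or the poster's code, and nothing in it is taken from WKSSVC.DLL): the vsprintf() logging pattern eEye describes, a fixed-size stack buffer filled from caller-supplied string arguments with no bounds check, placed next to a vsnprintf() version that reports truncation instead of running off the end of the buffer. The 256-byte buffer, the function names, the "user=%s" format and the long 'A' string standing in for an RPC string parameter are all assumptions for illustration.

```c
/*
 * Added example (not eEye's, Microsoft's or the original poster's code).
 * It reproduces the *pattern* eEye describes for WKSSVC.DLL: a logging
 * routine that formats caller-supplied strings into a fixed-size stack
 * buffer with vsprintf() and no bounds check.  Buffer size, function
 * names and the sample "RPC parameter" are assumptions for illustration;
 * nothing here is taken from the real Workstation service.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256   /* assumed size of the on-stack log line buffer */

/* Vulnerable pattern: vsprintf() writes however many bytes the arguments
 * need; a long %s argument runs past the end of 'line' into saved
 * registers and the return address (stack-based overflow).  Only ever
 * call this with input known to fit, the way main() below does. */
void log_entry_unsafe(const char *fmt, ...)
{
    char line[LOG_LINE_MAX];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(line, fmt, ap);           /* BUG: no bound on the destination */
    va_end(ap);
    fputs(line, stderr);
}

/* Dry run: how many bytes (excluding the NUL) would vsprintf() write for
 * these arguments?  vsnprintf(NULL, 0, ...) returns that length without
 * writing anything, which is how a reviewer can size the overrun. */
int formatted_length(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened pattern: vsnprintf() never writes more than sizeof(line) bytes
 * and returns the length it *wanted*; the caller learns whether the entry
 * was truncated instead of silently corrupting the stack.  Returns 1 if the
 * full entry fit, 0 if it was truncated (NUL-terminated either way). */
int log_entry_safe(const char *fmt, ...)
{
    char line[LOG_LINE_MAX];
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);
    fputs(line, stderr);
    return needed >= 0 && (size_t)needed < sizeof line;
}

/* Bytes by which the unsafe logger would overrun its buffer for a %s
 * argument of arg_len 'A's under the assumed format "user=%s\n";
 * 0 if the entry (including its NUL) would have fit. */
int overrun_bytes_for_arg(size_t arg_len)
{
    char arg[4096];
    if (arg_len >= sizeof arg) arg_len = sizeof arg - 1;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    int n = formatted_length("user=%s\n", arg);   /* bytes vsprintf would write */
    int needed = n + 1;                            /* plus the terminating NUL */
    return needed > LOG_LINE_MAX ? needed - LOG_LINE_MAX : 0;
}

int main(void)
{
    log_entry_unsafe("user=%s\n", "alice");       /* fits: harmless */

    /* Constructed "RPC parameter": a 1023-byte string as an attacker would pass. */
    char big[1024];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("unsafe logger would overrun by %d bytes\n", overrun_bytes_for_arg(1023));
    printf("safe logger fit=%d\n", log_entry_safe("user=%s\n", big));
    return 0;
}
```

The point of the dry-run helper is that the damage is entirely under the caller's control: every byte of the string argument beyond what the buffer holds lands on the stack, which is why eEye could turn a remote RPC parameter into SYSTEM-level code execution. The vsnprintf() version keeps the same log format and only changes the failure mode from "overwrite the stack" to "truncate and tell the caller".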
