How are the vulnerabilities discussed in this bulletin related to each other?
The vulnerabilities are related only in the sense that both affect services included in Services for Unix 2.0. We've packaged them together to make it more convenient to find and apply the fixes.
What is Services for Unix?
Services for Unix (SFU) is a set of components that can be installed on Windows NT 4.0 or Windows 2000 and make it easy for customers to integrate Windows into their existing Unix environments. It provides Windows-based implementations of common Unix tools and services, as well as providing tools that enable administrators to more easily manage heterogeneous networks.
What are the vulnerabilities?
There are two vulnerabilities:
• A vulnerability that could enable an attacker to cause the NFS service in SFU 2.0 to fail.
• A vulnerability that could enable an attacker to cause the Telnet service in SFU 2.0 to fail.
What's the scope of the first vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited it could prevent an affected system from providing file-sharing services, and potentially cause the system itself to fail and require rebooting. It would not provide any means of usurping control over the system, nor would it enable the attacker to compromise any of the files on the server.
What causes the vulnerability?
The vulnerability results because the NFS service in SFU 2.0 contains a memory leak. If a particular type of malformed request were repeatedly sent to an affected server, it could exhaust the memory on the server, potentially causing the system to fail.
What is NFS?
Network File System (NFS) is an industry standard protocol, defined in RFC 1094, that provides transparent, remote access to shared files across networks. For instance, suppose that machines A, B and C all contained data that was intended to be shared with all of the users on a network. Using NFS, users wouldn't need to know where the particular data resided in order to navigate and use it. Instead, NFS would make it appear that all of the data resided on a single, fictitious machine.
What's wrong with NFS service in SFU 2.0?
The NFS implementation in SFU 2.0 contains a memory leak that can be triggered by a particular type of request to the service.
What's a memory leak?
A memory leak is a condition that occurs when a program doesn't properly return memory to the operating system after it's done using it. One of the chief purposes of an operating system is to broker resources like memory among competing programs. When a program needs memory to carry out an operation, the operating system provides it; when the program no longer needs it, it should release the memory so the operating system can allocate it to another program.
A memory leak occurs when a programming flaw prevents the program from returning the memory when it's done using it. Rather than being made available to the operating system again, the memory remains allocated to the program even though it's no longer using it. If the leak occurs enough times, it can deplete the pool of available memory on the server to the point where the server becomes unresponsive or fails altogether.
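The bulletin does not publish the affected SFU code, so the following is an added illustration written for this page, not Microsoft's code. It shows the general shape of a request-triggered leak of the kind described above: a hypothetical network request handler that allocates a buffer per request and, on one malformed-input path, returns early without releasing it, beside a corrected handler that validates before allocating and frees on every path. The request format (a 4-byte little-endian length followed by that many payload bytes), the MAX_PAYLOAD limit, the handler names and the sample messages are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed request format (not SFU's wire format): a 4-byte little-endian
 * length, then that many payload bytes. A request is "malformed" when the
 * declared length exceeds the bytes actually received. */
#define MAX_PAYLOAD 1024

/* Allocation counters let the leak be observed without a debugger. */
static long g_allocs = 0;
static long g_frees = 0;

static void *track_malloc(size_t n) {
    void *p = malloc(n);
    if (p) g_allocs++;
    return p;
}

static void track_free(void *p) {
    if (p) { g_frees++; free(p); }
}

long outstanding_allocations(void) { return g_allocs - g_frees; }
void reset_counters(void) { g_allocs = 0; g_frees = 0; }

static uint32_t read_len_le(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Vulnerable handler: the early return on the malformed path skips the free,
 * so every malformed request leaves one buffer behind. */
int handle_request_leaky(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return -1;                 /* too short to carry a header */
    uint32_t declared = read_len_le(msg);
    if (declared > MAX_PAYLOAD) return -1;
    uint8_t *buf = track_malloc(declared ? declared : 1);
    if (!buf) return -1;
    if (msg_len - 4 < declared) {
        return -1;                              /* BUG: buf is never released */
    }
    memcpy(buf, msg + 4, declared);
    /* ... process buf ... */
    track_free(buf);
    return 0;
}

/* Fixed handler: reject the request before allocating, and free on every
 * remaining path, so repeated malformed requests cannot grow memory use. */
int handle_request_fixed(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return -1;
    uint32_t declared = read_len_le(msg);
    if (declared > MAX_PAYLOAD || msg_len - 4 < declared) return -1;
    uint8_t *buf = track_malloc(declared ? declared : 1);
    if (!buf) return -1;
    memcpy(buf, msg + 4, declared);
    /* ... process buf ... */
    track_free(buf);
    return 0;
}

/* Replay one request n times and report how many buffers are left outstanding. */
long leaked_after(int (*handler)(const uint8_t *, size_t),
                  const uint8_t *msg, size_t len, int n) {
    reset_counters();
    for (int i = 0; i < n; i++) handler(msg, len);
    return outstanding_allocations();
}

/* Constructed samples: the first claims 512 payload bytes but carries 8;
 * the second claims 4 and carries 4. */
static const uint8_t MALFORMED[]  = { 0x00, 0x02, 0x00, 0x00, 'A','B','C','D','E','F','G','H' };
static const uint8_t WELLFORMED[] = { 0x04, 0x00, 0x00, 0x00, 'A','B','C','D' };

int main(void) {
    printf("leaky handler, 1000 malformed requests: %ld buffers outstanding\n",
           leaked_after(handle_request_leaky, MALFORMED, sizeof MALFORMED, 1000));
    printf("fixed handler, 1000 malformed requests: %ld buffers outstanding\n",
           leaked_after(handle_request_fixed, MALFORMED, sizeof MALFORMED, 1000));
    printf("leaky handler, 1000 well-formed requests: %ld buffers outstanding\n",
           leaked_after(handle_request_leaky, WELLFORMED, sizeof WELLFORMED, 1000));
    return 0;
}
```

The fix is the same one the bulletin describes for both services: every code path that acquires memory must release it. Validating the request before allocating, and keeping a single release point, is what makes that property easy to check in review.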
What would this vulnerability enable an attacker to do?
An attacker could exploit this vulnerability as a means of preventing the system from providing useful service to other users. Not only would the memory leak prevent the NFS service from operating, it would slow the overall performance of the system and could potentially cause it to fail altogether.
What would be required in order to resume normal service?
The administrator would need to reboot the machine in order to free the memory and resume normal operation.
Would the vulnerability allow the attacker to take any more serious action?
No. Even though the vulnerability involves the NFS service, it wouldn't put any of the data in the file system at risk. The attacker could not use the vulnerability to compromise any of the data, nor to gain any privileges on the system.
Does the vulnerability affect any versions of SFU other than SFU 2.0?
No. It only affects the NFS service in SFU 2.0.
How does the patch eliminate the vulnerability?
The patch causes the NFS service in SFU 2.0 to correctly release all memory when it's finished using it.
What's the scope of the second vulnerability?
This is a denial of service vulnerability. The scope of this vulnerability is similar to that of the vulnerability discussed above:
• An attacker who successfully exploited it would be able to disrupt normal service on the system, including potentially causing it to fail.
• The vulnerability would not provide the attacker with the ability to usurp any kind of administrative control over the system.
• An affected system could be put back into service by rebooting.
What causes the vulnerability?
The vulnerability results because the Telnet service in SFU 2.0 contains a memory leak that could be used to slow the performance of the system or cause it to fail altogether.
Are there any differences between this vulnerability and the one affecting the NFS service?
No. This vulnerability has exactly the same cause, effect, and remediation as the one affecting the NFS service in SFU 2.0. The sole difference lies in the specific services involved in the vulnerabilities.
Does this vulnerability affect the Telnet server that ships in Windows NT 4.0 or Windows 2000?
No. Both Windows NT 4.0 and Windows 2000 ship with a native Telnet server, which is completely different from the one included in SFU 2.0. Neither is affected by this vulnerability.
How does the patch eliminate this vulnerability?
The patch eliminates the vulnerability by removing the memory leak condition and ensuring that all memory is returned to the system when no longer needed.