What's the scope of this vulnerability?
This is a denial of service vulnerability. By repeatedly sending a particular type of malformed news posting to an affected server, an attacker could degrade its performance, potentially to the point where the server would be unable to provide useful service.
The vulnerability would not enable an attacker to compromise any data on the server, or to usurp any privileges on the machine. The administrator of an affected system could restore normal service by stopping and restarting the affected system service.
What causes the vulnerability?
The vulnerability results because the NNTP service in Windows NT 4.0 and Windows 2000 contains a memory leak. If a sufficient number of postings containing a particular malformation were received, the leak could deplete the available memory to the point where the server would be incapable of performing useful work.
What's NNTP?
NNTP (Network News Transfer Protocol) is an industry-standard protocol that specifies a method for posting, distributing, searching and archiving news articles via Internet-based servers. The vulnerability results because the NNTP implementation in Windows NT 4.0 and Windows 2000 contains a memory leak that could be used to disrupt the NNTP service.
What's a memory leak?
A memory leak is an implementation error that depletes the available memory on a system. As a process on a computer runs, it may need more or less memory, depending on exactly what it is doing from one minute to the next. When the process needs more memory, it requests it from the operating system; when it no longer needs the additional memory, it should return it to the operating system so it can be allocated to other processes.
A memory leak occurs when a process doesn't correctly return memory to the operating system. Instead of becoming available for allocation to another process, the memory remains assigned to the process even though the process is no longer using it. This effectively makes the block of memory unavailable.
How does the memory leak happen in this case?
In the case of this vulnerability, the NNTP service has a memory leak that results when it processes a particular type of malformed news posting. Each time the service accepts such a posting, it requests memory from the operating system; however, it doesn't return the memory when it finishes handling the request.
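The pattern described in the preceding answer, a request handler that allocates a buffer for each posting but skips the release on one code path, is illustrated below. This is an added example written for this page, not Microsoft's NNTP code, and the "malformation" it checks for (a header line without a colon) is an arbitrary stand-in, since the bulletin does not disclose the actual one. The leaky handler is shown beside the corrected one, with a counter that tracks how many heap blocks remain held after a burst of rejected postings.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical example: counts heap blocks currently held so the leak is measurable. */
static long live_allocations = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocations++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        live_allocations--;
        free(p);
    }
}

/* Stand-in syntax check: header lines run until a blank line, and each must
 * look like "Name: value". Returns 1 if well formed, 0 otherwise. */
static int headers_well_formed(const char *article)
{
    const char *line = article;
    for (;;) {
        const char *eol = strstr(line, "\r\n");
        if (!eol)
            return 0;                         /* headers never terminated */
        if (eol == line)
            return 1;                         /* blank line ends the headers */
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (!colon || colon == line)
            return 0;                         /* header line without "Name:" */
        line = eol + 2;
    }
}

/* Leaky handler: returns 0 if the posting is accepted, -1 if rejected.
 * The early return on the rejection path skips the release of 'copy'. */
int handle_posting_leaky(const char *article)
{
    size_t len = strlen(article);
    char *copy = tracked_malloc(len + 1);
    if (!copy)
        return -1;
    memcpy(copy, article, len + 1);

    if (!headers_well_formed(copy))
        return -1;                            /* BUG: 'copy' is never freed */

    /* ... article would be stored here ... */
    tracked_free(copy);
    return 0;
}

/* Corrected handler: one exit path, so the buffer is released whether the
 * posting is accepted or rejected. */
int handle_posting_fixed(const char *article)
{
    size_t len = strlen(article);
    char *copy = tracked_malloc(len + 1);
    if (!copy)
        return -1;
    memcpy(copy, article, len + 1);

    int rc = headers_well_formed(copy) ? 0 : -1;
    /* ... article would be stored here when rc == 0 ... */
    tracked_free(copy);
    return rc;
}

/* Feeds the same posting through a handler n times and returns how many
 * heap blocks are still held afterwards (0 means no leak). */
long blocks_leaked_after(int (*handler)(const char *), const char *article, int n)
{
    long before = live_allocations;
    for (int i = 0; i < n; i++)
        handler(article);
    return live_allocations - before;
}
```

Running a few thousand rejected postings through `handle_posting_leaky` leaves one block held per posting, which is exactly the steady growth an administrator would see in the service's memory usage during the attack; the fixed handler leaves none.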
What could an attacker do via this vulnerability?
An attacker could repeatedly send malformed news postings to an affected server in order to deplete its pool of available memory. As the server's memory pool was depleted, its performance would gradually slow. If the attack were sustained for a long enough period, the server could potentially be brought to a standstill and be unable to perform useful work.
Does the NNTP service run by default?
The answer varies by operating system.
• Windows NT 4.0 doesn't provide an NNTP service. NNTP support is provided via the Windows NT 4.0 Option Pack, but it does not install by default.
• Windows 2000 Professional doesn't provide an NNTP service.
• Windows 2000 server products do provide an NNTP service, but it is not installed or running by default.
If NNTP is installed and running, is it vulnerable?
Yes. Any NNTP service on Windows NT 4.0 or Windows 2000 that is installed and running is affected until the patch is applied.
Exchange 5.5 and 2000 also offer NNTP services. Are they affected?
Exchange 5.5 is not affected by the vulnerability, as its implementation is independent of the ones in Windows NT 4.0 and Windows 2000 and doesn't contain the memory leak. On the other hand, Exchange 2000 uses the native Windows 2000 NNTP service, so if an Exchange 2000 server has been configured to provide NNTP services, it's affected by the vulnerability.
Would a successful attack via this vulnerability only disrupt NNTP services, or would other services on the system be affected as well?
Because the vulnerability depletes the memory pool that all services on the machine use, a successful attack via the vulnerability would affect the operation of all services on the machine, not just the NNTP service. So, for instance, if the machine also hosted shared files, users might be unable to access them after the machine had been attacked.
Would this vulnerability enable the attacker to gain any privileges on the machine?
No. The sole effect of a successful attack via this vulnerability would be to prevent the server from operating normally. It wouldn't grant any privileges to the attacker, nor would it allow any data to be compromised.
How could an affected server be put back into service?
The server could be returned to normal service by stopping the IIS Admin service (IISAdmin), under which the NNTP service runs, and restarting it. Stopping the IIS Admin service also stops the other IIS services that depend on it, so those would need to be restarted as well.
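The recovery step above, as an added example for this page rather than a procedure from the bulletin. The service names (IISAdmin, NntpSvc, W3SVC) are the Windows 2000 defaults and are assumed here; only the dependent services actually installed on a given machine should be started, and on Windows 2000 `iisreset /restart` performs the same stop-and-start of all IIS services in one step.

```bat
@echo off
rem Added example, not from the bulletin. Restarts the NNTP service after a
rem memory-depletion attack by cycling the IIS Admin service it runs under.
rem Stopping IISAdmin stops its dependents (NntpSvc, W3SVC, and any other IIS
rem services installed), so each one needed must be started again explicitly.
rem Service names assumed: IISAdmin, NntpSvc, W3SVC (Windows 2000 defaults).

net stop iisadmin /y
if errorlevel 1 (
    echo Could not stop the IIS Admin service.
    exit /b 1
)

net start iisadmin
if errorlevel 1 (
    echo Could not restart the IIS Admin service.
    exit /b 1
)

rem Restart the dependents that were taken down with IISAdmin.
net start nntpsvc
net start w3svc
```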
Could this vulnerability be exploited from the Internet?
The vulnerability could be exploited by any user who could send postings to the affected server. If the server accepts postings from the Internet, an Internet user could exploit the vulnerability.
I use Windows NT 4.0 Server, Terminal Server Edition. Could I be affected by this vulnerability?
No. The vehicle by which the NNTP service ships, the Windows NT 4.0 Option Pack, cannot be installed on terminal servers.
I visit news servers frequently from my home computer. Does this vulnerability affect me?
No. It only affects servers that offer NNTP services; it doesn't affect the client machines that visit them.
What does the patch do?
The patch eliminates the vulnerability by causing the NNTP service in Windows NT 4.0 and Windows 2000 to properly deallocate memory after processing a news posting.