Microsoft Security Bulletin MS03-024

Technical description:

Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. The existing Windows NT 4.0 Server security update will install successfully on Windows NT 4.0 Workstation and is officially supported on that operating system version. A security update is now available from Microsoft Product Support Services for customers running Windows 2000 Service Pack 2. Contact Microsoft Product Support Services to obtain the Windows 2000 Service Pack 2 security update

Server Message Block (SMB) is the Internet Standard protocol that Windows uses to share files, printers, serial ports, and to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what's described as a client server request-response protocol.

A flaw exists in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of "instructions." In this case, the server is not properly validating the buffer length established by the packet. If the client specifies a buffer length that is less than what is needed, it can cause the buffer to be overrun.

By sending a specially crafted SMB packet request, an attacker could cause a buffer overrun to occur. If exploited, this could lead to data corruption, system failure, or-in the worst case-it could allow an attacker to run the code of their choice. An attacker would need a valid user account and would need to be authenticated by the server to exploit this flaw.

Mitigating factors: 

Severity Rating: 

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0345 

Tested Versions:

Microsoft tested Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why has Microsoft updated this bulletin?
Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. The existing Windows NT 4.0 Server security update will install successfully on Windows NT 4.0 Workstation and is officially supported on that operating system version. A security update is now available from Microsoft Product Support Services for customers running Windows 2000 Service Pack 2. Contact Microsoft Product Support Services to obtain the Windows 2000 Service Pack 2 security update.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability that could lead to data corruption, system failure or allow an attacker to run the code of their choice.
To successfully exploit this flaw, an attacker would have to first be authenticated by the server. By default, it is not possible to exploit this flaw anonymously.

What causes the vulnerability?
The vulnerability results because of insufficient validation by the system of the buffer size for certain incoming SMB packets. SMB is a client to server based protocol and when the client system sends an SMB command to the server, it should validate the parameters set in the packet and respond accordingly.
In the case of this flaw, the recipient system doesn't validate the buffer size necessary before responding. This could cause a buffer overrun which could lead to data corruption, system failure or allow an attacker to run the code of their choice.

What is SMB?
SMB (Server Message Block)-and its follow-on, Common Internet File System (CIFS)-is the Internet Standard protocol that Windows uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what is described as a client server, request-response protocol.

Does this vulnerability affect CIFS as well?
Common Internet File System (CIFS) is an Internet Standard protocol. The vulnerability described here resides specifically in Microsoft's implementation of the protocol and not the protocol itself.

What's wrong with Microsoft's implementation of the protocol?
There is a flaw in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of "instructions." In this case, the server does not properly validate the buffer length established by the packet. If the client specifies a buffer length less than what is needed, it can cause the buffer to be overrun. This could result in random data being written to memory, which could cause data corruption or system failure, or it could also allow an attacker to run the code of their choice.

What could this vulnerability enable an attacker to do?
If an attacker were able to successfully exploit this vulnerability, they could cause random areas of memory to be overwritten. The resulting effect of this could be data corruption, system failure or allow an attacker to run the code of their choice.

What sort of data would be corrupted?
Essentially, any data in memory could be randomly overwritten. In the worst case, system memory could be overwritten causing the server to fail.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a specifically malformed SMB packet and sending it to the server. The attacker would first require a valid user name and password to be authenticated by the server. By default, there is no means to anonymously exploit this vulnerability.

What does the patch do?
The patch eliminates the vulnerability by implementing proper validation of the parameters set on SMB packets.

Download locations for this patch

Note Customers running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update

Installation platforms:

This patch can be installed on systems running:

•	Windows NT 4.0: The Windows NT 4.0 patch can be installed on systems running Windows NT 4.0 Workstation Service Pack 6a or Windows NT Server 4.0 Service Pack 6a.
•	Windows NT Server 4.0, Terminal Server Edition: The Windows NT Server 4.0, Terminal Server Edition patch can be installed on systems running Windows NT Server 4.0, Terminal Server Edition Service Pack 6.
•	Windows 2000: The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3.
•	Windows XP: The patch for Windows XP can be installed on systems running Windows XP Gold or Windows XP Service Pack 1.

Note Customers running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update

Inclusion in future service packs:

•	The fix for this issue is included in Windows 2000 Service Pack 4.
•	The fix for this issue will be included in Windows XP Service Pack 2.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation: 

•	Windows NT Workstation 4.0 or Windows NT Server 4.0: To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 817606 are present on the system.
•	Windows NT Server 4.0, Terminal Server Edition: To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 817606 are present on the system.
•	Windows 2000: To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q817606. To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q817606\Filelist.
•	Windows XP: • If installed on Windows XP Gold: To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q817606. To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q817606\Filelist. • If installed on Windows XP Service Pack 1: To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q817606. To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q817606\Filelist.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section