search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message

Vulnerability Note VU#567620

Original Release Date: 2003-11-11 | Last Revised: 2003-11-12

Overview

A remotely exploitable vulnerability affects Microsoft Windows Systems. Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.

Description

A buffer overflow vulnerability exists in the Microsoft Workstation service. A remote attacker that can send a specially-crafted network message to the vulnerable system could exploit this vulnerability to execute arbitrary code with system privileges.

According to the Microsoft Bulletin, MS03-049, the following systems are affected:

    • Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
    • Microsoft Windows XP, Microsoft Windows XP Service Pack 1
    • Microsoft Windows XP 64-Bit Edition

According to the Microsoft Bulletin, MS03-049, the following systems are NOT affected:
    • Microsoft Windows NT Workstation 4.0, Service Pack 6a
    • Microsoft Windows NT Server 4.0, Service Pack 6a
    • Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
    • Microsoft Windows Millennium Edition
    • Microsoft Windows XP 64-Bit Edition Version 2003
    • Microsoft Windows Server 2003
    • Microsoft Windows Server 2003 64-Bit Edition

Note that a proof of concept exploit has been posted publicly.

Impact

Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.

Solution

Apply the appropriate update for your system:


As a note in the Microsoft Advisory:

Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).

Note the following mitigation strategies from Microsoft's Advisory:

    • If users have blocked inbound UDP ports 138, 139, 445 and TCP ports 138, 139, 445 by using a firewall an attacker would be prevented from sending messages to the Workstation service. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default.
    • Disabling the Workstation service will prevent the possibility of attack. However there are a number of impacts when performing this workaround. Please see the Workaround section for more details.
    • Only Windows 2000 and Window XP are affected. Other operating systems are not vulnerable to this attack.

Vendor Information

567620
 
Expand all

Microsoft Corporation Affected

Updated:  November 11, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.microsoft.com/technet/security/bulletin/MS03-049.asp.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This issue was reported by eEye Digital Security and published in the monthly Microsoft Security Bulletin.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2003-0812
CERT Advisory: CA-2003-28
Severity Metric: 45.56
Date Public: 2003-11-11
Date First Published: 2003-11-11
Date Last Updated: 2003-11-12 16:00 UTC
Document Revision: 15

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis