Software Engineering Institute

Microsoft Server Service

MS06-040 includes the following information:

The Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.
Microsoft Remote Procedure Call (MS RPC) and Server Message Block (SMB)

RPC provides a mechanism that allows a program to execute a procedure on a remote system in a way that is transparent to the calling program. MS RPC is the Microsoft implementation of RPC. Windows services that use MS RPC may use SMB named pipes as the transport service for MS RPC calls.

The Problem

A stack-based buffer overflow exists in the Microsoft Server service. If a remote attacker sends a specially crafted packet to a vulnerable Windows system, that attacker may be able to trigger the buffer overflow.

Note that we have received reports that this vulnerability is actively being exploited.

More information, including a list of affected versions of Windows, is available in Microsoft Security Bulletin MS06-040. We have confirmed that this vulnerability affects Windows NT4. However, according to Microsoft Security Bulletin MS06-040:

Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.
Windows NT4 users should observe the workarounds below as well as the recommendations in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.

A remote, unauthenticated attacker may be able to execute arbitrary code with SYSTEM privileges.

Apply a patch from Microsoft

Microsoft addresses this vulnerability with the updates listed in Microsoft Security Bulletin MS06-040.

Microsoft has released a new version of Security Bulletin MS06-040 and the associated security updates. The new version corrects the problem described in Microsoft Knowledge Base Article 921883. Programs that request large amounts of contiguous memory running on Windows Server 2003 SP1 and Windows XP Professional x64 Edition systems with the previous version of the MS06-040 update installed could crash.

Until a patch can be applied, the following actions may reduce the chances of exploitation:

Block or Restrict Access

Block access to SMB services (139/tcp, 445/tcp) from untrusted networks such as the Internet.

Restrict anonymous access

Restrict anonymous SMB access. See Microsoft Knowledge Base Article 246261 for information about configuring anonymous access in Windows 2000. Note this will not prevent authenticated users from exploiting this vulnerability, and may have adverse affects in mixed-mode domains. Anonymous SMB access to SAM accounts is restricted in Windows XP and Windows Server 2003 by default.

Other workarounds are available in Microsoft Security Bulletin MS06-040.