Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (MS04-006)
11 Feb. 2004
Summary
A security vulnerability exists in the Windows Internet Naming Service (WINS). This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets. On Windows Server 2003 this vulnerability could allow an attacker who sent a series of specially-crafted packets to a WINS server to cause the service to fail. Most likely, this could cause a denial of service, and the service would have to be manually restarted to restore functionality.
The possibility of a denial of service on Windows Server 2003 results from a security feature that was used in building Windows Server 2003: the compiler-inserted stack buffer overrun check (the /GS stack cookie). This feature detects when an attempt is made to exploit a stack-based buffer overrun and reduces the chance that it can be exploited easily; when it detects an overrun it terminates the process rather than let malicious code run. On Windows Server 2003, an attempt to exploit this buffer overrun therefore triggers the check and terminates the WINS service, which results in a denial of service condition. Because methods may be found in the future to bypass this security feature, which could then enable code execution, customers should apply the update. For more information about these security features, visit the following Web site.
On Windows NT and Windows 2000, the nature of the vulnerability is slightly different. WINS will reject the specially-crafted packet and the attack does not result in a denial of service. The vulnerability on these platforms also does not allow code execution. Microsoft is releasing a security update for these platforms that corrects the vulnerable code as a preventive measure to help protect these platforms in case methods are found in the future to exploit this vulnerability.
Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Download the update
* Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000 Server Service Pack 3, Microsoft Windows 2000 Server Service Pack 4 - Download the update
* Microsoft Windows Server 2003 - Download the update
* Microsoft Windows Server 2003 64-Bit Edition - Download the update
Non Affected Software:
* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
* Microsoft Windows 2000 Professional Service Pack 2, Microsoft Windows 2000 Professional Service Pack 3, Microsoft Windows 2000 Professional Service Pack 4
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003, Microsoft Windows XP 64-Bit Edition Version 2003 Service Pack 1
Mitigating factors:
* The WINS service is not installed by default.
* On Windows Server 2003, WINS automatically restarts if it fails. After the third automatic restart, WINS requires a manual restart to restore functionality.
* On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code. However, on these platforms this issue does not cause a denial of service.
* The vulnerability would not enable an attacker to gain any privileges on an affected system. Under the most likely attack scenario, this issue is strictly a denial of service.
* Firewall best practices and standard default firewall configurations can help protect networks from remote attacks that originate outside the enterprise perimeter. Best practices recommend blocking all ports that are not being used. In most network configurations, the WINS server is not available for connection from over the Internet.
Workarounds:
Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.
1. Block TCP port 42 and UDP port 137 at your firewall.
TCP port 42 is used for WINS replication between servers and UDP port 137 for NetBIOS name service registration and queries; these are the ports used to reach a remote WINS server. Blocking them at the firewall helps prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability. Other ports may later be found that could be used to exploit it; the ports listed are the most common attack vectors. Microsoft recommends blocking all inbound unsolicited communication from the Internet.
2. Remove WINS if you do not need it:
In many organizations, WINS only provides services for legacy systems. If WINS is no longer needed, you could remove it by following this procedure. These steps apply only to Windows 2000 and later. For Windows NT 4.0, follow the procedure that is included in the product documentation.
To configure WINS components and services:
1. In Control Panel, open Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. On the Windows Components Wizard page, under Components, click Networking Services, and then click Details.
4. Click to clear the Windows Internet Naming Service (WINS) check box to remove WINS.
5. Complete the Windows Components Wizard by following the instructions on the screen.
Impact of Workaround:
Many organizations require WINS to perform name registration and name resolution functions on their network. Administrators should not remove WINS unless they fully understand the effect that doing so will have on their network. For more information about WINS, see the WINS product documentation. Also, if an administrator is removing the WINS functionality from a server that will continue to provide shared resources on the network, the administrator must correctly reconfigure the system to use the remaining name resolution services within the local network.
Frequently Asked Questions: What is the scope of the vulnerability?
Under the most likely attack scenario this is a denial of service vulnerability on Windows Server 2003. An attacker who successfully exploited this vulnerability could cause WINS to fail on Windows Server 2003. By default, WINS restarts automatically when it fails in this manner. After the third automatic restart, WINS requires a manual restart to restore functionality. Restarting WINS will allow the service to function correctly. However, WINS would remain vulnerable to another denial of service attack.
On Windows NT and Windows 2000, the nature of the vulnerability is slightly different. WINS will reject the specially-crafted packet and the attack does not result in a denial of service. The vulnerability on these platforms also does not allow code execution. Microsoft is releasing a security update for these platforms that corrects the vulnerable code as a preventive measure to help protect these platforms in case methods are found in the future to exploit this vulnerability.
What causes the vulnerability?
This vulnerability exists because of the method that WINS uses to validate the length of specially-crafted packets.
The possibility of a denial of service on Windows Server 2003 results from a security feature that was used in building Windows Server 2003: the compiler-inserted stack buffer overrun check (the /GS stack cookie). This feature detects when an attempt is made to exploit a stack-based buffer overrun and reduces the chance that it can be exploited easily; when it detects an overrun it terminates the process rather than let malicious code run. On Windows Server 2003, an attempt to exploit this buffer overrun therefore triggers the check and terminates the WINS service, which results in a denial of service condition. Because methods may be found in the future to bypass this security feature, which could then enable code execution, customers should apply the update. For more information about these security features, visit the following Web site.
What is the Windows Internet Naming Service?
The Windows Internet Name Service (WINS) maps IP addresses to NetBIOS computer names and vice versa. By using WINS servers, individuals can search for resources by computer name instead of by IP address. The benefits of WINS include:
* Reduces NetBIOS-based broadcast traffic on subnets by permitting clients to query WINS servers to locate remote systems.
* Supports earlier Windows and NetBIOS-based clients on the network by permitting them to browse lists for remote Windows domains without requiring a local domain controller on each subnet.
* Supports Domain Name System (DNS) based clients by enabling those clients to locate NetBIOS resources when WINS lookup integration is implemented.
For more information about WINS, see the WINS product documentation.
What might an attacker use the vulnerability to do?
The vulnerability, if exploited, could allow an attacker to cause WINS on Windows Server 2003 to stop responding to all requests. On Windows NT 4.0 and Windows 2000 WINS will reject the specially-crafted packet and the attack does not result in a denial of service.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted message to WINS on an affected server could attempt to exploit this vulnerability. Any user who could establish a connection with an affected system by using the affected ports could attempt to exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a specially-crafted network message and by sending the message to the affected system. On Windows Server 2003, receipt of such a message could cause the service to fail causing a denial of service.
An attacker could also reach the affected component through another vector, such as by logging on to the system interactively or by using another application that passes parameters to the vulnerable component (locally or remotely).
What systems are primarily at risk from the vulnerability?
Only Windows systems that have been configured as WINS servers are vulnerable. Windows NT 4.0 Workstation, Windows 2000 Professional, and Windows XP cannot be configured as WINS servers; therefore, these operating systems are not affected by this vulnerability.
What does the update do?
The update eliminates the vulnerability by changing the method that WINS uses to validate the length of a message before copying the message into the allocated buffer.
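The length-validation flaw described under "What causes the vulnerability?" and the fix described above, illustrated with a small C parser added here as an example. This is not WINS code: the record layout (a one-byte declared length followed by name bytes), the 16-byte buffer, the cookie value and the sample packets are all constructed for the demonstration. The unchecked parser trusts the length field in the packet and overruns a fixed buffer into a stand-in for the /GS stack cookie, which is what turns an exploit attempt into termination of the service on Windows Server 2003; the checked parser validates the declared length against the destination buffer and rejects the record instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record format for illustration only (not the WINS wire format):
 *   byte 0     : declared length of the name field
 *   bytes 1..N : name bytes
 */
#define NAME_BUF   16                 /* fixed-size buffer the name is copied into */
#define COOKIE_LEN 4                  /* stand-in for the /GS stack cookie above it */
#define FRAME_LEN  (NAME_BUF + COOKIE_LEN)

/* Constructed cookie value; a real /GS cookie is randomised per process. */
static const uint8_t COOKIE[COOKIE_LEN] = { 0xC0, 0xDE, 0xFE, 0xED };

/* Lay out a fresh "stack frame": name buffer followed by the cookie. */
void frame_init(uint8_t frame[FRAME_LEN]) {
    memset(frame, 0, NAME_BUF);
    memcpy(frame + NAME_BUF, COOKIE, COOKIE_LEN);
}

/* The /GS epilogue check: 1 if the cookie is intact, 0 if it was clobbered
 * (in which case the real runtime terminates the process). */
int frame_cookie_intact(const uint8_t frame[FRAME_LEN]) {
    return memcmp(frame + NAME_BUF, COOKIE, COOKIE_LEN) == 0;
}

/* Vulnerable pattern: the length comes from the packet and is used directly. */
int parse_name_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t frame[FRAME_LEN]) {
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (len > pkt_len - 1) return -1;        /* malformed: shorter than it claims */
    /* Demo guard only: a real overrun keeps writing past the frame. Clamp so the
     * demonstration stays inside frame[] while still smashing the cookie. */
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(frame, pkt + 1, len);             /* never compared against NAME_BUF */
    return (int)len;
}

/* Hardened pattern: validate the declared length against the destination
 * buffer before copying, which is what the update does in spirit. */
int parse_name_checked(const uint8_t *pkt, size_t pkt_len, uint8_t frame[FRAME_LEN]) {
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (len > pkt_len - 1) return -1;
    if (len > NAME_BUF) return -1;           /* reject instead of overrunning */
    memcpy(frame, pkt + 1, len);
    return (int)len;
}

/* Run one packet through a parser: 1 = parsed and cookie intact,
 * 0 = parsed but cookie smashed (service would be terminated), -1 = rejected. */
int process_packet(int (*parser)(const uint8_t *, size_t, uint8_t *),
                   const uint8_t *pkt, size_t pkt_len) {
    uint8_t frame[FRAME_LEN];
    frame_init(frame);
    if (parser(pkt, pkt_len, frame) < 0) return -1;
    return frame_cookie_intact(frame) ? 1 : 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_PKT[] = { 8, 'S', 'E', 'R', 'V', 'E', 'R', '0', '1' };
static uint8_t BAD_PKT[1 + FRAME_LEN];   /* declares 20 bytes: 16 of name + 4 over the cookie */

size_t build_bad_packet(void) {
    BAD_PKT[0] = FRAME_LEN;
    memset(BAD_PKT + 1, 'A', FRAME_LEN);
    return sizeof BAD_PKT;
}

int main(void) {
    size_t bad_len = build_bad_packet();
    printf("unchecked, good packet: %d\n", process_packet(parse_name_unchecked, GOOD_PKT, sizeof GOOD_PKT));
    printf("unchecked, bad packet : %d\n", process_packet(parse_name_unchecked, BAD_PKT, bad_len));
    printf("checked,   bad packet : %d\n", process_packet(parse_name_checked, BAD_PKT, bad_len));
    return 0;
}
```

The clamp in the unchecked parser exists only to keep the example's write inside its own array; in the real service the copy continues past the cookie, which is why the page describes the outcome on Windows Server 2003 as the service being terminated rather than a clean rejection. The checked parser shows the cheaper and correct alternative: compare the declared length with the destination size before the copy and drop the record when it does not fit.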