Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name Validation, Association Context)
15 Dec. 2004
Summary
This update resolves several newly-discovered, public and privately reported vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
Non-Affected Software:
* Microsoft Windows 2000 Professional Service Pack 3 and Microsoft Windows 2000 Professional Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Name Validation Vulnerability:
A remote code execution vulnerability exists in WINS because of the way that it handles computer name validation. An attacker could exploit the vulnerability by constructing a malicious network packet that could potentially allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Name Validation Vulnerability:
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
* By default, WINS is not installed on Windows NT Server 4.0, on Windows NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows Server 2003. By default, WINS is installed and running on Microsoft Small Business Server 2000 and on Microsoft Windows Small Business Server 2003.
* However, by default, on all versions of Microsoft Small Business Server, the WINS component communication ports are blocked from the Internet and WINS is available only on the local network.
* On Windows Server 2003, attempts to exploit this vulnerability would most likely result in a denial of service. The WINS service automatically restarts if it fails. After the third automatic restart, WINS requires a manual restart to restore functionality.
Workarounds for Name Validation Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
* Block TCP port 42 and UDP port 42 at your firewall.
These ports are used to initiate a connection with a remote WINS server. Blocking these ports at the firewall will help prevent systems that are behind that firewall from being attacked by attempts to exploit this vulnerability. It is possible that other ports may be found that could be used to exploit this vulnerability. The ports that are listed are the most common attack vectors. We recommend blocking all inbound unsolicited communication from the Internet.
* Remove WINS if you do not need it.
In many organizations, WINS only provides services for legacy systems. If WINS is no longer needed, you could remove it by following this procedure. These steps apply only to Windows 2000 and later versions. For Windows NT 4.0, follow the procedure that is included in the product documentation.
To configure WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click Networking Services, and then click Details.
5. Click to clear the Windows Internet Naming Service (WINS) check box to remove WINS.
6. Complete the Windows Components Wizard by following the instructions on the screen.
Impact of Workaround:
Many organizations require WINS to perform name registration and name resolution functions on their network. Administrators should not remove WINS unless they fully understand the effect that doing this will have on their network. For more information about WINS, see the WINS product documentation. Also, if an administrator is removing the WINS functionality from a server that will continue to provide shared resources on the network, the administrator must correctly reconfigure the system to use the remaining name resolution services within the local network.
* On Windows 2000 Server and Windows Server 2003, use IPSec communication to secure traffic between WINS server replication partners.
Use Internet Protocol Security (IPSec) to help protect network communications. For detailed information about how to use IPSec to help protect WINS from this issue, see Microsoft Knowledge Base Article 890710.
Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.
Impact of Workaround:
If you set up IPSec incorrectly, you may cause serious WINS replication problems on your corporate network. For additional information about IPSec security considerations, visit the following Microsoft Web site.
FAQ for Name Validation Vulnerability: What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
On Windows Server 2003, the most likely attack scenario is a denial of service. An attacker who successfully exploited this vulnerability could cause WINS to fail on Windows Server 2003. On Windows Server 2003, WINS restarts automatically when it fails. After the third automatic restart, WINS requires a manual restart to restore functionality. Restarting WINS allows the service to function correctly. However, WINS could remain vulnerable to another denial of service attack.
What causes the vulnerability?
An unchecked buffer in the method that WINS uses to validate the Name value in a specially-crafted packet.
The possibility of a denial of service on Windows Server 2003 results from the presence of a security feature that was used in the development of Windows Server 2003. This security feature detects when an attempt is made to exploit a stack-based buffer overrun and reduces the chance that it can be easily exploited. This security feature can be forced to terminate the service to prevent malicious code execution. On Windows Server 2003, when an attempt is made to exploit the buffer overrun, the security feature reacts and terminates the service. This results in a denial of service condition of WINS. Because it is possible that methods may be found in the future to bypass this security feature, which could then enable code execution, customers should apply the update. For more information about these security features, visit the following Web site.
What is the Windows Internet Naming Service?
The Windows Internet Naming Service (WINS) maps IP addresses to NetBIOS computer names and vice versa. By using WINS servers, individuals can search for resources by computer name instead of by IP address. The benefits of WINS include the following:
* Reduces NetBIOS-based broadcast traffic on subnets by permitting clients to query WINS servers to locate remote systems.
* Supports earlier Windows and NetBIOS-based clients on the network by permitting them to browse lists for remote Windows domains without requiring a local domain controller on each subnet.
* Supports Domain Name System (DNS)-based clients by enabling those clients to locate NetBIOS resources when WINS lookup integration is implemented.
For more information about WINS, see the WINS product documentation.
How do I know if I use WINS on my server?
By default, WINS is not installed on Windows NT Server 4.0, on Windows NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows Server 2003. By default, WINS is installed and running on Microsoft Small Business Server 2000 and on Microsoft Windows Small Business Server 2003. You can determine if WINS is installed by following this procedure. These steps apply only to Windows 2000 and later versions. For Windows NT 4.0, follow the procedure that is included in the product documentation.
To verify WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click Networking Services, and then click Details.
5. The Windows Internet Naming Service (WINS) check box indicates if WINS is installed.
6. Click Cancel several times to exit Add/Remove Windows Components.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system. The vulnerability, if exploited, could allow an attacker to cause WINS on Windows Server 2003 to stop responding to all requests.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted message to WINS on an affected server could attempt to exploit this vulnerability. Any user who could establish a connection with an affected system by using the affected ports could attempt to exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by creating a specially-crafted network message and sending the message to the affected system. On Windows Server 2003, receipt of such a message could cause the service to fail, causing a denial of service.
What systems are primarily at risk from the vulnerability?
Only Windows systems that have been configured as WINS servers are vulnerable. Windows 2000 Professional and Windows XP cannot be configured as WINS servers. Therefore, these operating systems are not affected by this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update eliminates the vulnerability by changing the method that WINS uses to validate the name value before it passes the value to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
How does this vulnerability relate to the WINS Vulnerability that is corrected by MS04-006?
Both vulnerabilities were in WINS. However, this update addresses a new vulnerability that was not addressed as part of MS04-006. MS04-006 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update replaces MS04-006. You may install this update to help protect your system against both vulnerabilities.
Association Context Vulnerability:
A remote code execution vulnerability exists in WINS because of the way that it handles association context validation. An attacker could exploit the vulnerability by constructing a malicious network packet that could potentially allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, attempts to exploit this vulnerability would most likely result in a denial of service on Windows Server 2003. The service would have to be restarted to restore functionality.
Mitigating Factors for Association Context Vulnerability:
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
* By default, WINS is not installed on Windows NT Server 4.0, on Windows NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows Server 2003. By default, WINS is installed and running on Microsoft Small Business Server 2000 and on Microsoft Windows Small Business Server 2003.
* However, by default, on all versions of Microsoft Small Business Server, the WINS component communication ports are blocked from the Internet and WINS is available only on the local network.
* On all affected operating systems, attempts to exploit this vulnerability would most likely result in a denial of service. On Windows Server 2003, the WINS service automatically restarts if it fails. After the third automatic restart, WINS requires a manual restart to restore functionality.
Workarounds for Association Context Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
* Block TCP port 42 and UDP port 42 at your firewall.
These ports are used to initiate a connection with a remote WINS server. Blocking these ports at the firewall will help prevent systems that are behind that firewall from being attacked by attempts to exploit this vulnerability. It is possible that other ports may be found that could be used to exploit this vulnerability. The ports that are listed are the most common attack vectors. We recommend blocking all inbound unsolicited communication from the Internet.
* Remove WINS if you do not need it.
In many organizations, WINS only provides services for legacy systems. If WINS is no longer needed, you could remove it by following this procedure. These steps apply only to Windows 2000 and later versions. For Windows NT 4.0, follow the procedure that is included in the product documentation.
To configure WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click Networking Services, and then click Details.
5. Click to clear the Windows Internet Naming Service (WINS) check box to remove WINS.
6. Complete the Windows Components Wizard by following the instructions on the screen.
Impact of Workaround:
Many organizations require WINS to perform name registration and name resolution functions on their network. Administrators should not remove WINS unless they fully understand the effect that doing this will have on their network. For more information about WINS, see the WINS product documentation. Also, if an administrator is removing the WINS functionality from a server that will continue to provide shared resources on the network, the administrator must correctly reconfigure the system to use the remaining name resolution services within the local network.
* On Windows 2000 Server and Windows Server 2003, use IPSec communication to secure traffic between WINS server replication partners.
Use Internet Protocol Security (IPSec) to help protect network communications. For detailed information about how to use IPSec to help protect WINS from this issue, see Microsoft Knowledge Base Article 890710 (http://support.microsoft.com/kb/890710).
Detailed information about IPSec and how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.
Impact of Workaround:
If you set up IPSec incorrectly, you may cause serious WINS replication problems on your corporate network. For additional information about IPSec security considerations, visit the following Microsoft Web site.
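The two workarounds above (block port 42 at the firewall; restrict WINS traffic to replication partners with IPSec) both reduce to one question a defender can check in firewall logs: is anything other than a known replication partner reaching TCP/UDP 42 on a WINS server? The script below is an added example, not part of the bulletin; the log line format, addresses and partner list are constructed for the example and the parser should be adapted to your firewall's export format.

```python
"""Audit firewall logs for WINS traffic (TCP/UDP port 42) that does not come
from a configured replication partner. Log format, addresses and the partner
list are constructed for this example (not a Windows log format)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

WINS_PORT = 42  # WINS replication/registration port named in the bulletin


def parse_line(line: str) -> Optional[Tuple[str, str, int, str, int]]:
    """Parse a constructed line: '<ts> <proto> <src>:<sport> -> <dst>:<dport> <action>'.
    Returns (proto, src, sport, dst, dport), or None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src, sport = parts[2].rsplit(":", 1)
        dst, dport = parts[4].rsplit(":", 1)
        return parts[1].upper(), src, int(sport), dst, int(dport)
    except ValueError:
        return None


def audit_wins_traffic(lines: Iterable[str], partners: Iterable[str],
                       internal_nets: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (proto, src, dst, reason) for every flow to port 42 whose source
    is not a replication partner. Sources outside internal_nets are flagged as
    Internet exposure; internal non-partner sources as unexpected clients."""
    partner_ips = {ipaddress.ip_address(p) for p in partners}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, _sport, dst, dport = parsed
        if dport != WINS_PORT or proto not in ("TCP", "UDP"):
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed source address; not a usable flow record
        if src_ip in partner_ips:
            continue  # expected replication traffic
        inside = any(src_ip in n for n in nets)
        reason = "unexpected internal source" if inside else "Internet-exposed WINS port"
        findings.append((proto, src, dst, reason))
    return findings


# Constructed sample log: one partner flow, one Internet flow, one internal
# non-partner flow, one non-WINS flow and one unparsable line.
SAMPLE_LOG = [
    "2004-12-15T10:01:02 TCP 192.0.2.11:1045 -> 192.0.2.10:42 ALLOW",
    "2004-12-15T10:01:05 TCP 203.0.113.7:51234 -> 192.0.2.10:42 ALLOW",
    "2004-12-15T10:01:09 UDP 10.20.30.40:1025 -> 192.0.2.10:42 ALLOW",
    "2004-12-15T10:01:12 TCP 203.0.113.7:51235 -> 192.0.2.10:445 ALLOW",
    "garbage line",
]
PARTNERS = ["192.0.2.11"]            # constructed replication partner
INTERNAL = ["192.0.2.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    for finding in audit_wins_traffic(SAMPLE_LOG, PARTNERS, INTERNAL):
        print(*finding)
```

Any "Internet-exposed WINS port" finding means the port 42 block is not in place; any "unexpected internal source" finding is a host the IPSec policy between replication partners should be excluding.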
FAQ for Association Context Vulnerability: What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. On Windows Server 2003, the most likely attack scenario is a denial of service. On Windows Server 2003, WINS restarts automatically when it fails. After the third automatic restart, WINS requires a manual restart to restore functionality. Restarting WINS allows the service to function correctly. However, WINS would remain vulnerable to another denial of service attack.
What causes the vulnerability?
The method used by WINS to validate association context data.
What is the Windows Internet Naming Service?
The Windows Internet Naming Service (WINS) maps IP addresses to NetBIOS computer names and vice versa. By using WINS servers, individuals can search for resources by computer name instead of by IP address. The benefits of WINS include the following:
* Reduces NetBIOS-based broadcast traffic on subnets by permitting clients to query WINS servers to locate remote systems.
* Supports earlier Windows and NetBIOS-based clients on the network by permitting them to browse lists for remote Windows domains without requiring a local domain controller on each subnet.
* Supports Domain Name System (DNS)-based clients by enabling those clients to locate NetBIOS resources when WINS lookup integration is implemented.
For more information about WINS, see the WINS product documentation.
How do I know if I use WINS on my server?
By default, WINS is not installed on Windows NT Server 4.0, on Windows NT Server 4.0 Terminal Server Edition, on Windows 2000 Server, or on Windows Server 2003. By default, WINS is installed and running on Microsoft Small Business Server 2000 and on Microsoft Windows Small Business Server 2003. You can determine if WINS is installed by following this procedure. These steps apply only to Windows 2000 and later versions. For Windows NT 4.0, follow the procedure that is included in the product documentation.
To verify WINS components and services:
1. Click Start, and then click Control Panel, open Add or Remove Programs.
2. In the default Category View, click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. On the Windows Components Wizard page, under Components, click Networking Services, and then click Details.
5. The Windows Internet Naming Service (WINS) check box indicates if WINS is installed.
6. Click Cancel several times to exit Add/Remove Windows Components.
What is the association context?
The association context is a data structure that WINS maintains to store connection information about WINS replication partners.
What is wrong with the way that WINS validates the association context?
It is possible for an attacker to send a specially-crafted packet that has invalid association context data. WINS uses this data without completely validating it. This leads to a condition that most likely results in the WINS service failing.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system. However, the most likely result is that an attacker could cause WINS on Windows Server 2003 to stop responding to all requests.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted message to WINS on an affected server could attempt to exploit this vulnerability. Any user who could establish a connection with an affected system by using the affected ports could attempt to exploit this vulnerability.
How could an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by creating a specially-crafted network message and sending the message to the affected system. Receipt of such a message would most likely cause the service to fail, causing a denial of service.
What systems are primarily at risk from the vulnerability?
Only Windows systems that have been configured as WINS servers are vulnerable. Windows 2000 Professional and Windows XP cannot be configured as WINS servers. Therefore, these operating systems are not affected by this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update eliminates the vulnerability by changing the method that WINS uses to validate the association context before use.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerabilities and Exposures number CAN-2004-1080. However, Microsoft also received information about this vulnerability through responsible disclosure, and that researcher has received acknowledgment in this security bulletin.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
Does applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerabilities and Exposures number CAN-2004-1080.
How does this vulnerability relate to the WINS Vulnerability that is corrected by MS04-006?
Both vulnerabilities were in WINS. However, this update addresses a new vulnerability that was not addressed as part of MS04-006. MS04-006 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update replaces MS04-006. You may install this update to help protect your system against both vulnerabilities.