Date Discovered 17 March 2003
Description The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
Block external access at the network boundary, unless external parties require service. Block access to services at the edge of the network if they are not required by external users.
Deploy network intrusion detection systems to monitor network traffic for malicious activity. Exploitation attempts may be captured by IDS logs. Examine logs regularly for signs of attempted exploitation.
Remove any unnecessary default programs that operate with privileges.
Remove any IIS components that are not absolutely required to operate the webserver.
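The log review recommended above can be partly automated. The following is an added example, not part of this advisory or of Microsoft's guidance: it reads IIS W3C extended logs and flags requests with unusually long URIs, rating WebDAV methods higher. It assumes the c-ip, cs-method, cs-uri-stem and sc-status fields are logged; the 1024-character threshold and the sample log lines are constructed for illustration.

```python
# Added example: triage IIS W3C extended logs for oversized request paths,
# with WebDAV methods rated higher. Threshold and log lines are constructed.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 1024  # assumed tuning value, not taken from the advisory

SAMPLE_LOG = "\n".join([  # constructed sample, documentation IP ranges
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-03-18 10:01:02 192.0.2.10 GET /default.htm 200",
    "2003-03-18 10:01:05 192.0.2.10 PROPFIND /docs/ 207",
    "2003-03-18 10:02:11 198.51.100.7 SEARCH /" + "A" * 3000 + " 500",
    "2003-03-18 10:02:12 198.51.100.7 LOCK /" + "A" * 3000 + " 500",
    "2003-03-18 10:03:40 203.0.113.5 GET /" + "b" * 2000 + " 404",
])

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(text, max_len=MAX_URI_LEN):
    """Return (findings, webdav_by_ip).

    findings: (severity, client, method, uri_length, status) for long URIs.
    webdav_by_ip: count of WebDAV requests per client, to show who uses it.
    """
    findings, webdav_by_ip = [], {}
    for row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        uri_len = len(row.get("cs-uri-stem", ""))
        ip = row.get("c-ip", "-")
        is_dav = method in WEBDAV_METHODS
        if is_dav:
            webdav_by_ip[ip] = webdav_by_ip.get(ip, 0) + 1
        if uri_len > max_len:
            severity = "high" if is_dav else "review"
            findings.append((severity, ip, method, uri_len, row.get("sc-status")))
    return findings, webdav_by_ip

if __name__ == "__main__":
    found, clients = triage(SAMPLE_LOG)
    for item in found:
        print(item)
    print("WebDAV requests per client:", clients)
```

If the per-client WebDAV counts show no legitimate users, that supports removing the component as recommended above.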
Some reports indicate that the Microsoft patches for this issue may cause problems. It is not known if this is the result of the patches conflicting with certain configurations. Administrators are advised to apply workaround procedures if problems are experienced after applying the patch.
Microsoft has updated the bulletin with information regarding possible sources of conflicts with this patch. For precise details, see the Caveats section under Additional information about this patch in the Microsoft Security Bulletin.
Microsoft has released a new revision of the advisory which contains patches for Windows XP.
Microsoft has released fixes:
Credits Announced by the vendor.
Copyright © Symantec Corporation.