1. /
  2. Security Response/
  3. Microsoft Windows WINS Name Value Handling Remote Buffer Overflow Vulnerability

Microsoft Windows WINS Name Value Handling Remote Buffer Overflow Vulnerability

Risk

High

Date Discovered

December 14, 2004

Description

The WINS server contains a buffer-overflow vulnerability that can allow attackers to corrupt WINS process memory. The issue occurs because the software fails to perform sufficient boundary checks on computer 'name' data that is handled during a WINS transaction. Ultimately, a WINS client may exploit this issue remotely to execute arbitrary code with SYSTEM-level privileges on a target WINS server. The service may be exposed via TCP/UDP port 42 by default, but the vendor has stated that other attack vectors may exist (though none are known at this time).

Technologies Affected

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows NT Enterprise Server 4.0
  • Microsoft Windows NT Enterprise Server 4.0 SP1
  • Microsoft Windows NT Enterprise Server 4.0 SP2
  • Microsoft Windows NT Enterprise Server 4.0 SP3
  • Microsoft Windows NT Enterprise Server 4.0 SP4
  • Microsoft Windows NT Enterprise Server 4.0 SP5
  • Microsoft Windows NT Enterprise Server 4.0 SP6
  • Microsoft Windows NT Enterprise Server 4.0 SP6a
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0
  • Microsoft Windows NT Terminal Server 4.0 SP1
  • Microsoft Windows NT Terminal Server 4.0 SP2
  • Microsoft Windows NT Terminal Server 4.0 SP3
  • Microsoft Windows NT Terminal Server 4.0 SP4
  • Microsoft Windows NT Terminal Server 4.0 SP5
  • Microsoft Windows NT Terminal Server 4.0 SP6
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2003 Web Edition SP1 Beta 1

Recommendations

Block external access at the network boundary, unless external parties require service.

Deploy network access controls to regulate network traffic from untrusted or external networks and hosts. This may include blocking external access to the WINS service, which listens on TCP/UDP port 42 by default.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Deploy network intrusion detection systems to monitor network traffic for signs of suspicious or anomalous activity. This may aid in detecting attacks as well as help in detecting malicious activities that are performed as a result of exploitation.
Microsoft has released updates to address this vulnerability in supported versions of the Windows operating system.

Credits

This vulnerability was reported to Microsoft by Kostya Kortchinsky.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Threat Intelligence

Subscribe
Follow the Threat Intelligence Twitter feed
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver