1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. OS Attack: MS ASN1 Integer TCP Overflow CVE-2003-0818

OS Attack: MS ASN1 Integer TCP Overflow CVE-2003-0818

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempts to exploit an integer overflow in Microsoft's Abstract Syntx Notation1.

Additional Information

Microsoft Windows Abstract Syntax Notation 1 (ASN.1) handling Library (MSASN1.dll) is shipped as a part of the Microsoft Windows Operating System. The MSASN1 library provides an application programmer's interface for Microsoft ASN.1 encoding/decoding and processing functions.

Microsoft ASN.1 handling library has been reported prone to an integer overflow vulnerability that may result in arbitrary heap-based memory corruption. The issue presents itself in the ASN.1 BER decoding/encoding routines, specifically in the ASN1BERDecBitString() function. ASN1BERDecBitString() handles constructed bit strings by concatenating each of the simple bit strings that comprise the compound one. The integer overflow occurs when a bit string is processed and the number of bits in the bit string is added to the cumulative total as follows:
lea eax, [ecx+eax+7]

This may provide a conduit for an attacker to trigger a boundary condition error. When the first bit string processed by ASN1BERDecBitString possesses a specified signed length of 0xfffffff9(-7), then the aforementioned arithmetic (ecx+eax+7) sums the accumulated bits (0) with the signed length of the bit string (-7). The rounding value (+7) is then added to the total. This will result in a total assigned length of zero.

It has been reported that this value is then further processed by the DecMemReAlloc() function call, and ultimately results in a zero-byte chunk being allocated on the heap. The original bit string lengths are passed to the function ASN1bitcpy(). This function later performs a memcpy() operation to copy supplied bit string data into the zero-byte allocated heap based buffer. This operation will result in the corruption of heap based management structures, and may ultimately be leveraged by an attacker to have arbitrary code executed in the context of the affected process.

This vulnerability is exposed in a number of security related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled and NTLMv2 authentication (via TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. Client applications which use the library will be affected, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL). The vulnerable library is used frequently in components that handle certificates such as Internet Explorer and Outlook. Handling of signed ActiveX components could also present an exposure.

It should be noted that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result not easily detectable.

This vulnerability was originally covered in BID 9626, but further information has been made available which identifies a number of distinct vulnerabilities in the library and so this specific issue has been assigned an individual BID.

Affected

  • Adobe Acrobat 5.0, 5.0.5, 6.0
  • Altova xmlspy Enterprise Edition 2004, 2004 R2
  • Altova xmlspy Home Edition 2004, 2004 R2
  • Altova xmlspy Professional Edition 2004, 2004 R2
  • AOL Instant Messenger 5.0.2938, 5.1.3036, 5.2.3292, 5.5.3415 Beta
  • Intuit Quicken 2003
  • Intuit TurboTax 2003
  • JASC Software PaintShop Pro 5.0, 5.0 1, 5.0 3, 6.0, 6.0 1, 6.0 2, 7.0, 7.0 1, 7.0 2, 7.0 4, 8.0, 8.0 1, 8.10
  • Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6
  • Microsoft Windows NT Workstation 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional SP1
  • Musicmatch Inc. Musicmatch Jukebox 8.0, 8.1, 8.2
  • Van Dyke Technologies SecureCRT 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5
  • Yahoo! Messenger 5.5, 5.5.1249, 5.6, 5.6.0.1347, 5.6.0.1351, 5.6.0.1355, 5.6.0.1356, 5.6.0.1358

Response

It has been alleged that an official patch to address this issue in Microsoft Windows 98 systems is available to customers who possess a current support contract with Microsoft. Customers are advised to contact their relative Microsoft TAM, in order to obtain a relevant patch.

Microsoft has released a security update (MS04-007) to address this issue in affected versions of Microsoft Windows. Users are strongly advised to obtain fixes as soon as possible.


Microsoft Windows 2000 Advanced ServerSP2:
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 Advanced ServerSP3:
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 Advanced ServerSP4:
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 ProfessionalSP2 :
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 ProfessionalSP3 :
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 ProfessionalSP4:
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 ServerSP2:
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 ServerSP3:
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows 2000 ServerSP4 :
Microsoft Upgrade Security Update for Windows 2000: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows NT Server 4.0SP6a:
Microsoft Upgrade Security Update for Windows NT Server 4.0: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=E8315430-90CD-4B20-8F54-58527932B588&displaylang=en

Microsoft Windows NT Terminal Server 4.0SP6:
Microsoft Upgrade Security Update for Windows NT Server Terminal Server Edition: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=D83B39D3-FF13-4D0B-B406-A225AED0D659&displaylang=en

Microsoft Windows NT Workstation 4.0SP6a:
Microsoft Upgrade Security Update for Windows NT Workstation 4.0: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=92400199-B3D5-4826-98D4-F134849F5249&displaylang=en

Microsoft Windows Server 2003 Datacenter Edition:
Microsoft Upgrade Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en

Microsoft Windows Server 2003 Datacenter Edition 64-bit:
Microsoft Upgrade Security Upd for Windows Server 2003 64-bit Edition/Windows XP 64-bit Edition Version 2003:KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition:
Microsoft Upgrade Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition 64-bit:
Microsoft Upgrade Security Upd for Windows Server 2003 64-bit Edition/Windows XP 64-bit Edition Version 2003:KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en

Microsoft Windows Server 2003 Standard Edition :
Microsoft Upgrade Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en

Microsoft Windows Server 2003 Web Edition:
Microsoft Upgrade Security Update for Windows Server 2003: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en

Microsoft Windows XP 64-bit Edition:
Microsoft Upgrade Security Update for Windows XP 64-Bit Edition: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=383C397F-9318-4AD5-9C2C-0577118A1E68&displaylang=en

Microsoft Windows XP 64-bit EditionSP1:
Microsoft Upgrade Security Update for Windows XP 64-Bit Edition: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=383C397F-9318-4AD5-9C2C-0577118A1E68&displaylang=en

Microsoft Windows XP 64-bit Edition Version 2003:
Microsoft Upgrade Security Upd for Windows Server 2003 64-bit Edition/Windows XP 64-bit Edition Version 2003:KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en

Microsoft Windows XP 64-bit Edition Version 2003SP1:
Microsoft Upgrade Security Upd for Windows Server 2003 64-bit Edition/Windows XP 64-bit Edition Version 2003:KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en

Microsoft Windows XP Home:
Microsoft Upgrade Security Update for Windows XP: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE-48E9-ACD0-1343D89CCBBA&displaylang=en

Microsoft Windows XP HomeSP1:
Microsoft Upgrade Security Update for Windows XP: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE-48E9-ACD0-1343D89CCBBA&displaylang=en

Microsoft Windows XP Professional:
Microsoft Upgrade Security Update for Windows XP: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE-48E9-ACD0-1343D89CCBBA&displaylang=en

Microsoft Windows XP ProfessionalSP1:
Microsoft Upgrade Security Update for Windows XP: KB828028
http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE-48E9-ACD0-1343D89CCBBA&displaylang=en
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube