OS Attack: MS RPC Network DDE CVE-2004-0206

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to overflow a buffer in the NetDDE service by sending an unusually large request.

Additional Information

Microsoft Windows NetDDE is affected by a remote buffer overflow vulnerability. This issue is due to a failure of the application to properly verify the lengths of strings contained within unspecified network messages prior to copying them into finite buffers.

It should be noted that NetDDE is not activated by default on Windows computers.

An attacker may leverage this issue to execute arbitrary code on an affected computer with SYSTEM privileges. In some circumstances, where NetDDE services have been installed but not started, local attackers might also exploit this issue to gain elevated privileges, since it may be possible for an unprivileged user to start the services.

The Microsoft Windows Network Dynamic Data Exchange (NetDDE) service is designed to facilitate communication between applications over a network. This technology has been replaced by the Distributed Component Object Model (DCOM) and is present on Windows computers to support legacy software; as such it is not enabled by default.

The problem presents itself when the affected service receives a malicious network message. Apparently, the process attempts to parse the malicious message and fails, facilitating the buffer overflow. The information currently available is insufficient to provide a more in-depth technical description. This BID will be updated as more details are released.

Affected

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya Modular Messaging (MSS) 1.1, 2.0
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
  • Microsoft Windows NT 4.0, 4.0 alpha, 4.0 SP1, 4.0 SP1 alpha, 4.0 SP2, 4.0 SP2 alpha, 4.0 SP3, 4.0 SP3 alpha, 4.0 SP4, 4.0 SP4 alpha, 4.0 SP5, 4.0 SP5 alpha, 4.0 SP6, 4.0 SP6 alpha, 4.0 SP6a, 4.0 SP6a alpha
  • Microsoft Windows NT Enterprise Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0, 4.0 alpha, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Media Center Edition SP1
  • Microsoft Windows XP Professional SP1

Response

Microsoft has released a bulletin that includes fixes to address this issue for supported versions of the operating system.

Workarounds:
This issue can be eliminated by disabling NetDDE services through Administrative Tools and Group Policy settings. See the referenced Microsoft Security Bulletin for more information.