● Overflow in Windows Workstation Service - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: hellsolaris (qq), 信区: Security
标题: Overflow in Windows Workstation Service
发信站: 荔园晨风BBS站 (Sun Nov 16 19:32:34 2003)

CERT® Advisory CA-2003-28 Buffer Overflow in Windows Workstation Service

Original release date: November 11, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected
Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
Microsoft Windows XP
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition

Overview
A buffer overflow vulnerability exists in Microsoft's Windows Workstation Serv
ice (WKSSVC.DLL).

A remote attacker could exploit this vulnerability to execute arbitrary code o
r cause a denial of service.

I. Description
Microsoft's Security Bulletin MS03-049 discusses a buffer overflow in Microsof
t's Workstation Service that can be exploited via a specially crafted network
message.

According to the eEye Digital Security Advisory AD20031111, the vulnerability
is caused by a flaw in the network management functions of the DCE/RPC service
and a logging function implemented in Workstation Service (WKSSVC.DLL). Vario
us RPC functions will permit the passing of long strings to the vsprintf() rou
tine that is used to create log entries. The vsprintf() routine contains no bo
unds checking for parameters thus creating a buffer overflow situation.

The CERT/CC is tracking this issue as VU#567620. This reference number corresp
onds to CVE candidate CAN-2003-0812.

II. Impact
A remote attacker could exploit this vulnerability to execute arbitrary code w
ith system-level privileges or to cause a denial of service. The exploit vecto
r and impact for this vulnerability are conducive to automated attacks such as
worms.

III. Solution
Apply a patch from your vendor
Apply the appropriate patch as specified in Microsoft Security Bulletin MS03-0
49.

Appendix A contains additional information provided by vendors for this adviso
ry. As vendors report new information to the CERT/CC, we will update this sect
ion and note the changes in our revision history. If a particular vendor is no
t listed below or in the individual vulnerability notes, we have not received
their comments. Please contact your vendor directly.

Restrict access
You may wish to block access from outside your network perimeter, specifically
by blocking access to TCP & UDP ports 138, 139, and 445. This will limit your
exposure to attacks. However, blocking at the network perimeter would still a
llow attackers within the perimeter of your network to exploit the vulnerabili
ty. It is important to understand your network's configuration and service req
uirements before deciding what changes are appropriate.

Disable the Workstation Service
Depending on site requirements, you may wish to disable the Workstation Servic
e as described in MS03-049. Disabling the Workstation Service will help protec
t against this vulnerability, but may also cause undesirable side effects. Acc
ording to the Microsoft's Security Bulletin, the impacts of disabling the Work
station Service are as follows:

"If the Workstation service is disabled, the system cannot connect to any shar
ed file resources or shared print resources on a network. Only use this workar
ound on stand-alone systems (such as many home systems) that do not connect to
a network. If the Workstation service is disabled, any services that explicit
ly depend on the Workstation service do not start, and an error message is log
ged in the system event log. The following services depend on the Workstation
service:
Alerter
Browser
Messenger
Net Logon
RPC Locator
These services are required to access resources on a network and to perform do
main authentication. Internet connectivity and browsing for stand-alone system
s, such as users on dial-up connections, on DSL connections, or on cable modem
connections, should not be affected if these services are disabled.

Note: The Microsoft Baseline Security Analyzer will not function if the Workst
ation service is disabled. It is possible that other applications may also req
uire the Workstation service. If an application requires the Workstation servi
ce, simply re-enable the service. This can be performed by changing the Startu
p Type for the Workstation service back to Automatic and restarting the system
."

Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As v
endors report new information to the CERT/CC, we will update this section and
note the changes in our revision history. If a particular vendor is not listed
below or in the individual vulnerability notes, we have not received their co
mments.

Microsoft Corporation
Microsoft has released MS03-049.

------------------------------------------------------------------------------
--
This vulnerability was discoved by eEye Digital Security and reported in Micro
soft Security Bulletin MS03-049.
------------------------------------------------------------------------------
--

Author: Jason A Rafail.

------------------------------------------------------------------------------
--
This document is available from: http://www.cert.org/advisories/CA-2003-28.htm
l
--

※ 来源:．荔园晨风BBS站 http://bbs.szu.edu.cn [FROM: 61.144.235.39]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店