ammar_secret
12-22-2003, 10:19 PM
Systems Affected
Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
Microsoft Windows XP
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition
Overview
A buffer overflow vulnerability exists in Microsoft's Windows Workstation Service (WKSSVC.DLL).
A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
II. Impact
A remote attacker could exploit this vulnerability to execute arbitrary code with system-level privileges or to cause a denial of service. The exploit vector and impact for this vulnerability are conducive to automated attacks such as worms
Restrict access
You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 138, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
The CERT/CC has confirmed that one exploit connects to TCP port 445 on the victim machine to exploit this vulnerability. Once exploitation is successful, it then listens on TCP port 4444. You may wish to monitor for this and other open ports as an indication of exploitation.
Disable the Workstation Service
Depending on site requirements, you may wish to disable the Workstation Service as described in MS03-049. Disabling the Workstation Service will help protect against this vulnerability, but may also cause undesirable side effects. According to the Microsoft's Security Bulletin, the impacts of disabling the Workstation Service are as follows:
"If the Workstation service is disabled, the system cannot connect to any shared file resources or shared print resources on a network. Only use this workaround on stand-alone systems (such as many home systems) that do not connect to a network. If the Workstation service is disabled, any services that explicitly depend on the Workstation service do not start, and an error message is logged in the system event log. The following services depend on the Workstation service:
Alerter
Browser
Messenger
Net Logon
RPC Locator
These services are required to access resources on a network and to perform domain authentication. Internet connectivity and browsing for stand-alone systems, such as users on dial-up connections, on DSL connections, or on cable modem connections, should not be affected if these services are disabled.
Note: The Microsoft Baseline Security Analyzer will not function if the Workstation service is disabled. It is possible that other applications may also require the Workstation service. If an application requires the Workstation service, simply re-enable the service. This can be performed by changing the Startup Type for the Workstation service back to Automatic and restarting the system."
Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
Microsoft Windows XP
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition
Overview
A buffer overflow vulnerability exists in Microsoft's Windows Workstation Service (WKSSVC.DLL).
A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
II. Impact
A remote attacker could exploit this vulnerability to execute arbitrary code with system-level privileges or to cause a denial of service. The exploit vector and impact for this vulnerability are conducive to automated attacks such as worms
Restrict access
You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 138, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
The CERT/CC has confirmed that one exploit connects to TCP port 445 on the victim machine to exploit this vulnerability. Once exploitation is successful, it then listens on TCP port 4444. You may wish to monitor for this and other open ports as an indication of exploitation.
Disable the Workstation Service
Depending on site requirements, you may wish to disable the Workstation Service as described in MS03-049. Disabling the Workstation Service will help protect against this vulnerability, but may also cause undesirable side effects. According to the Microsoft's Security Bulletin, the impacts of disabling the Workstation Service are as follows:
"If the Workstation service is disabled, the system cannot connect to any shared file resources or shared print resources on a network. Only use this workaround on stand-alone systems (such as many home systems) that do not connect to a network. If the Workstation service is disabled, any services that explicitly depend on the Workstation service do not start, and an error message is logged in the system event log. The following services depend on the Workstation service:
Alerter
Browser
Messenger
Net Logon
RPC Locator
These services are required to access resources on a network and to perform domain authentication. Internet connectivity and browsing for stand-alone systems, such as users on dial-up connections, on DSL connections, or on cable modem connections, should not be affected if these services are disabled.
Note: The Microsoft Baseline Security Analyzer will not function if the Workstation service is disabled. It is possible that other applications may also require the Workstation service. If an application requires the Workstation service, simply re-enable the service. This can be performed by changing the Startup Type for the Workstation service back to Automatic and restarting the system."