[NT] Vulnerability in Network Connection Manager Allows DoS (MS05-045)

Subject: [NT] Vulnerability in Network Connection Manager Allows DoS (MS05-045)
Date: 12 Oct 2005 09:42:13 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Vulnerability in Network Connection Manager Allows DoS (MS05-045)
------------------------------------------------------------------------


SUMMARY

A denial of service vulnerability exists that could allow an attacker to 
send a specially crafted network packet to an affected Windows system. An 
attacker who successfully exploited this vulnerability could cause the 
component responsible for managing network and remote access connections 
to stop responding. If the affected component is stopped due to an attack, 
it will automatically restart when new requests are received.

DETAILS

Affected Software:
 * Microsoft Windows 2000 Service Pack 4
   Download the update: <http://www.microsoft.com/downloads/details.aspx?FamilyId=92C5A89F-89E5-4A33-ACD6-4F42AE921681>
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
   Download the update: <http://www.microsoft.com/downloads/details.aspx?FamilyId=19569E67-6D99-41FC-9457-44EC524F6106>
 * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
   Download the update: <http://www.microsoft.com/downloads/details.aspx?FamilyId=143B0289-6E60-4918-A46C-B0BE2131C7AF>

Non-Affected Software:
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft 
Windows Server 2003 with SP1 for Itanium-based Systems
 * Microsoft Windows Server 2003 x64 Edition
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (ME)

CVE Information:
 CAN-2005-2307 - <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2307>

Mitigating Factors for Network Connection Manager Vulnerability:
 * On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, 
the affected component is not vulnerable remotely. An attacker must have 
valid logon credentials and be able to log on locally to exploit this 
vulnerability.

 * On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003, an 
attacker must have valid logon credentials to exploit this vulnerability. 
The vulnerability could not be exploited by anonymous users. However, the 
affected component is available remotely to users who have standard user 
accounts. In certain configurations, anonymous users could authenticate as 
the Guest account. For more information, see Microsoft Security Advisory 
906574: <http://www.microsoft.com/technet/security/advisory/906574.mspx>

 * Firewall best practices and standard default firewall configurations 
can help protect networks from attacks that originate outside the 
enterprise perimeter. Best practices recommend that systems that are 
connected to the Internet have a minimal number of ports exposed.


Workarounds for Network Connection Manager Vulnerability:
 * Block the following at the enterprise perimeter firewall:
  o UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
  o All unsolicited inbound traffic on ports greater than 1024
  o Any other specifically configured RPC port
  o If installed, COM Internet Services (CIS) or RPC over HTTP, which 
listen on ports 80 and 443

These ports could be used to initiate a connection with affected systems. 
Blocking them at the firewall will help prevent systems that are behind 
that firewall from attempts to exploit this vulnerability that originate 
outside the enterprise perimeter. Also, make sure that you block any other 
specifically configured RPC port on the remote system. We recommend that 
you block all unsolicited inbound communication from the Internet to help 
prevent attacks that may use other ports. For more information about ports 
that RPC uses, visit the following Web site. For more information about 
how to disable CIS, see Microsoft Knowledge Base Article  
<http://support.microsoft.com/kb/825819> 825819.

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully 
exploited this vulnerability could cause the component responsible for 
managing network and remote access connections to stop responding. If the 
affected component is stopped due to an attack, it will automatically 
restart when new requests are received. Note that the denial of service 
vulnerability would not allow an attacker to execute code or to elevate 
their user rights, but it could cause the affected system to stop 
accepting requests.

What causes the vulnerability?
An unchecked buffer in the Network Connection Manager.

What is Network Connection Manager?
The Network Connection Manager is an operating system component that 
provides a means of controlling a system's network connections, such as 
those seen in the Network and Dial-Up Connections folder. When a user 
makes a new network connection, such as through the dial-up networking 
wizard, the Network Connection Manager processes the request to make the 
connection.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the 
component responsible for managing network and remote access connections 
to stop responding. If the affected component is stopped due to an attack, 
it will automatically restart when new requests are received.

Who could exploit the vulnerability?
On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the 
affected component is not vulnerable remotely. An attacker must have valid 
logon credentials and be able to log on locally to exploit this 
vulnerability. On Windows 2000, Windows XP Service Pack 1, and Windows 
Server 2003, an attacker must have valid logon credentials to exploit this 
vulnerability. The vulnerability could not be exploited by anonymous 
users. However, remote authenticated users could attempt to exploit this 
vulnerability. In certain configurations, anonymous users could 
authenticate as the Guest account. For more information, see Microsoft 
Security Advisory  
<http://www.microsoft.com/technet/security/advisory/906574.mspx> 906574.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially 
crafted request and sending the request to the affected component. If the 
affected component is stopped due to an attack, it will automatically 
restart when new requests are received.

What systems are primarily at risk from the vulnerability?
Windows 2000, Windows XP Service Pack 1 and Windows Server 2003 systems 
are primarily at risk from this vulnerability. Servers could be at more 
risk if users who do not have sufficient administrative permissions are 
given the ability to log on to servers and to run programs. However, best 
practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to authenticate to the specific system that 
is targeted for attack. An attacker cannot load and run a program remotely 
by using this vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that the Network 
Connection Manager validates the length of a message before it passes the 
message to the allocated buffer.
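The bug class the bulletin describes (a length taken from the wire and used as the copy size into a fixed buffer) and the fix it describes (validate the length before the copy), shown side by side as an added illustrative example. This is not Microsoft's Network Connection Manager code, which is not reproduced on this page; the 2-byte little-endian length-prefixed framing, the PAYLOAD_MAX buffer size, the function names and the constructed messages are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64   /* size of the handler's fixed buffer (assumed for the demo) */

/* Assumed framing: a 2-byte little-endian length field, then the payload. */
static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the length from the wire is used as the copy size with
 * no comparison against the destination. A message claiming more than
 * PAYLOAD_MAX bytes writes past buf; in a service that means a crash, which
 * is the DoS outcome described above. Do not call this with an oversized
 * message in a real process. Returns the number of bytes copied. */
int handle_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[PAYLOAD_MAX];
    if (pkt == NULL || pkt_len < 2)
        return -1;
    uint16_t claimed = read_le16(pkt);
    memcpy(buf, pkt + 2, claimed);          /* claimed is never checked */
    return (int)claimed;
}

/* Hardened pattern: validate the length before anything is copied, against
 * both the destination buffer (overflow) and the bytes actually received
 * (over-read). Returns bytes copied, or -1 to drop a malformed message. */
int handle_checked(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[PAYLOAD_MAX];
    if (pkt == NULL || pkt_len < 2)
        return -1;
    uint16_t claimed = read_le16(pkt);
    if (claimed > sizeof buf)
        return -1;                          /* would overflow buf */
    if (claimed > pkt_len - 2)
        return -1;                          /* would read past the packet */
    memcpy(buf, pkt + 2, claimed);
    return (int)claimed;
}

typedef int (*handler_fn)(const uint8_t *pkt, size_t pkt_len);

/* Build a framed message; claimed_len goes into the header independently of
 * payload_len so that a lying header can be constructed. Returns bytes written. */
size_t frame_message(uint8_t *out, size_t out_cap, uint16_t claimed_len,
                     const uint8_t *payload, size_t payload_len)
{
    if (out == NULL || out_cap < 2 + payload_len)
        return 0;
    out[0] = (uint8_t)(claimed_len & 0xff);
    out[1] = (uint8_t)(claimed_len >> 8);
    memcpy(out + 2, payload, payload_len);
    return 2 + payload_len;
}

/* Constructed messages; each scenario returns the given handler's verdict. */
int run_benign(handler_fn handler)
{
    uint8_t pkt[16];
    const uint8_t hello[5] = { 'h', 'e', 'l', 'l', 'o' };
    size_t n = frame_message(pkt, sizeof pkt, 5, hello, 5);
    return handler(pkt, n);                 /* both handlers: 5 */
}

int run_oversized(handler_fn handler)
{
    uint8_t pkt[512], big[400];
    memset(big, 'A', sizeof big);           /* claims 400 bytes and carries them */
    size_t n = frame_message(pkt, sizeof pkt, 400, big, sizeof big);
    return handler(pkt, n);                 /* checked: -1; unchecked: stack overflow */
}

int run_truncated(handler_fn handler)
{
    uint8_t pkt[16];
    const uint8_t hello[5] = { 'h', 'e', 'l', 'l', 'o' };
    size_t n = frame_message(pkt, sizeof pkt, 60, hello, 5);  /* header lies: 60 > 5 */
    return handler(pkt, n);                 /* checked: -1; unchecked: over-read */
}

int main(void)
{
    printf("benign    checked=%d unchecked=%d\n",
           run_benign(handle_checked), run_benign(handle_unchecked));
    printf("oversized checked=%d\n", run_oversized(handle_checked));
    printf("truncated checked=%d\n", run_truncated(handle_checked));
    /* run_oversized(handle_unchecked) is deliberately never called. */
    return 0;
}
```

Only the hardened handler is ever given the malformed messages; the point of the example is that the two handlers behave identically on well-formed input, so nothing in normal traffic reveals the missing check. The hardened version validates the claimed length twice: against the destination buffer, which is the fix the bulletin describes, and against the number of bytes actually received, which stops a header that claims more payload than was sent from reading past the end of the packet, a separate way to crash a service that a length check against the buffer alone does not cover.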

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
Yes. This vulnerability has been publicly disclosed and was previously 
assigned Common Vulnerability and Exposure number CAN-2005-2307.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published 
publicly but had not received any information to indicate that this 
vulnerability had been publicly used to attack customers when this 
security bulletin was originally issued.

Does applying this security update help protect customers from the code 
that has been published publicly that attempts to exploit this 
vulnerability?
Yes. This security update addresses the proof of concept code that has 
been published that attempts to exploit this issue. The vulnerability that 
has been addressed has been assigned the Common Vulnerability and Exposure 
number CAN-2005-2307.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS05-045.mspx>


