
Microsoft Windows DHCP Server Remote Buffer Overflow Vulnerability

Risk
High

Date Discovered
12-14-2004

Description
Microsoft Windows DHCP server on NT 4 server platforms is reported susceptible to a remote buffer overflow vulnerability. This issue is due to insufficient bounds checking of user-supplied network data.

This vulnerability allows remote attackers to execute arbitrary code in the context of the affected service. The DHCP server runs with administrative privileges, so a remote attacker can gain administrative access or crash the affected service, denying service to legitimate users. This may allow attackers to interrupt network services to an entire network.

It is noted that the service is not installed by default.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager™ posted an update to the OS Patch Policy that detects and reports systems that are not patched against this vulnerability. The advisory was released December 15, 2004.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. The advisory was released December 16, 2004.

Symantec Network Security 7100
As of December 15, 2004, users of Symantec Network Security 7100 can update to Security Update 6 to detect attempts to exploit this vulnerability. This update is available via LiveUpdate.

Platforms Affected
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S8100 Media Servers
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP6a

Components Affected
Microsoft Windows NT 4.0 SP6a alpha
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT 4.0 SP6 alpha
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP5 alpha
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP4 alpha
Microsoft Windows NT 4.0 SP4
Microsoft Windows NT 4.0 SP3 alpha
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP2 alpha
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP1 alpha
Microsoft Windows NT 4.0 SP1
Microsoft Windows NT 4.0 alpha
Microsoft Windows NT 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 alpha
Microsoft Windows NT Terminal Server 4.0

Recommendations
Block external access at the network boundary, unless service is required by external parties.
Access to the affected service should be filtered at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploitation. This includes blocking UDP ports 67 and 68 at the perimeter.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy network intrusion detection software to monitor network activity. Network traffic should be monitored for malformed DHCP packets.
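
As an added illustration of the "malformed DHCP packets" monitoring recommended above (example code written for this page, not Symantec's or Microsoft's detection logic), the following checks one UDP port 67/68 payload against the packet layout in RFC 2131 and RFC 2132. The advisory does not say which field triggers the overflow, so this is a generic structural check rather than a signature for this flaw; the function names and sample packets are constructed for the example.

```python
BOOTP_FIXED_LEN = 236                # fixed BOOTP header (op .. file), RFC 2131
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options, RFC 2132
OPT_PAD, OPT_END, OPT_MSG_TYPE = 0, 255, 53

def check_dhcp(payload: bytes) -> list:
    """Return the structural anomalies found in one UDP/67-68 payload."""
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        return ["truncated: shorter than BOOTP header plus magic cookie"]
    findings = []
    op, hlen = payload[0], payload[2]
    if op not in (1, 2):             # 1 = BOOTREQUEST, 2 = BOOTREPLY
        findings.append(f"bad op code {op}")
    if hlen > 16:                    # chaddr is a fixed 16-byte field
        findings.append(f"hlen {hlen} exceeds 16-byte chaddr field")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        return findings + ["missing DHCP magic cookie"]
    pos, seen_end, seen_type = BOOTP_FIXED_LEN + 4, False, False
    while pos < len(payload):        # walk the code/length/value options
        code = payload[pos]
        if code == OPT_PAD:          # Pad is a single byte with no length
            pos += 1
            continue
        if code == OPT_END:
            seen_end = True
            break
        if pos + 1 >= len(payload):
            findings.append(f"option {code} has no length byte")
            break
        length = payload[pos + 1]
        if pos + 2 + length > len(payload):
            # Declared length points past the end of the datagram.
            findings.append(f"option {code} length {length} overruns packet")
            break
        seen_type = seen_type or code == OPT_MSG_TYPE
        pos += 2 + length
    if not seen_end:
        findings.append("no End option")
    if not seen_type:
        findings.append("no DHCP message-type option")
    return findings

def build_sample(options: bytes, op: int = 1, hlen: int = 6) -> bytes:
    """Constructed test packet: zeroed header fields plus the given options."""
    return bytes([op, 1, hlen, 0]) + bytes(232) + MAGIC_COOKIE + options

# Constructed samples: a minimal well-formed packet, and one whose host-name
# option (code 12) declares 240 bytes of data but carries only 4.
GOOD = build_sample(b"\x35\x01\x01\xff")
BAD = build_sample(b"\x35\x01\x01\x0c\xf0host\xff")
```
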

Microsoft has released updates to address this vulnerability in supported versions of the Windows operating system.
Microsoft Windows NT 4.0 SP6a alpha:
Microsoft Windows NT 4.0 SP6a:
Microsoft Windows NT 4.0 SP6 alpha:
Microsoft Windows NT 4.0 SP6:
Microsoft Windows NT 4.0 SP5 alpha:
Microsoft Windows NT 4.0 SP5:
Microsoft Windows NT 4.0 SP4 alpha:
Microsoft Windows NT 4.0 SP4:
Microsoft Windows NT 4.0 SP3 alpha:
Microsoft Windows NT 4.0 SP3:
Microsoft Windows NT 4.0 SP2 alpha:
Microsoft Windows NT 4.0 SP2:
Microsoft Windows NT 4.0 SP1 alpha:
Microsoft Windows NT 4.0 SP1:
Microsoft Windows NT 4.0 alpha:
Microsoft Windows NT 4.0:
Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Windows NT Enterprise Server 4.0 SP6:
Microsoft Windows NT Enterprise Server 4.0 SP5:
Microsoft Windows NT Enterprise Server 4.0 SP4:
Microsoft Windows NT Enterprise Server 4.0 SP3:
Microsoft Windows NT Enterprise Server 4.0 SP2:
Microsoft Windows NT Enterprise Server 4.0 SP1:
Microsoft Windows NT Enterprise Server 4.0:
Microsoft Windows NT Server 4.0 SP6a:

Microsoft Patch Security Update for Windows NT Server 4.0 (KB885249)
http://www.microsoft.com/downloads/details.aspx?familyid=7CC7F82D-F2A2-49AA-BF33-897498898EAD&displaylang=en

Microsoft Windows NT Server 4.0 SP6:
Microsoft Windows NT Server 4.0 SP5:
Microsoft Windows NT Server 4.0 SP4:
Microsoft Windows NT Server 4.0 SP3:
Microsoft Windows NT Server 4.0 SP2:
Microsoft Windows NT Server 4.0 SP1:
Microsoft Windows NT Server 4.0:
Microsoft Windows NT Terminal Server 4.0 SP6:
Microsoft Patch Security Update for Windows NT Server 4.0, Terminal Server Edition (KB885249)
http://www.microsoft.com/downloads/details.aspx?familyid=69F3259F-3004-462C-B2A8-37F65EB78A2D&displaylang=en

Microsoft Windows NT Terminal Server 4.0 SP5:
Microsoft Windows NT Terminal Server 4.0 SP4:
Microsoft Windows NT Terminal Server 4.0 SP3:
Microsoft Windows NT Terminal Server 4.0 SP2:
Microsoft Windows NT Terminal Server 4.0 SP1:
Microsoft Windows NT Terminal Server 4.0 alpha:
Microsoft Windows NT Terminal Server 4.0:

References
Source: Microsoft Security Bulletin MS04-042
URL: http://www.microsoft.com/technet/security/bulletin/ms04-042.mspx

Credits
Kostya Kortchinsky is credited for the disclosure of this vulnerability.


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.