Microsoft Windows Locator Service Buffer Overflow Vulnerability
Risk
High
Date Discovered
01-22-2003
Description
It has been reported that the Microsoft Windows Locator service is affected by a remotely exploitable buffer overflow vulnerability. The condition is due to a memory copy of RPC arguments received from remote clients into a local buffer.
This vulnerability may be exploited by remote attackers to execute custom instructions on the target server. It is also possible to crash the service with a malicious request. It should be noted that, to exploit this vulnerability, no authentication is required. Additionally, the Locator service is enabled by default on all Windows 2000 and Windows NT Domain Controllers (DC).
Components Affected
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server Japanese Edition
Microsoft Windows 2000 Terminal Services SP3
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Recommendations
Block external access at the network boundary, unless service is required by external parties.
Block unauthorized access to Domain Controllers at the network boundary.
Disable all unnecessary services.
Disable the Locator service unless it is absolutely required.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Configure firewalls to ignore, or block, unsolicted traffic to the Windows NetBIOS service on ports 138 and 139.
Note that there are multilingual versions of the fixes.
The following fixes are available:
Microsoft Windows 2000 Advanced Server SP3:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Advanced Server SP2:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Advanced Server SP1:
Microsoft Windows 2000 Advanced Server :
Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Datacenter Server SP1:
Microsoft Windows 2000 Datacenter Server :
Microsoft Windows 2000 Professional SP3:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Professional SP2:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Professional SP1:
Microsoft Windows 2000 Professional :
Microsoft Windows 2000 Server SP3:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Server SP2:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Server SP1:
Microsoft Windows 2000 Server :
Microsoft Windows 2000 Server Japanese Edition :
Microsoft Patch Q810833_W2K_SP4_nec98_JA.exe
http://microsoft.com/downloads/details.aspx?FamilyId=1B142CF9-CADA-4DFF-B42D-7E2022A17E6A&displaylang=ja
Microsoft Windows 2000 Terminal Services SP3:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Terminal Services SP2:
Microsoft Patch Q810833_W2K_SP4_X86_EN.exe
http://microsoft.com/downloads/details.aspx?FamilyId=33FF827A-D5DB-4F92-9DEF-4D91A140E0E0&displaylang=en
Microsoft Windows 2000 Terminal Services SP1:
Microsoft Windows 2000 Terminal Services :
Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Patch Q810833i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=F92D1E86-590A-4DA5-93F2-FCC6300A1A43&displaylang=en
Microsoft Patch JPNQ810833n.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=F211C932-D442-4A1A-B385-77975DE3B280&displaylang=ja
Microsoft Patch CHPQ810833i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=C8AAB17B-48B2-4E9F-B06F-2A54BA59A45F&displaylang=zh-tw
Microsoft Windows NT Enterprise Server 4.0 SP6:
Microsoft Windows NT Enterprise Server 4.0 SP5:
Microsoft Windows NT Enterprise Server 4.0 SP4:
Microsoft Windows NT Enterprise Server 4.0 SP3:
Microsoft Windows NT Enterprise Server 4.0 SP2:
Microsoft Windows NT Enterprise Server 4.0 SP1:
Microsoft Windows NT Enterprise Server 4.0:
Microsoft Windows NT Server 4.0 SP6a:
Microsoft Patch Q810833i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=F92D1E86-590A-4DA5-93F2-FCC6300A1A43&displaylang=en
Microsoft Patch JPNQ810833n.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=F211C932-D442-4A1A-B385-77975DE3B280&displaylang=ja
Microsoft Patch CHPQ810833i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=C8AAB17B-48B2-4E9F-B06F-2A54BA59A45F&displaylang=zh-tw
Microsoft Windows NT Server 4.0 SP6:
Microsoft Windows NT Server 4.0 SP5:
Microsoft Windows NT Server 4.0 SP4:
Microsoft Windows NT Server 4.0 SP3:
Microsoft Windows NT Server 4.0 SP2:
Microsoft Windows NT Server 4.0 SP1:
Microsoft Windows NT Server 4.0:
Microsoft Windows NT Terminal Server 4.0 SP6a:
Microsoft Windows NT Terminal Server 4.0 SP6:
Microsoft Patch Q810833i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=EB651162-97F2-47F9-8E99-016B35B7646D&displaylang=en
Microsoft Windows NT Terminal Server 4.0 SP5:
Microsoft Windows NT Terminal Server 4.0 SP4:
Microsoft Windows NT Terminal Server 4.0 SP3:
Microsoft Windows NT Terminal Server 4.0 SP2:
Microsoft Windows NT Terminal Server 4.0 SP1:
Microsoft Windows NT Terminal Server 4.0:
Microsoft Windows NT Workstation 4.0 SP6a:
Microsoft Patch Q810833i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=F92D1E86-590A-4DA5-93F2-FCC6300A1A43&displaylang=en
Microsoft Patch JPNQ810833n.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=F211C932-D442-4A1A-B385-77975DE3B280&displaylang=ja
Microsoft Patch CHPQ810833i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=C8AAB17B-48B2-4E9F-B06F-2A54BA59A45F&displaylang=zh-tw
Microsoft Windows NT Workstation 4.0 SP6:
Microsoft Windows NT Workstation 4.0 SP5:
Microsoft Windows NT Workstation 4.0 SP4:
Microsoft Windows NT Workstation 4.0 SP3:
Microsoft Windows NT Workstation 4.0 SP2:
Microsoft Windows NT Workstation 4.0 SP1:
Microsoft Windows NT Workstation 4.0:
Microsoft Windows XP 64-bit Edition SP1:
Microsoft Patch Q810833_WXP_SP2_ia64_ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=B8999D16-3DAD-4E20-B46E-E1AEFB1F6673&displaylang=en
Microsoft Windows XP 64-bit Edition :
Microsoft Patch Q810833_WXP_SP2_ia64_ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=B8999D16-3DAD-4E20-B46E-E1AEFB1F6673&displaylang=en
Microsoft Windows XP Home SP1:
Microsoft Patch Q810833_WXP_SP2_x86_ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=DF24197E-6217-4ABD-A244-0A53320B2813&displaylang=en
Microsoft Windows XP Home :
Microsoft Patch Q810833_WXP_SP2_x86_ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=DF24197E-6217-4ABD-A244-0A53320B2813&displaylang=en
Microsoft Windows XP Professional SP1:
Microsoft Patch Q810833_WXP_SP2_x86_ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=DF24197E-6217-4ABD-A244-0A53320B2813&displaylang=en
Microsoft Windows XP Professional :
Microsoft Patch Q810833_WXP_SP2_x86_ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=DF24197E-6217-4ABD-A244-0A53320B2813&displaylang=en
References
Source: CA-2003-03
URL: http://www.cert.org/advisories/CA-2003-03.html
Source: Microsoft Security Bulletin MS03-001
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-001.asp
Credits
Discovery of this vulnerability credited to David Litchfield of Next Generation Security Software Ltd.
Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
| 
