| VID |
26064 |
| Severity |
40 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The hotfix (KB828035) for the 'Buffer Overflow in Messenger Service' has not been applied. The "Messenger Service" is enabled by default on all Windows NT, Windows 2000, and Windows XP desktops and servers. The Microsoft Messenger Service is unrelated to Microsoft MSN Messenger. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. A remote attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. As with the MS-RPC vulnerability described in Microsoft Security Bulletin MS03-026, the Messenger Service is also reachable via MS-RPC (Microsoft Remote Procedure Call). Vulnerabilities of this nature have led to Internet worms such as "MS Blast/Blaster", "Nachi", and "SQL Slammer".
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, resulting in a False Negative for all vulnerable hosts.
* References:
  http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
  http://xforce.iss.net/xforce/alerts/id/156
* Platforms Affected:
  Microsoft Windows NT Workstation 4.0, Service Pack 6a
  Microsoft Windows NT Server 4.0, Service Pack 6a
  Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
  Microsoft Windows 2000, Service Pack 2
  Microsoft Windows 2000, Service Pack 3, Service Pack 4
  Microsoft Windows XP Gold, Service Pack 1
  Microsoft Windows XP 64-bit Edition
  Microsoft Windows XP 64-bit Edition Version 2003
  Microsoft Windows Server 2003
  Microsoft Windows Server 2003 64-bit Edition |
| Recommendation |
Disable the Messenger Service, if it is not required. To disable the Messenger Service, follow the instructions below:
1. Navigate to the "Start" Menu, and then to the "Control Panel".
2. Depending on system type and configuration, navigate either to the "Performance and Maintenance" menu, or the "Administrative Tools" menu.
3. Navigate to the "System" menu.
4. Click on the "Services" icon.
5. Windows will present a list of system services. Scroll down to the service named "Messenger". Right-click on this service and select "Properties" from the popup menu.
6. Using the dialog box next to "Startup Type", select "Disabled".
7. Under the "Service Status" sub-menu, click the button labeled "Stop".
8. Click the "Apply" and "OK" buttons. The service has now been stopped and disabled.
-- OR --
Apply the appropriate patch for your system, as listed in Microsoft's security bulletin MS03-043 at http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
1. Open the following page to download the patch:
   * For Microsoft Windows NT Workstation 4.0, Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=7597FCF4-6615-4074-9E46-A17D808ED38D
   * For Microsoft Windows NT Server 4.0, Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=B1949456-996A-485A-9A28-79FD79F26A1B
   * For Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=64AB4B66-1A6E-4264-93A8-26CDB98B05A8
   * For Microsoft Windows 2000, Service Pack 2: http://www.microsoft.com/downloads/details.aspx?FamilyId=A0061377-1683-4C13-9527-5534F6C7CF85
   * For Microsoft Windows 2000, Service Pack 3, Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=99F1B40D-906A-4945-A021-4B494CCCBDE0
   * For Microsoft Windows XP Gold, Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833
   * For Microsoft Windows XP 64-bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296
   * For Microsoft Windows XP 64-bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=8B990946-84C8-4C91-899C-5A44EC13174E
   * For Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=1DF106F3-7EC4-4EB0-9143-C1E3C9E2F5F8
   * For Microsoft Windows Server 2003 64-bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=8B990946-84C8-4C91-899C-5A44EC13174E
2. Select a different language from the drop-down list and click the <Go> button.
3. Click the <Download> button to download the patch file.
4. Run this file to install the patch.
5. Restart your system to complete the installation.
-- OR --
Patches for Windows platforms are also available from the Microsoft Windows Update Web site, http://windowsupdate.microsoft.com. Windows Update detects what version of Windows you are running and offers the appropriate patch.
The following are the typical Microsoft networking ports. All of these should be blocked as strictly as possible within firewalls (including personal firewalls):
135/tcp  MS-RPC connection-oriented
135/udp  MS-RPC datagrams
137/udp  NetBIOS name resolution
138/udp  NetBIOS/SMB datagrams
139/tcp  NetBIOS/SMB connection-oriented
445/tcp  SMB connection-oriented
445/udp  SMB datagrams |
| Related URL |
CVE-2003-0717 (CVE) |
| Related URL |
8826 (SecurityFocus) |
| Related URL |
13412 (ISS) |
|
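A check for the port list in the Recommendation above, as an added example that is not part of the original advisory or the scanner's own code: it reads `netstat -an` output from a Windows host and reports sockets listening on those ports that are not bound to loopback only. The function name, the sample output and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress

# Port list from the Recommendation section of the advisory.
MS_NETWORKING_PORTS = {
    (135, "tcp"): "MS-RPC connection-oriented",
    (135, "udp"): "MS-RPC datagrams",
    (137, "udp"): "NetBIOS name resolution",
    (138, "udp"): "NetBIOS/SMB datagrams",
    (139, "tcp"): "NetBIOS/SMB connection-oriented",
    (445, "tcp"): "SMB connection-oriented",
    (445, "udp"): "SMB datagrams",
}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address     Foreign Address   State
  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING
  TCP    127.0.0.1:445     0.0.0.0:0         LISTENING
  TCP    192.0.2.10:139    0.0.0.0:0         LISTENING
  TCP    192.0.2.10:1045   192.0.2.20:445    ESTABLISHED
  TCP    [::]:445          [::]:0            LISTENING
  UDP    0.0.0.0:445       *:*
  UDP    192.0.2.10:137    *:*
"""

def exposed_listeners(netstat_text):
    """Sorted (port, proto, bind_address, service) for non-loopback listeners."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto = fields[0].lower()
        # TCP rows have a state column; only LISTENING sockets accept connections.
        if proto == "tcp" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue
        host, _, port_text = fields[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if not port_text.isdigit() or (int(port_text), proto) not in MS_NETWORKING_PORTS:
            continue
        key = (int(port_text), proto)
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue  # reachable from the local machine only
        except ValueError:
            pass  # unparseable address: report it rather than hide it
        findings.append((key[0], proto, host, MS_NETWORKING_PORTS[key]))
    return sorted(findings)
```

Run `exposed_listeners()` on saved `netstat -an` output from each host; a listener on 0.0.0.0 or a routable address still needs a firewall rule in front of it.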