| VID |
28063 |
| Severity |
40 |
| Port |
135 |
| Protocol |
UDP |
| Class |
SMB |
| Detailed Description |
The Windows Messenger Service is vulnerable to a buffer overflow attack. The "Messenger Service" is enabled by default on all Windows NT, Windows 2000, and Windows XP desktops and servers. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. A remote attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail.
Similarly to the MS-RPC vulnerability (as described in Microsoft Security Bulletin MS03-026), the Messenger Service is also reachable via MS-RPC (Microsoft Remote Procedure Call). Vulnerabilities of this nature have led to Internet worms such as "MS Blast/Blaster", "Nachi", and "SQL Slammer".
* References:
http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
http://xforce.iss.net/xforce/alerts/id/156
http://www.kb.cert.org/vuls/id/575892
* Platforms Affected:
Windows NT Any version
Windows 2000 Any version
Windows XP Any version
Windows 2003 Server |
| Recommendation |
Disable the Messenger Service, if it is not required. To disable the Messenger Service, follow the instructions below:
1. Navigate to the "Start" Menu, and then to the "Control Panel".
2. Depending on system type and configuration, navigate either to the "Performance and Maintenance" menu, or the "Administrative Tools" menu.
3. Navigate to the "System" menu.
4. Click on the "Services" icon.
5. Windows will present a list of system services. Scroll down to the service named "Messenger". Right-click on this service and select "Properties" from the popup menu.
6. Use to dialog box next to "Startup Type", select "Disabled".
7. Under the "Service Status" sub-menu click the button labeled, "Stop".
8. Click the "Apply" and "Ok" buttons. The service has now been stopped and disabled.
-- OR --
Apply the appropriate patch for your system, as listed in Microsoft's security bulletin MS03-043 at http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
-- OR --
Patches for Windows platforms are also available from the Microsoft Windows Update Web site, http://windowsupdate.microsoft.com . Windows Update detects what version of Windows you are running and offers the appropriate patch.
The following are the typical Microsoft networking ports. All of these should be blocked as strictly as possible within firewalls (including personal firewalls):
135/tcp MS-RPC connection-oriented
135/udp MS-RPC datagrams
137/udp NetBIOS name resolution
138/udp NetBIOS/SMB datagrams
139/tcp NetBIOS/SMB connection-oriented
445/tcp SMB connection-oriented
445/udp SMB datagrams |
| Related URL |
CVE-2010-2745 (CVE) |
| Related URL |
43772 (SecurityFocus) |
| Related URL |
(ISS) |
|
