| VID |
28098 |
| Severity |
40 |
| Port |
42 |
| Protocol |
TCP |
| Class |
WINS |
| Detailed Description |
The WINS replication service appears to be affected by a remote code execution vulnerability. The Windows Internet Naming Service (WINS) resolves NetBIOS names to IP addresses and performs the reverse mapping of IP addresses to NetBIOS names. WINS has a feature called WINS replication, which allows it to replicate its database to other servers. WINS replication is done on TCP port 42 using a Microsoft proprietary protocol. As part of the replication protocol, a pointer is sent from the replication host to the replication clients. By hijacking this pointer, an attacker can craft a packet that allows arbitrary memory corruption and leads to execution of memory of the attacker's choosing. A remote attacker could send a specially crafted packet to hijack the memory pointer and overflow a buffer, allowing the attacker to execute arbitrary code with SYSTEM-level privileges on a target WINS server.
* References:
  * http://www.microsoft.com/technet/security/bulletin/ms04-045.mspx
  * http://www.immunitysec.com/downloads/instantanea.pdf
  * http://support.microsoft.com/kb/890710
  * http://www.coresecurity.com/products/coreimpact/nov25-2004.php
  * http://www.securityfocus.com/archive/1/382414
  * http://lists.immunitysec.com/pipermail/dailydave/2004-November/001193.html
  * http://xforce.iss.net/xforce/alerts/id/184
  * http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS02-12.asp
* Platforms Affected:
  * Microsoft Windows NT Server 4.0 SP 6a
  * Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
  * Microsoft Windows 2000 SP4 Server
  * Microsoft Windows Server 2003 |
| Recommendation |
Apply the appropriate patch for your system, as listed in the Microsoft Security Bulletin MS04-045 at http://www.microsoft.com/technet/security/bulletin/ms04-045.mspx
-- OR --
Patches for Windows platforms are also available from the Microsoft Windows Update Web site, http://windowsupdate.microsoft.com . Windows Update detects what version of Windows you are running and offers the appropriate patch.
As a workaround, disable the WINS service if it is not required, or block ports 42/TCP and 42/UDP at your network perimeter to limit exposure to this issue.
To remove WINS, refer to Microsoft Knowledge Base Article - 890710 at http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS02-12.asp |
| Related URL |
CVE-2004-0567,CVE-2004-1080 (CVE) |
| Related URL |
11763,11922 (SecurityFocus) |
| Related URL |
18258,18259 (ISS) |
|