WINS memory pointer hijack
| wins-memory-pointer-hijack (18259) |  High Risk |
Description:
Microsoft Windows is vulnerable to a buffer overflow that could allow a remote attacker to hijack a memory pointer and execute arbitrary code. The Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic NetBIOS names to IP address mappings in a routed network. WINS contains a feature, called WINS replication, used to transfer information about computers on participating networks. A memory pointer is sent from the server to the client during WINS replication. A remote attacker could send a specially-crafted packet, to hijack the memory pointer and overflow a buffer, allowing the attacker to execute arbitrary code on the system.
Platforms Affected:
- Microsoft, Windows 2000 Advanced Server
- Microsoft, Windows 2003 Server
- Microsoft, Windows NT 4.0 Server
- Microsoft, Windows NT 4.0 Terminal Server
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection platform:
WinMskb870763Update
Enable the following checks in the Dynamic ISS Protection platform:
WINS_PointerHijack
For Manual Protection:
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
As a workaround, block TCP port 42 and UDP port 42 at the firewall, or remove WINS if it is not needed. Refer to Microsoft Knowledge Base Article - 890710 for more information. See References.
Consequences:
Gain Access
References:
- Microsoft Corporation Web site, Windows Internet Name Service (WINS) at http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS02-12.asp.
- Microsoft Knowledge Base Article 890710, How to help protect against a WINS security issue at http://support.microsoft.com/kb/890710.
- Microsoft Security Bulletin MS04-045, Vulnerability in WINS Could Allow Remote Code Execution (870763) at http://www.microsoft.com/technet/security/bulletin/ms04-045.mspx.
- Microsoft Security Bulletin MS08-034, Vulnerability in WINS Could Allow Elevation of Privilege (948745) at http://www.microsoft.com/technet/security/Bulletin/MS08-034.mspx.
- BID-11763: Microsoft Windows WINS Association Context Data Remote Memory Corruption Vulnerability
- CVE-2004-1080: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the Association Context Vulnerability.
- OSVDB ID: 12378: Microsoft Windows WINS Association Context Validation Remote Code Execution
- SA13328: Microsoft Windows WINS Replication Packet Handling Vulnerability
- SECTRACK ID: 1012516: (Vendor Issues Fix) Microsoft WINS Memory Overwrite Lets Remote Users Execute Arbitary Code
- US-CERT VU#145134: Microsoft Windows Internet Naming Service (WINS) replication protocol contains a heap-based buffer overflow
Reported:
Nov 26, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net