WINS memory pointer hijack

wins-memory-pointer-hijack (18259) The risk level is classified as HighHigh Risk

Description:

Microsoft Windows is vulnerable to a buffer overflow that could allow a remote attacker to hijack a memory pointer and execute arbitrary code. The Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic NetBIOS names to IP address mappings in a routed network. WINS contains a feature, called WINS replication, used to transfer information about computers on participating networks. A memory pointer is sent from the server to the client during WINS replication. A remote attacker could send a specially-crafted packet, to hijack the memory pointer and overflow a buffer, allowing the attacker to execute arbitrary code on the system.


Consequences:

Gain Access

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection platform:
WinMskb870763Update

For Virtual Patch:

Enable the following checks in the Dynamic ISS Protection platform:
WINS_PointerHijack

For Manual Protection:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

As a workaround, block TCP port 42 and UDP port 42 at the firewall, or remove WINS if it is not needed. Refer to Microsoft Knowledge Base Article - 890710 for more information. See References.

References:

  • Microsoft Corporation Web site: Windows Internet Name Service (WINS).
  • Microsoft Knowledge Base Article 890710: How to help protect against a WINS security issue.
  • Microsoft Security Bulletin MS04-045: Vulnerability in WINS Could Allow Remote Code Execution (870763).
  • Microsoft Security Bulletin MS08-034: Vulnerability in WINS Could Allow Elevation of Privilege (948745).
  • Microsoft Security Bulletin MS09-008: Vulnerabilities in DNS and WINS server could allow Spoofing (962238).
  • BID-11763: Microsoft Windows WINS Association Context Data Remote Memory Corruption Vulnerability
  • CVE-2004-1080: The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the Association Context Vulnerability.
  • OSVDB ID: 12378: Microsoft Windows WINS Association Context Validation Remote Code Execution
  • SA13328: Microsoft Windows WINS Replication Packet Handling Vulnerability
  • SECTRACK ID: 1012516: (Vendor Issues Fix) Microsoft WINS Memory Overwrite Lets Remote Users Execute Arbitary Code
  • US-CERT VU#145134: Microsoft Windows Internet Naming Service (WINS) replication protocol contains a heap-based buffer overflow

Platforms Affected:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2003 Server
  • Microsoft Windows NT 4.0 Terminal Server
  • Microsoft Windows NT 4.0 Server

Reported:

Nov 26, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page