Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13790
HistoryAug 08, 2006 - 12:00 a.m.

Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)

2006-08-0800:00:00
vulners.com
24

Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
Published: August 8, 2006

Version: 1.0
Summary

Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Windows 2000 Service Pack 4 — Download the update

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 — Download the update

Microsoft Windows XP Professional x64 Edition — Download the update

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 — Download the update

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems — Download the update

Microsoft Windows Server 2003 x64 Edition — Download the update

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Note The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.
Top of sectionTop of section
General Information

Executive Summary

Executive Summary:

This update resolves several newly discovered, privately reported, vulnerabilities.

An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

We recommend that customers apply this update immediately.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers Impact of Vulnerability Windows 2000 Windows XP Service Pack 1 Windows XP Service Pack 2 Windows Server 2003 Windows Server 2003 Service Pack 1

Winsock Hostname Vulnerability - CVE-2006-3440

Remote Code Execution

Critical

Critical

Critical

Critical

Critical

DNS Client Buffer Overrun Vulnerability - CVE-2006-3441

Remote Code Execution

Critical

Critical

Critical

Critical

Critical

Aggregate Severity of All Vulnerabilities

Critical

Critical

Critical

Critical

Critical

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Note The security updates for Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.

Note The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:

The Windows XP Professional x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.

The Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.

The Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.

The Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

Why does this update address several reported security vulnerabilities?
This update addresses several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.

Extended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems; what should I do?
Windows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems; what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Customers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.

For more information, visit the Windows Operating System FAQ.
Product MBSA 1.2.1 MBSA 2.0

Microsoft Windows 2000 Service Pack 4

Yes

Yes

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Yes

Yes

Microsoft Windows XP Professional x64 Edition

No

Yes

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Yes

Yes

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems

No

Yes

Microsoft Windows Server 2003 x64 Edition family

No

Yes

For more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.

For more detailed information, see Microsoft Knowledge Base Article 910723.

Can I use Systems Management Server (SMS) to determine whether this update is required?
The following table provides the SMS detection summary for this security update.
Product SMS 2.0 SMS 2003

Microsoft Windows 2000 Service Pack 4

Yes

Yes

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Yes

Yes

Microsoft Windows XP Professional x64 Edition

No

Yes

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Yes

Yes

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems

No

Yes

Microsoft Windows Server 2003 x64 Edition family

No

Yes

For more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.

For more detailed information, see Microsoft Knowledge Base Article 910723.
Top of sectionTop of section

Vulnerability Details

Winsock Hostname Vulnerability - CVE-2006-3440:

There is a remote code execution vulnerability in Winsock that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. For an attack to be successful the attacker would have to force the user to open a file or visit a website that is specially crafted to call the affected Winsock API.

Mitigating Factors for Winsock Hostname Vulnerability - CVE-2006-3440:

The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or view a specially crafted website. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message.
Top of sectionTop of section

Workarounds for Winsock Hostname Vulnerability - CVE-2006-3440:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Modify the Autodial DLL

Modifying the Autodial DLL within the Windows registry will prevent an application, specially crafted website or e-mail message from calling the affected API and exploiting the vulnerability. If the Autodial DLL registry value is not found by default in the specified location we recommend that customers create the REG_SZ value accordingly.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit

Click Start, click Run, type "regedt32 " (without the quotation marks), and then click OK

In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters

Double click the REG_SZ value AutodialDLL

Set the data value to kernel32.dll

Close the regedt32 utility and reboot
Top of sectionTop of section

FAQ for Winsock Hostname Vulnerability - CVE-2006-3440:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
An unchecked buffer in the Winsock API.

What is Winsock?
Windows Sockets 2 (Winsock) enables programmers to create advanced Internet, intranet, and other network-capable applications to transmit application data across the wire, independent of the network protocol being used. With Winsock, programmers are provided access to advanced Microsoft® Windows® networking capabilities such as multicast and Quality of Service (QOS). For more information about Winsock, please see the following MSDN Article.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

How could an attacker exploit the vulnerability?
The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or view a specially crafted website. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an e-mail message. Additionally, if an application uses the affected API it is possible that it could be exploited during regular usage scenarios that may not require user action.

What systems are primarily at risk from the vulnerability?
Servers and workstations are primarily at risk from this vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that the affected function validates the message before it passes the message to the allocated buffer.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of sectionTop of section
Top of sectionTop of section

DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:

There is a remote code execution vulnerability in the DNS Client service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Mitigating Factors DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:

For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.
Top of sectionTop of section

Workarounds for DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

For an attack to be successful the attackers would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.

Block DNS related records at network gateways

Blocking the following DNS record types at network gateways will help protect the affected system from attempts to exploit this vulnerability.

ATMA

TXT

X25

HINFO

ISDN DNS
Top of sectionTop of section

FAQ DNS Client Buffer Overrun Vulnerability - CVE-2006-3441:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
An unchecked buffer in the DNS client layer.

What is DNS?
The Domain Name System (DNS) client service resolves and caches DNS names. The DNS client service must be running on every computer that will perform DNS name resolution. The ability to resolve DNS names is crucial for locating domain controllers in Active Directory domains. The DNS client service is also critical for locating devices identified using DNS name resolution. For more information on the DNS client service please see the following Microsoft TechNet Article.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

How could an attacker exploit the vulnerability?
An anonymous user could exploit the vulnerability by sending a specially crafted DNS communication to an affected client. For an attack to be successful the attacker would either have to be on a subnet between the host and the DNS server or force the target host to make a DNS request to receive a specially crafted record response from an attacking server.

What systems are primarily at risk from the vulnerability?
Servers and workstations are primarily at risk from this vulnerability.

What does the update do?
The update removes the vulnerability by validating the way that the DNS client handles DNS related communications.

Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.

What does the update do?
The update removes the vulnerability by validating the way that the DNS client handles DNS related communications.

Would disabling the DNS client service or configuring the client to use a specific DNS server mitigate the vulnerability?
No. The vulnerability cannot be mitigated by disabling the DNS client service or configuring the use of a specific trusted DNS server.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Peter Winter Smith of NGS Software for reporting the Winsock Hostname Vulnerability - (CVE-2006-3440).

Mark Dowd of ISS X-Force for reporting the DNS Client Buffer Overrun Vulnerability - (CVE-2006-3441).

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (August 8, 2006): Bulletin published.

Related for SECURITYVULNS:DOC:13790