Computer Emergency Response Team - Industrie Services et Tertiaire
Vulnerability in the "Server" service on Microsoft Windows (MS08-067)

Reference: CERT-IST/AV-2008.460
Version: 2.1
Version date: 27 October 2008

Vulnerability Classification

Risk: Very high
Impact: Take control
Vulnerability category: Buffer overflow
Confidence: Vendor-acknowledged
Attack expertise: Skilled
Attack requirements: Remote (no account) over a standard service

System Information

Affected Platform(s):
  • Windows 2000 SP4
  • Windows XP SP2 and SP3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition SP2
  • Windows Server 2003 SP1 and Windows Server 2003 SP2
  • Windows Server 2003 SP1 (Itanium) and Windows Server 2003 SP2 (Itanium)
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2
  • Windows Vista and Windows Vista SP1
  • Windows Vista X64 Edition and Windows Vista X64 Edition SP1
  • Windows Server 2008 for 32-bit, 64-bit and Itanium systems
Affected Software(s):
  • "Server" service (netapi32.dll)

Description

Publication context:
[Version 2.0]: This advisory was re-issued on October 24, 2008 following the release of the CERT-IST/DG-2008.009 potential-danger alert and the increase of the risk level (from High to Very high). Workarounds and detection signatures have also been added.
Problem description:
A vulnerability has been discovered in the handling of RPC requests by the "Server" service on Microsoft Windows systems. It allows a malicious remote person to take full control of a vulnerable system.

Note:
  • According to Microsoft, this vulnerability is already being exploited in targeted attacks on the Internet.
  • On Windows Vista and Windows Server 2008, successful exploitation of this vulnerability requires the attacker to be authenticated.
Technical context:
The "Server" service provides RPC ("Remote Procedure Call") support, file and print sharing (through SMB - "Server Message Block") and named pipe sharing over the network.

Windows services that use MS RPC may use SMB named pipes as the transport for MS RPC calls.
Technical information:
The vulnerability is due to a buffer overflow during the handling of RPC requests by the "Server" service (netapi32.dll). It allows a remote attacker, by sending a specially crafted RPC request, to execute arbitrary code with SYSTEM privileges.

Solution

01 - Apply the Microsoft patches (KB958644) regarding the Windows "Server" service vulnerability

    Patches are available for the various impacted platforms.

    See the Microsoft security bulletin MS08-067 to get the appropriate patch.

    The patches described in this Microsoft security bulletin replace the ones described in the MS06-040 bulletin (see the CERT-IST/AV-2006.315 advisory).

02 - Recommendations to mitigate the "Server" service vulnerability

  • Filter the TCP ports 139 and 445 on network devices located in the LAN boundary and/or near the vulnerable Microsoft Windows systems.

  • Keep the anti-virus software updated.

  • Note: A workaround is to disable the "Server" service on vulnerable systems. However, this solution has significant side effects. For example:

    • you will be unable to share local resources (folders or printers),
    • the system can no longer be managed remotely with the usual Microsoft tools.
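The following script is an added example, not part of the CERT-IST advisory, that lets an administrator check the remediation state described in sections 01 and 02 on a single host: whether the MS08-067 update (KB958644, the number given in the advisory) is recorded as installed, whether the "Server" service is running, and whether TCP 139/445 are listening. It assumes PowerShell 2.0 or later (so it does not apply to Windows 2000), that the update is registered in the QuickFixEngineering store that Get-HotFix reads, and that the host-level netsh firewall rule shown in the trailing comment (a host-based variant of the network filtering the advisory recommends) is run on Windows Vista or later.

```powershell
# Added example: local MS08-067 remediation check (not CERT-IST or Microsoft code).
# Assumes PowerShell 2.0+; KB958644 is the update number from the advisory.

function Test-MS08067PatchInstalled {
    # Get-HotFix reads Win32_QuickFixEngineering; an absent entry is a strong
    # indication, not proof, that the update is missing (e.g. slipstreamed media).
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Get-ServerServiceState {
    # The "Server" service's internal name is LanmanServer.
    $svc = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'absent' }
    return $svc.Status.ToString()
}

function Get-SmbListeners {
    # Parse netstat rather than Get-NetTCPConnection so the check also works on
    # XP / Server 2003, which are in the advisory's affected-platform list.
    $lines = netstat -an -p TCP | Where-Object { $_ -match 'LISTENING' }
    $found = @()
    foreach ($line in $lines) {
        if ($line -match ':(139|445)\s') { $found += $line.Trim() }
    }
    return $found
}

$patched   = Test-MS08067PatchInstalled
$svcState  = Get-ServerServiceState
$listeners = Get-SmbListeners

"Host: $env:COMPUTERNAME"
"KB958644 present:              $patched"
"Server service (LanmanServer): $svcState"
"SMB listeners (TCP 139/445):"
if ($listeners.Count -eq 0) { "  none" } else { $listeners | ForEach-Object { "  $_" } }

if (-not $patched -and $svcState -eq 'Running' -and $listeners.Count -gt 0) {
    Write-Warning ("Unpatched host exposing the Server service over SMB: apply the " +
                   "MS08-067 update or filter TCP 139/445 (advisory section 02).")
}

# Host-level variant of the port filtering in section 02 (Vista / Server 2008+ only;
# the advisory itself recommends filtering on network devices at the LAN boundary):
#   netsh advfirewall firewall add rule name="Block inbound SMB (MS08-067 mitigation)" dir=in action=block protocol=TCP localport=139,445
```

The warning condition deliberately requires all three facts (no update, service running, SMB port listening): a host with the "Server" service stopped is already covered by the workaround in section 02, and a host where SMB is not listening is not reachable through the attack path the advisory describes, so neither is reported as exposed.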

03 - Tools and signatures to detect the flaw and its exploitation

    The following signatures make it possible to detect exploitation of this vulnerability (non-exhaustive list).

Standard vulnerability IDs

Additional Resources

History

Version   Comment                                                      Date
2.1       Nessus plugin (#34476)                                       27 October 2008
2.0       Risk level increase and addition of the temporary solutions  24 October 2008
1.0       Advisory creation                                            23 October 2008

Copyright © 1999-2005 Cert-IST. All rights reserved