J-Security Center


Title: Microsoft NNTP Component Heap Overflow Vulnerability

Severity: CRITICAL

Description:

The Microsoft Network News Transfer Protocol (NNTP) Component allows the distribution, retrieval and posting of news articles in compliance with RFCs 977 and 2980.

The Microsoft NNTP Component could allow a remote user to execute arbitrary code in the context of the process accessing the vulnerable component.

This is due to improper bounds checking within the parser and query translator of the XPAT command in the NNTP Component. The XPAT command is used to retrieve specific headers within specified newsgroup articles based upon pattern matching on the contents of the headers. Specifically, the vulnerability exists in methods within the XPAT command that parse user-supplied ASCII values and translate them to 2-byte characters, storing them in an internal query buffer.

The NNTP service allocates this buffer at 4000 bytes and tracks the space remaining in it with a global counter that is initially set to 2000, the number of 2-byte words the buffer holds. The counter is decremented by the number of words consumed from the query, and because of the way it is decremented it is possible to step past zero so that the counter wraps to 0xFFFFFFFF or 0xFFFFFFFE, creating a controllable heap overflow.
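The counter-wrap pattern described above, modelled as an added example in C (not Microsoft's code and not the NNTP service's actual logic): a hypothetical `flawed_accept` only tests the remaining-words counter for exact zero before subtracting, so a token longer than the space left wraps the unsigned counter, while `safe_accept` compares before subtracting. The translator refuses the out-of-bounds write instead of performing it, and the sample query is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define QUERY_WORDS 2000   /* 4000-byte buffer = 2000 two-byte characters */

/* Flawed bookkeeping (hypothetical model of the bug class, not Microsoft's
 * code): the counter is only tested for exact zero before the token length
 * is subtracted, so a token longer than the space left steps past zero and
 * wraps to 0xFFFFFFFF / 0xFFFFFFFE; every later check then passes. */
static int flawed_accept(uint32_t *remaining, size_t len) {
    if (*remaining == 0) return 0;
    *remaining -= (uint32_t)len;   /* can wrap below zero */
    return 1;
}

/* Hardened bookkeeping: compare before subtracting, never after. */
static int safe_accept(uint32_t *remaining, size_t len) {
    if (len > *remaining) return 0;
    *remaining -= (uint32_t)len;
    return 1;
}

/* Widen ASCII tokens to 2-byte characters. Returns words written, or -1 when
 * the counter admitted more than the buffer holds (the write is refused here
 * instead of corrupting memory, so the demonstration stays safe). */
static long translate(const char *const *tok, size_t ntok,
                      int (*accept)(uint32_t *, size_t),
                      uint16_t *out, size_t out_words) {
    uint32_t remaining = (uint32_t)out_words;
    size_t written = 0;
    for (size_t i = 0; i < ntok; i++) {
        size_t len = strlen(tok[i]);
        if (!accept(&remaining, len)) return (long)written; /* query rejected */
        if (written + len > out_words) return -1;  /* counter said OK, buffer disagrees */
        for (size_t j = 0; j < len; j++)
            out[written++] = (uint16_t)(unsigned char)tok[i][j];
    }
    return (long)written;
}

/* Constructed sample: a 1999-char token leaves one word free, then "xyz". */
long demo(int use_flawed) {
    static char big[QUERY_WORDS];
    static uint16_t query[QUERY_WORDS];
    memset(big, 'a', QUERY_WORDS - 1);
    big[QUERY_WORDS - 1] = '\0';
    const char *tok[] = { big, "xyz" };
    return translate(tok, 2, use_flawed ? flawed_accept : safe_accept,
                     query, QUERY_WORDS);
}
```

With the hardened check the second token is rejected and 1999 words are written; with the flawed check the counter wraps to 0xFFFFFFFE and the translator detects the attempted overrun.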

This could allow the attacker to cause arbitrary code to be executed by the system. Such code would likely be executed with the privilege level of the application accessing the vulnerable component.

The NNTP Component is installed by default on Microsoft Exchange Server 2000 and 2003. It can be installed on Windows NT 4.0 Server, Windows 2000 Server, and Windows 2003 Server, but it is not present on these systems by default.

The NNTP Component may also be enabled on systems that do not use NNTP because some applications may require it to be enabled during installation.

It has been reported that the NNTP SEARCH IN command may also make the same vulnerable heap allocation call. This appears to have also been fixed by the Microsoft patch from MS04-036.

Affected Products:

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya Modular Messaging (MSS) 1.1.0
  • Avaya Modular Messaging (MSS) 2.0.0
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Exchange Server 2000
  • Microsoft Exchange Server 2000 SP1
  • Microsoft Exchange Server 2000 SP2
  • Microsoft Exchange Server 2000 SP3
  • Microsoft Exchange Server 2003
  • Microsoft Exchange Server 2003 SP1
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows NT Enterprise Server 4.0
  • Microsoft Windows NT Enterprise Server 4.0 SP1
  • Microsoft Windows NT Enterprise Server 4.0 SP2
  • Microsoft Windows NT Enterprise Server 4.0 SP3
  • Microsoft Windows NT Enterprise Server 4.0 SP4
  • Microsoft Windows NT Enterprise Server 4.0 SP5
  • Microsoft Windows NT Enterprise Server 4.0 SP6
  • Microsoft Windows NT Enterprise Server 4.0 SP6a
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
