J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1537
    posted: 11/06/09
  • NSM Daily Update #1537
    posted: 11/06/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1537
    posted: 11/06/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/06/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/05/09

Title: Microsoft Windows WINS Association Context Data Remote Memory Corruption Vulnerability

Severity: CRITICAL

Description:

The Microsoft Windows Internet Name Service (WINS) allows the mapping of NetBIOS names to IP addresses and vice-versa. WINS servers can allow users to browse for local resources on the network using computer names.

It is reported that the WINS replication protocol contains a vulnerability that when exploited will result in memory corruption. The issue exists due to a protocol design flaw that allows a remote user to specify the location of an association context structure in memory.

During WINS replication a client system may transmit a malicious packet to a WINS server. The WINS replication packet may contain the following values: The size of a chunk of memory allocated in the heap to store the packet data, a DWORD value that is required to trigger the vulnerability, and a DWORD pointer to an association context data structure. All of the aforementioned values may be controlled by an attacker.

Because the attacker may control the location of the association context data structure, this vulnerability may be exploited to corrupt process memory. This is because the contents of the data structure are employed by the WINS process as source value and location address data for memory write operations. The attacker may specify the location of an attacker-supplied structure in process memory resulting in a 16 byte write to an arbitrary attacker-specified location.

This issue could potentially be exploited remotely by a WINS client to execute arbitrary code with SYSTEM level privileges on a target WINS server. The service may be exposed via TCP/UDP port 42 by default, but the vendor has stated that other attack vectors may exist though none are known at this time.

The WINS service is not installed by default on most Microsoft Windows platforms.

** UPDATE: The WINS service is installed and enabled by default on Microsoft Small Business Server 2000/2003. However, the ports used for the service are reportedly not remotely accessible by default on Small Business Server.

Affected Products:

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Small Business Server 2000
  • Microsoft Small Business Server 2003
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 2000 Terminal Services
  • Microsoft Windows 2000 Terminal Services SP1
  • Microsoft Windows 2000 Terminal Services SP2
  • Microsoft Windows NT Enterprise Server 4.0
  • Microsoft Windows NT Enterprise Server 4.0 SP1
  • Microsoft Windows NT Enterprise Server 4.0 SP2
  • Microsoft Windows NT Enterprise Server 4.0 SP3
  • Microsoft Windows NT Enterprise Server 4.0 SP4
  • Microsoft Windows NT Enterprise Server 4.0 SP5
  • Microsoft Windows NT Enterprise Server 4.0 SP6
  • Microsoft Windows NT Enterprise Server 4.0 SP6a
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0
  • Microsoft Windows NT Terminal Server 4.0 SP1
  • Microsoft Windows NT Terminal Server 4.0 SP2
  • Microsoft Windows NT Terminal Server 4.0 SP3
  • Microsoft Windows NT Terminal Server 4.0 SP4
  • Microsoft Windows NT Terminal Server 4.0 SP5
  • Microsoft Windows NT Terminal Server 4.0 SP6
  • Microsoft Windows NT Terminal Server 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.