Title: Microsoft Windows Server Service Remote Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
The Microsoft Windows Server service shares local resources (files, printers, and named pipes) over the network and exposes an RPC interface, reachable over SMB, through which clients manage those shares.
The Server service is prone to a remote buffer-overflow vulnerability. The issue arises because the service fails to check the length of user-supplied data before copying it into a fixed-size buffer in its own process memory.
Specifically, the overflow is triggered when the service processes a malformed request on its RPC interface. A remote, unauthenticated attacker can send a request containing an oversized field to overflow the destination buffer and corrupt the service's memory. Because the interface is exposed over SMB, any host that can reach TCP port 139 or 445 on the target can attempt the attack; filtering those ports at the network perimeter limits exposure but does not protect hosts on the same network segment.
A successful attack results in arbitrary code execution with SYSTEM privileges and full compromise of the host. Failed attempts may crash the service, resulting in a denial of service.
Microsoft has reported that this issue is being exploited in the wild.
Update (August 14, 2006): A worm named 'W32.Wargbot' that exploits this issue to spread is currently in the wild.
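The flaw described above is the classic pattern of trusting a length field taken from the wire. The following C program is an added illustration written for this page; it is not code from the Windows Server service or from any of the referenced tools, and its wire format (a 2-byte little-endian length prefix followed by the payload), the 32-byte field size, and all function names are assumptions made up for the example. It places the unchecked copy beside a handler that validates the claimed length against both the bytes actually received and the destination buffer before copying anything, and it shows how the hardened handler rejects a request that claims more data than was sent as well as one whose field would not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for the illustrative field (not a real SRVSVC value). */
#define FIELD_MAX 32

/* Parse the assumed 2-byte little-endian length prefix.
 * Returns 0 if the message is too short to even hold the prefix. */
static int read_len(const uint8_t *msg, size_t msg_len, size_t *out)
{
    if (msg_len < 2)
        return 0;
    *out = (size_t)msg[0] | ((size_t)msg[1] << 8);
    return 1;
}

/* VULNERABLE pattern: the attacker-controlled length is used as the copy
 * size with no comparison against the destination or the received data.
 * Any length above FIELD_MAX writes past 'field' on the stack (undefined
 * behaviour); a length above msg_len - 2 also reads past the message. */
int handle_unchecked(const uint8_t *msg, size_t msg_len)
{
    char field[FIELD_MAX];
    size_t len;

    if (!read_len(msg, msg_len, &len))
        return -1;
    memcpy(field, msg + 2, len);   /* no bounds check: the bug */
    return (int)len;
}

/* HARDENED pattern: validate the length against what was actually received
 * and against the destination (leaving room for a terminator) before the
 * copy. Return codes: >=0 bytes copied, -1 truncated header,
 * -2 length claims more data than was sent, -3 field does not fit. */
int handle_checked(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    size_t len;

    if (!read_len(msg, msg_len, &len))
        return -1;
    if (len > msg_len - 2)
        return -2;
    if (len >= out_len)
        return -3;
    memcpy(out, msg + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed test message: 'claimed' goes into the length prefix,
 * 'payload' bytes of 'fill' are actually appended. The two may disagree on
 * purpose. Returns the total message size, or 0 if 'buf' is too small. */
size_t build_msg(uint8_t *buf, size_t buf_len, uint16_t claimed, size_t payload, char fill)
{
    if (buf_len < 2 + payload)
        return 0;
    buf[0] = (uint8_t)(claimed & 0xff);
    buf[1] = (uint8_t)(claimed >> 8);
    memset(buf + 2, (unsigned char)fill, payload);
    return 2 + payload;
}

/* Run the hardened handler on a constructed message and return its code. */
int run_checked(uint16_t claimed, size_t payload)
{
    uint8_t msg[256];
    char out[FIELD_MAX];
    size_t n = build_msg(msg, sizeof msg, claimed, payload, 'A');

    if (n == 0)
        return -99;
    return handle_checked(msg, n, out, sizeof out);
}

/* Run the vulnerable handler, but only on input that cannot overflow it;
 * -99 means the example refused to actually smash its own stack. */
int run_unchecked(uint16_t claimed, size_t payload)
{
    uint8_t msg[256];
    size_t n;

    if (payload > FIELD_MAX || claimed > payload)
        return -99;
    n = build_msg(msg, sizeof msg, claimed, payload, 'A');
    if (n == 0)
        return -99;
    return handle_unchecked(msg, n);
}

int main(void)
{
    printf("8-byte field:        checked=%d unchecked=%d\n", run_checked(8, 8), run_unchecked(8, 8));
    printf("200-byte field:      checked=%d (rejected before any copy)\n", run_checked(200, 200));
    printf("length > data sent:  checked=%d\n", run_checked(500, 8));
    return 0;
}
```

The two checks in handle_checked are independent and both are needed: comparing against msg_len stops an out-of-bounds read of whatever follows the request in memory, and comparing against out_len stops the write that the advisory describes. Checking only one of them leaves the other primitive in place.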
Affected Products:
- Avaya DefinityOne Media Servers
- Avaya IP600 Media Servers
- Avaya S3400 Message Application Server
- Avaya S8100 Media Servers
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP3
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP4
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows NT 4.0.0
- Microsoft Windows NT 4.0.0 SP1
- Microsoft Windows NT 4.0.0 SP2
- Microsoft Windows NT 4.0.0 SP3
- Microsoft Windows NT 4.0.0 SP4
- Microsoft Windows NT 4.0.0 SP5
- Microsoft Windows NT 4.0.0 SP6
- Microsoft Windows NT 4.0.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0.0
- Microsoft Windows NT Enterprise Server 4.0.0 SP1
- Microsoft Windows NT Enterprise Server 4.0.0 SP2
- Microsoft Windows NT Enterprise Server 4.0.0 SP3
- Microsoft Windows NT Enterprise Server 4.0.0 SP4
- Microsoft Windows NT Enterprise Server 4.0.0 SP5
- Microsoft Windows NT Enterprise Server 4.0.0 SP6
- Microsoft Windows NT Enterprise Server 4.0.0 SP6a
- Microsoft Windows NT Server 4.0.0
- Microsoft Windows NT Server 4.0.0 SP1
- Microsoft Windows NT Server 4.0.0 SP2
- Microsoft Windows NT Server 4.0.0 SP3
- Microsoft Windows NT Server 4.0.0 SP4
- Microsoft Windows NT Server 4.0.0 SP5
- Microsoft Windows NT Server 4.0.0 SP6
- Microsoft Windows NT Server 4.0.0 SP6a
- Microsoft Windows NT Terminal Server 4.0.0
- Microsoft Windows NT Terminal Server 4.0.0 SP1
- Microsoft Windows NT Terminal Server 4.0.0 SP2
- Microsoft Windows NT Terminal Server 4.0.0 SP3
- Microsoft Windows NT Terminal Server 4.0.0 SP4
- Microsoft Windows NT Terminal Server 4.0.0 SP5
- Microsoft Windows NT Terminal Server 4.0.0 SP6
- Microsoft Windows NT Terminal Server 4.0.0 SP6a
- Microsoft Windows NT Workstation 4.0.0
- Microsoft Windows NT Workstation 4.0.0 SP1
- Microsoft Windows NT Workstation 4.0.0 SP2
- Microsoft Windows NT Workstation 4.0.0 SP3
- Microsoft Windows NT Workstation 4.0.0 SP4
- Microsoft Windows NT Workstation 4.0.0 SP5
- Microsoft Windows NT Workstation 4.0.0 SP6
- Microsoft Windows NT Workstation 4.0.0 SP6a
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Datacenter Edition Itanium
- Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
- Microsoft Windows Server 2003 Datacenter Edition SP1
- Microsoft Windows Server 2003 Datacenter x64 Edition
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Enterprise Edition Itanium
- Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
- Microsoft Windows Server 2003 Enterprise Edition SP1
- Microsoft Windows Server 2003 Enterprise x64 Edition
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Standard Edition SP1
- Microsoft Windows Server 2003 Standard x64 Edition
- Microsoft Windows Server 2003 Web Edition
- Microsoft Windows Server 2003 Web Edition SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home SP2
- Microsoft Windows XP Media Center Edition
- Microsoft Windows XP Media Center Edition SP1
- Microsoft Windows XP Media Center Edition SP2
- Microsoft Windows XP Professional
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional SP2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows XP Tablet PC Edition
- Microsoft Windows XP Tablet PC Edition SP1
- Microsoft Windows XP Tablet PC Edition SP2
References:
- SANS: MS06-040 exploit in the wild
- CNet News: Microsoft fixes faulty security patch
- Cisco: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer
- SANS: Handler's Diary August 31st 2006
- Microsoft: Microsoft Security Bulletin MS06-040
- Microsoft: Microsoft Security Bulletin MS06-040 Updated
- Microsoft: Microsoft Security Bulletin MS06-040 Updated Aug 17
- MSRCTEAM: Monday Update on Graweg
- Immunity: Proof of concept for MS06-040 vulnerability
- eEye: Retina MS06-040 NetApi32 Scanner
- US-CERT: Vulnerability Note VU#650769 - Microsoft Windows Server service buffer overflow
- Symantec: W32.Wargbot
- Jerome Athias <jerome.athias@free.fr>: [framework] MS06-040 : tests OK
