ESB-2010.0759.2 - UPDATE [Win] Microsoft Windows: Execute arbitrary code/commands - Remote/unauthenticated

Date: 06 September 2010
References: ASB-2012.0029  
Related Files: ESB-2010.0759  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2010.0759.2
        Insecure Library Loading Could Allow Remote Code Execution
                             6 September 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   http://www.microsoft.com/technet/security/advisory/2269637.mspx

Comment: Microsoft has now released a tool that allows system administrators 
         to mitigate the risk of this new attack vector by altering the library 
         loading behavior system-wide or for specific applications. A number of 
         workarounds have also been provided to help mitigate the risk of this 
         vulnerability.

Revision History:  September  6 2010: Added details regarding Microsoft 
                                      Knowledge Base Article 2264107 to provide 
                                      an automated Microsoft Fix it solution 
                                      for the workaround, Disable loading of 
                                      libraries from WebDAV and remote network 
                                      shares.
                   August    24 2010: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
Published: August 23, 2010
Version: 1.0

General Information

Executive Summary

Microsoft is aware that research has been published detailing a remote attack 
vector for a class of vulnerabilities that affects how applications load 
external libraries.

This issue is caused by specific insecure programming practices that allow 
so-called "binary planting" or "DLL preloading attacks". These practices could 
allow an attacker to remotely execute arbitrary code in the context of the user 
running the vulnerable application when the user opens a file from an untrusted 
location.

This issue is caused by applications passing an insufficiently qualified path 
when loading an external library. Microsoft has issued guidance to developers 
in the MSDN article, Dynamic-Link Library Security, on how to correctly use 
the available application programming interfaces to prevent this class of 
vulnerability. Microsoft is also actively reaching out to third-party vendors 
through the Microsoft Vulnerability Research Program to inform them of the 
mitigations available in the operating system. Microsoft is also actively 
investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system 
administrators to mitigate the risk of this new attack vector by altering the 
library loading behavior system-wide or for specific applications. This 
advisory describes the functionality of this tool and other actions that 
customers can take to help protect their systems.

Mitigating Factors:

 * This issue only affects applications that do not load external libraries 
 securely. Microsoft has previously published guidelines for developers in the 
 MSDN article, Dynamic-Link Library Security, that recommend alternate methods 
 to load libraries that are safe against these attacks.

 * For an attack to be successful, a user must visit an untrusted remote file 
 system location or WebDAV share and open a document from this location that 
 is then loaded by a vulnerable application.

 * The file sharing protocol SMB is often disabled on the perimeter firewall. 
 This limits the possible attack vectors for this vulnerability.



Affected and Non-Affected Software

 Microsoft is investigating whether any of its own applications are affected 
 by insecure library loading vulnerabilities and will take appropriate action 
 to protect its customers.


Workarounds

 A workaround is a setting or configuration change that does not correct 
 the underlying issue but helps block known attack vectors before a 
 security update is available. Microsoft has tested the following workarounds 
 and states in the discussion whether a workaround reduces functionality:


 Disable loading of libraries from WebDAV and remote network shares

   Note This workaround requires installation of the tool described in 
   Microsoft Knowledge Base Article 2264107.

   Microsoft has released a tool which allows customers to disable the loading 
   of libraries from remote network or WebDAV shares. This tool can be 
   configured to disallow insecure loading on a per-application or a global 
   system basis.

   Customers who are informed by their vendor of an application being 
   vulnerable can use this tool to help protect against attempts to exploit 
   this issue.

   Note See Microsoft Knowledge Base Article 2264107 to use the automated 
   Microsoft Fix it solution to deploy the registry key to block loading of 
   libraries for SMB and WebDAV shares. Note that this Fix it solution does 
   require you to install the workaround tool also described in Microsoft 
   Knowledge Base Article 2264107 first. This Fix it solution only deploys the 
   registry key and requires the workaround tool in order to be effective. We 
   recommend that administrators review the KB article closely prior to 
   deploying this Fix it solution.

 Disable the WebClient service

   Disabling the WebClient service helps protect affected systems from 
   attempts to exploit this vulnerability by blocking the most likely remote 
   attack vector through the Web Distributed Authoring and Versioning (WebDAV) 
   client service. After applying this workaround it is still possible for 
   remote attackers who successfully exploit this vulnerability to cause 
   Microsoft Office Outlook to run programs located on the targeted user's 
   computer or the Local Area Network (LAN), but users will be prompted for 
   confirmation before opening arbitrary programs from the Internet.

   To disable the WebClient Service, follow these steps:

   1. Click Start, click Run, type Services.msc and then click OK.

   2. Right-click WebClient service and select Properties.

   3. Change the Startup type to Disabled. If the service is running, click 
      Stop.

   4. Click OK and exit the management application.

   Impact of workaround. When the WebClient service is disabled, Web 
   Distributed Authoring and Versioning (WebDAV) requests are not transmitted. 
   In addition, any services that explicitly depend on the Web Client service 
   will not start, and an error message will be logged in the System log. For 
   example, WebDAV shares will be inaccessible from the client computer.

   How to undo the workaround.

   To re-enable the WebClient Service, follow these steps:

   1. Click Start, click Run, type Services.msc and then click OK.

   2. Right-click WebClient service and select Properties.

   3. Change the Startup type to Automatic. If the service is not running, 
      click Start.

   4. Click OK and exit the management application.

 
 Block TCP ports 139 and 445 at the firewall

   These ports are used to initiate a connection with the affected component. 
   Blocking TCP ports 139 and 445 at the firewall will help protect systems 
   that are behind that firewall from attempts to exploit this vulnerability. 
   Microsoft recommends that you block all unsolicited inbound communication 
   from the Internet to help prevent attacks that may use other ports. For 
   more information about ports, see the TechNet article, TCP and UDP Port 
   Assignments.

   Impact of workaround. Several Windows services use the affected ports. 
   Blocking connectivity to the ports may cause various applications or 
   services to not function. Some of the applications or services that could 
   be impacted are listed below:

    Applications that use SMB (CIFS)
    Applications that use mailslots or named pipes (RPC over SMB)
    Server (File and Print Sharing)
    Group Policy
    Net Logon
    Distributed File System (DFS)
    Terminal Server Licensing
    Print Spooler
    Computer Browser
    Remote Procedure Call Locator
    Fax Service
    Indexing Service
    Performance Logs and Alerts
    Systems Management Server
    License Logging Service

   How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. 
   For more information about ports, see TCP and UDP Port Assignments.
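As an added example that is not part of the Microsoft advisory or the AusCERT bulletin, the following PowerShell script audits, applies and undoes the two manual workarounds above (disabling the WebClient service and blocking inbound TCP 139 and 445) on a single Windows host. It assumes an elevated session and the NetSecurity module (Get-NetFirewallRule, Get-NetFirewallPortFilter, New-NetFirewallRule and Remove-NetFirewallRule, shipped with Windows 8 / Server 2012 and later), and it applies the port block at the host firewall rather than at the perimeter firewall the advisory refers to. The function names and the firewall rule display names are the script's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or AusCERT's code): audit/apply/undo the
# WebClient and TCP 139/445 workarounds from Microsoft Security Advisory 2269637.

# Rule names are this script's own convention, used so Undo can find them again.
$script:WorkaroundRuleNames = @{
    139 = 'Block inbound TCP 139 (advisory 2269637 workaround)'
    445 = 'Block inbound TCP 445 (advisory 2269637 workaround)'
}

function Get-DllPreloadWorkaroundState {
    # Report whether each workaround is in place on this host.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $webClientDisabled = $false
    if ($null -ne $svc) {
        # Win32_Service exposes the startup type ("Disabled", "Manual", "Auto").
        $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
        $webClientDisabled = ($startMode -eq 'Disabled') -and ($svc.Status -ne 'Running')
    }

    # Collect enabled inbound block rules once, then check each port against them.
    # Note: port ranges such as "135-139" are not expanded here; only exact
    # matches and "Any" count.
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    $portBlocked = @{}
    foreach ($port in 139, 445) {
        $portBlocked[$port] = $false
        foreach ($rule in $blockRules) {
            $filter = $rule | Get-NetFirewallPortFilter
            if ($filter.Protocol -eq 'TCP' -and
                (($filter.LocalPort -contains "$port") -or ($filter.LocalPort -contains 'Any'))) {
                $portBlocked[$port] = $true
                break
            }
        }
    }

    [PSCustomObject]@{
        WebClientDisabled = $webClientDisabled
        Tcp139Blocked     = $portBlocked[139]
        Tcp445Blocked     = $portBlocked[445]
    }
}

function Enable-DllPreloadWorkarounds {
    # Apply both workarounds. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Workaround: disable the WebClient (WebDAV) service, the most likely remote vector.
    if ($PSCmdlet.ShouldProcess('WebClient', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
    }

    # Workaround: block inbound TCP 139 and 445 at the host firewall.
    foreach ($port in 139, 445) {
        $name = $script:WorkaroundRuleNames[$port]
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        if ($PSCmdlet.ShouldProcess($name, 'Create firewall rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

function Disable-DllPreloadWorkarounds {
    # Undo: restore the service as the advisory describes and remove our rules.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('WebClient', 'Set startup type to Automatic and start service')) {
        Set-Service -Name WebClient -StartupType Automatic
        Start-Service -Name WebClient -ErrorAction SilentlyContinue
    }
    foreach ($name in $script:WorkaroundRuleNames.Values) {
        if ($PSCmdlet.ShouldProcess($name, 'Remove firewall rule')) {
            Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        }
    }
}

# Usage: audit first, apply with a preview, then re-audit.
Get-DllPreloadWorkaroundState
Enable-DllPreloadWorkarounds -WhatIf
Enable-DllPreloadWorkarounds
Get-DllPreloadWorkaroundState
```

The audit function is the part worth keeping in a fleet check: it returns a single object per host, so the same three booleans can be collected over Invoke-Command from many machines and compared against the impact list above before the block rules are pushed out. Remember that blocking 139/445 on a host that is itself a file or print server, a domain controller, or a Group Policy client will break the services listed in the advisory, which is why the apply function supports -WhatIf.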

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMhDLN/iFOrG6YcBERApbbAJ4ygoaXP+zH9OfO3Jd46aVCwHHBQACgigW7
jlts4kace3V8+CDCcKQaCOw=
=J2qG
-----END PGP SIGNATURE-----