Vulnerability Alert

Microsoft Windows Routing and Remote Access Memory Corruption Vulnerability

Threat Type: CWE-119: Buffer Errors
IntelliShield ID: 11104
Version: 6
First Published: 2006 June 13 19:46 GMT
Last Published: 2006 June 29 19:13 GMT
Port: 135, 137, 138, 139, 445, 593
CVE: CVE-2006-2370
BugTraq ID: 18325
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage

Version Summary: Microsoft has re-released MS06-025 with updated patches to address the issue some users may be experiencing when using dial-up connections that use a terminal window or dial-up scripting.
 
 
Description

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

This vulnerability exists due to an unchecked buffer in the Routing and Remote Access service.  A remote attacker could exploit this vulnerability by sending a large, crafted message to a listening RPC port on an affected host.  An exploit may trigger a buffer overflow, potentially allowing the attacker to execute arbitrary code with Local System privileges.

Exploit code is available.

Microsoft confirmed this vulnerability in a security advisory and released software updates that correct it.

 
Warning Indicators

Systems running the following software are vulnerable:

  • Microsoft Windows 2000 SP4 or prior
  • Microsoft Windows XP SP2 or prior
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 SP1 or prior
  • Microsoft Windows Server 2003 for Itanium-based Systems SP1 or prior
  • Microsoft Windows Server 2003 x64 Edition
 
IntelliShield Analysis

To exploit this vulnerability, an attacker requires network access on any of several TCP or UDP ports typically blocked at network perimeters.  Additionally, attackers require user credentials on Windows XP SP2 and Windows Server 2003 to successfully connect and send messages to the Routing and Remote Access service.

Another possible exploit vector involves malicious software sent through e-mail or other messaging.  An exploit via this vector could allow the malicious software root access, even when executed by a user with limited privileges.  In this case, however, the attacker requires user interaction for successful exploitation.

The update available from Microsoft corrects this vulnerability by adding checks that validate RPC requests to the Routing and Remote Access service.

Customers installing this update are experiencing some problems as detailed in knowledge base article 911280.  An issue has been confirmed by Microsoft that involves dial-up connections that use a terminal window or dial-up scripting.  If dial-up scripting is used in a connection, the connection may fail to respond.  This is likely to affect direct-dial connections to a corporate network, a university network, or to certain ISPs. 

Administrators are advised to install the updated patches to resolve the issues users may be experiencing as detailed in knowledge base article 911280.

 
Vendor Announcements

Microsoft has re-released a security bulletin at the following link: MS06-025

Avaya has released a security advisory at the following link: ASA-2006-126

US-CERT has released a vulnerability note, a cyber security alert, and a technical cyber security alert at the following links: VU#631516, SA06-164A and TA06-164A

 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges.

 
Technical Information

This vulnerability exists due to an unchecked buffer in the Routing and Remote Access service. By sending a large, crafted RPC request to a vulnerable system, an attacker can cause a buffer overflow that may allow for the execution of arbitrary code. Any code execution runs with the privileges of the Routing and Remote Access service, which is Local System in most cases.
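As an added illustration (not Microsoft's code and not the real RRAS RPC wire format), the C snippet below shows the kind of request validation the update is described as adding: a handler that checks a sender-declared length against both the fixed buffer and the bytes actually received before copying anything. The message layout, MAX_PAYLOAD and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified request layout for illustration only (NOT the real RRAS
 * RPC format): a header with a sender-chosen payload length, then the payload. */
#define MAX_PAYLOAD 256

struct msg_hdr {
    uint32_t opnum;   /* requested operation, unused here */
    uint32_t len;     /* declared payload length, chosen by the sender */
};

enum { HANDLE_OK = 0, HANDLE_ERR_TRUNCATED = -1, HANDLE_ERR_TOO_LONG = -2 };
/* Hardened handler: every check runs before any byte is copied. The unchecked
 * pattern copies hdr.len bytes straight into payload[], overflowing it past 256. */
int handle_checked(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t payload[MAX_PAYLOAD];
    struct msg_hdr hdr;
    if (pkt_len < sizeof hdr)
        return HANDLE_ERR_TRUNCATED;             /* header itself incomplete */
    memcpy(&hdr, pkt, sizeof hdr);               /* no unaligned pointer cast */
    if (hdr.len > MAX_PAYLOAD)
        return HANDLE_ERR_TOO_LONG;              /* would overflow payload[] */
    if (hdr.len > pkt_len - sizeof hdr)
        return HANDLE_ERR_TRUNCATED;             /* would read past the packet */
    memcpy(payload, pkt + sizeof hdr, hdr.len);  /* now within both bounds */
    return HANDLE_OK;
}

/* Constructed request: header declaring declared_len, then body_len filler bytes. */
size_t build_msg(uint8_t *out, size_t cap, uint32_t declared_len, size_t body_len)
{
    struct msg_hdr hdr = { 1, declared_len };
    if (cap < sizeof hdr || body_len > cap - sizeof hdr)
        return 0;                                /* does not fit in out[] */
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, 'A', body_len);
    return sizeof hdr + body_len;
}

/* Builds a request with the given lengths and returns the handler's verdict. */
int check_request(uint32_t declared_len, size_t body_len)
{
    uint8_t pkt[600];
    size_t n = build_msg(pkt, sizeof pkt, declared_len, body_len);
    return n ? handle_checked(pkt, n) : HANDLE_ERR_TRUNCATED;
}
```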

 
Safeguards

Administrators are advised to apply the applicable software updates.

Administrators are advised to block the following TCP and UDP ports at the network boundary and on host-based firewalls: TCP ports 135, 139, 445, 593; UDP ports 135, 137, 138, and 445; and all ports above 1024.

Administrators may consider disabling the Routing and Remote Access service if not necessary.

 
Patches/Software

Microsoft has released patches at the following links:


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name                                                   | Release | Latest Release Date
1128/0       | Microsoft RRAS Service Overflow                                  | S644    | 2012 Apr 30
3327/10      | Windows RPC DCOM Overflow                                        | S427    | 2009 Aug 26
3327/13      | Windows RPC DCOM Overflow                                        | S555    | 2011 Mar 29
5776/0       | Routing and Remote Access Service Code Execution                 | S554    | 2011 Mar 21
5776/1       | Routing and Remote Access Service Code Execution                 | S554    | 2011 Mar 21
5776/2       | Routing and Remote Access Service Code Execution                 | S554    | 2011 Mar 21
5776/3       | Routing and Remote Access Service Code Execution                 | S554    | 2011 Mar 21
5776/4       | Routing and Remote Access Service Code Execution                 | S554    | 2011 Mar 21
5776/5       | Routing and Remote Access Service Code Execution                 | S644    | 2012 Apr 30
5794/0       | Routing and Remote Access Service RASMAN Registry Stack Overflow | S553    | 2011 Mar 16
5794/1       | Routing and Remote Access Service RASMAN Registry Stack Overflow | S553    | 2011 Mar 16
5794/2       | Routing and Remote Access Service RASMAN Registry Stack Overflow | S553    | 2011 Mar 16
 
Alert History
 

Version 5, June 22, 2006, 12:14 PM: Exploit code has been released as part of the Metasploit Framework for the routing and remote access memory corruption vulnerability in Microsoft Windows.

Version 4, June 21, 2006, 6:52 AM: Microsoft has re-released MS06-025 to address an issue some users may be experiencing when utilizing dial-up connections that use a terminal window or dial-up scripting.

Version 3, June 15, 2006, 12:52 PM: Avaya has released a security advisory to address the Microsoft Windows routing and remote access memory corruption vulnerability.

Version 2, June 15, 2006, 7:30 AM: US-CERT has released a vulnerability note, a cyber security alert, and a technical cyber security alert to address the Microsoft Windows routing and remote access memory corruption vulnerability.

Version 1, June 13, 2006, 3:46 PM: Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.  Patches are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc.: Windows 2000 Advanced Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc.: Windows Server 2003 Datacenter Edition Base, SP1 | Datacenter Edition, 64-bit (Itanium) Base, SP1 | Datacenter Edition x64 (AMD/EM64T) Base | Enterprise Edition Base, SP1 | Enterprise Edition, 64-bit (Itanium) Base, SP1 | Enterprise Edition x64 (AMD/EM64T) Base | Standard Edition Base, SP1 | Standard Edition, 64-bit (Itanium) Base, SP1 | Standard Edition x64 (AMD/EM64T) Base | Web Edition Base, SP1
Microsoft, Inc.: Windows XP Home Edition Base, SP1, SP2 | Professional Edition Base, SP1, SP2 | Professional Edition, 64-bit (Itanium) Base, 2003 (Itanium 2), SP1 | Professional x64 (AMD/EM64T) Base

Associated Products:
Avaya, Inc.: Definity ONE Communications System 10.0 Base
Avaya, Inc.: IP600 Internet Protocol Communications Server Original Release Base
Avaya, Inc.: Modular Messaging 1.0 Base | 1.1 Base | 2.0 Base, .1, SP1, SP2, SP3, SP4 | 3.0 Base
Avaya, Inc.: S3400 1.0 Base | 1.1 Base
Avaya, Inc.: S8100 Media Server 1.2 Base | 1.3 Base, .1 | 2.0 Base, .1
Avaya, Inc.: Unified Communication Center (UCC) 1.0 Base | 1.1 Base | 1.2 Base | 2.0 Base




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.