Microsoft Windows Routing and Remote Access Memory Corruption Vulnerability
CWE-119: Buffer Errors
2006 June 13 19:46 GMT
2012 July 14 22:39 GMT
135, 137, 138, 139, 445, 593
Microsoft has re-released MS06-025 with updated patches to address the issue some users may be experiencing when using dial-up connections that use a terminal window or dial-up scripting.
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.
This vulnerability exists due to an unchecked buffer in the Routing and Remote Access service. A remote attacker could exploit this vulnerability by sending a large, crafted message to a listening RPC port on an affected host. An exploit may trigger a buffer overflow, potentially allowing the attacker to execute arbitrary code with Local System privileges.
Exploit code is available.
Microsoft confirmed this vulnerability in a security advisory and released software updates that correct it.
Systems running the following software are vulnerable:
Microsoft Windows 2000 SP4 or prior
Microsoft Windows XP SP2 or prior
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 SP1 or prior
Microsoft Windows Server 2003 for Itanium-based Systems SP1 or prior
Microsoft Windows Server 2003 x64 Edition
To exploit this vulnerability, an attacker requires network access on any of several TCP or UDP ports typically blocked at network perimeters. Additionally, attackers require user credentials on Windows XP SP2 and Windows Server 2003 to successfully connect and send messages to the Routing and Remote Access service.
Another possible exploit vector involves malicious software sent through e-mail or other messaging. An exploit via this vector could allow the malicious software root access, even when executed by a user with limited privileges. In this case, however, the attacker requires user interaction for successful exploitation.
The update available from Microsoft corrects this vulnerability by adding checks that validate RPC requests to the Routing and Remote Access service.
Customers installing this update are experiencing some problems as detailed in knowledge base article 911280. An issue has been confirmed by Microsoft that involves dial-up connections that use a terminal window or dial-up scripting. If dial-up scripting is used in a connection, the connection may fail to respond. This is likely to affect direct-dial connections to a corporate network, a university network, or to certain ISPs.
Administrators are advised to install the updated patches to resolve the issues users may be experiencing as detailed in knowledge base article 911280.
Microsoft has re-released a security bulletin at the following link: MS06-025
Avaya has released a security advisory at the following link: ASA-2006-126
US-CERT has released a vulnerability note, a cyber security alert, and a technical cyber security alert at the following links: VU#631516, SA06-164A and TA06-164A
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges.
This vulnerability exists due to an unchecked buffer in the Routing and Remote Access service. By sending a large, crafted RPC request to a vulnerable system, an attacker can cause a buffer overflow that may allow for the execution of arbitrary code. Any code execution runs with privileges of the Routing and Remote Access Service, which is Local System in most cases.
Administrators are advised to apply the applicable software updates.
Administrators are advised to block the following TCP and UDP ports at the network boundary and on host-based firewalls: TCP ports 135, 139, 445, 593; UDP ports 135, 137, 138, and 445; and all ports above 1024.
Administrators may consider disabling the Routing and Remote Access service if not necessary.
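A host-side check for the port guidance above, added here as an example and not part of the original alert: it parses Windows `netstat -an` output and reports non-loopback listeners on the ports the alert says to block. The sample output and the function name `exposed_listeners` are constructed for illustration.

```python
import re

# Ports the alert says to block, by protocol.
ADVISORY_PORTS = {"TCP": {135, 139, 445, 593}, "UDP": {135, 137, 138, 445}}
HIGH_PORT_FLOOR = 1024  # the alert also lists "all ports above 1024"
LOOPBACK = ("127.", "[::1]")

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.10.5:139       0.0.0.0:0              LISTENING
  TCP    192.168.10.5:3389      192.168.10.20:50211    ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.10.5:137       *:*
  UDP    192.168.10.5:138       *:*
  UDP    0.0.0.0:500            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def exposed_listeners(netstat_text):
    """Return (proto, address, port, reason) for each reachable listener
    on a port covered by the alert's blocking guidance."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        # UDP rows carry no state; for TCP only LISTENING sockets accept connections.
        if proto == "TCP" and state != "LISTENING":
            continue
        if addr.startswith(LOOPBACK):
            continue  # not reachable from the network
        if port in ADVISORY_PORTS[proto]:
            findings.append((proto, addr, port, "named in alert"))
        elif port > HIGH_PORT_FLOOR:
            findings.append((proto, addr, port, "above 1024"))
    return findings


if __name__ == "__main__":
    for finding in exposed_listeners(SAMPLE_NETSTAT):
        print(*finding)
```

Each reported row is a listener that the boundary or host firewall rules should cover; the "above 1024" rows are broad by design and need review against the services the host is meant to offer.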
Microsoft has released patches at the following links:
Version 5, June 22, 2006, 12:14 PM: Exploit code has been released as part of the Metasploit Framework for the routing and remote access memory corruption vulnerability in Microsoft Windows.
Version 4, June 21, 2006, 6:52 AM: Microsoft has re-released MS06-025 to address an issue some users may be experiencing when utilizing dial-up connections that use a terminal window or dial-up scripting.
Version 3, June 15, 2006, 12:52 PM: Avaya has released a security advisory to address the Microsoft Windows routing and remote access memory corruption vulnerability.
Version 2, June 15, 2006, 7:30 AM: US-CERT has released a vulnerability note, a cyber security alert, and a technical cyber security alert to address the Microsoft Windows routing and remote access memory corruption vulnerability.
Version 1, June 13, 2006, 3:46 PM: Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges. Patches are available.
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.