Microsoft Windows ASN.1 Buffer Overflow Vulnerability
Unintended Weakness: Buffer Overflow
2004 February 10 21:33 GMT
2004 February 15 15:03 GMT
Exploit code affecting Windows 2000 Professional and Windows XP has been released to the public. The released code targets the lsass.exe service and results in a denial of service condition.
Microsoft Windows NT, 2000, XP and 2003 contain a vulnerability in the msasn1.dll library that can allow a remote attacker to trigger a buffer overflow on the affected system and overwrite heap memory space. An attacker can exploit the vulnerability in multiple ways to execute arbitrary code on the system with System privileges.
The vulnerability is due to improper bounds checking of overly large payloads in the heap allocation routine. An attacker could exploit the vulnerability by sending a large data payload or an overly long bit string. Either method of exploitation can result in the overwriting of allocated kernel memory space, allowing the execution of arbitrary code.
The Windows operating systems use the msasn1.dll file in most types of authentication.
Patches are available.
Exploit code is publicly available.
Systems running Windows NT, 2000, XP and 2003 are vulnerable.
Evidence of exploit attempts may appear in system security logs or the IIS logs of SSL-secured sites.
Administrators should apply the available patches as soon as possible, as this vulnerability can be exploited through many different vectors. The vulnerability cannot be mitigated because shutting down the affected services essentially renders the system inoperable. Any subsystem that uses the Microsoft crypt32.dll library, and thereby the msasn1.dll library, is susceptible.
Threat: Moderate - There is currently no obvious threat publicly available. However, TruSecure believes that critical network security infrastructure components must be patched immediately in order to ensure the trust placed in them.
Vulnerability Prevalence: High - Microsoft Security Bulletin MS04-007 addresses two exploit possibilities for a critical vulnerability in all Microsoft platforms that, if exploited, can result in total system compromise. The most significant aspect of the vulnerabilities is that they exist in critical network security infrastructure components, such as authentication, encryption, and certificate handling.
Cost: High - Exploitation of this vulnerability can allow the execution of arbitrary code with System privileges. Systems storing sensitive information, such as financial or customer-related data, could be severely impacted.
Exploits are likely to be attempted by a small group of professional attackers who may gain access to exploit code. Attacks are likely to target high-profile sites, such as banks and other financial institutions. If exploit code becomes publicly available, malicious code and attack tools are likely to surface that enable low-level attackers to attempt exploits.
Exploit code has been released to the public. The code is effective against Windows 2000 Professional and Windows XP SP 1 and results in a DoS condition. While the current code only results in a DoS condition, it is probable that the code will be modified by others to execute arbitrary code.
Microsoft has released a security bulletin at the following link: MS04-007. Microsoft has released a knowledge base article at the following link: 252648
US-CERT has released a technical cyber security alert at the following link: TA04-041A
A remote attacker could exploit the vulnerability to execute arbitrary code on the affected system with System privileges.
The Microsoft msasn1.dll file is susceptible to multiple integer overflows that can result in the allocation of zero-byte memory blocks, allowing the overwriting of system heap space.
The length overflow exploit focuses on the length field of the encoded data. The ASN1BERDecCheck() function verifies that (pointer_to_start_of_data + reported_length_of_data), computed as an unsigned value, is less than or equal to (pointer_to_start_of_BER_block + total_size_of_BER_block). The system then calls ASN1BERDecLength() and attempts to allocate memory and make a copy of the data through DecMemAlloc(). This function rounds the length up to a DWORD multiple and attempts to allocate the result. If DecMemAlloc() succeeds, the calling function copies the value data with memcpy() into the allocated heap buffer, using the original decoded length of the value as the byte count. By supplying an overly large length to the ASN1BERDecCheck() function, an attacker can cause the pointer sum to wrap around the 32-bit address space, so that the check passes on a data length that is valid to the check but incorrect. memcpy() then copies the data past the end of the heap buffer, allowing the execution of any included arbitrary code.
The bit string exploit of the msasn1.dll library is similar to the length overflow exploit, but is specific to bit string values. The ASN1BERDecBitString() and ASN1BERDecBitString2() functions report length in terms of bits, but neither copies an amount of data derived from that bit count. ASN1BERDecBitString() attempts to copy the length of the data minus one byte, and ASN1BERDecBitString2() returns a pointer to the original BER-encoded block together with the bit length of the data. Heap memory can be overwritten when a simple bit string has a specific length that results in a total length of zero bytes when encoding is complete. The zero sum is passed to the DecMemReAlloc() function, which allocates a zero-length block, but the original length is passed to the ASN1bitcpy() function, which performs an ordinary memcpy() and overwrites heap memory.
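The two defect classes described above (the wrapping bounds check followed by a length rounded up to a DWORD multiple, and a bit count that totals zero bytes) share one root cause: 32-bit unsigned arithmetic that silently wraps before the result is used as an allocation size. The following C program is an added illustration written for this alert; it is not code from the advisory, from Microsoft, or from msasn1.dll, and it does not reproduce the library's actual arithmetic, which the alert does not give. Addresses are modelled as uint32_t offsets so the wraparound is defined behaviour in the model, and each wrapping computation is paired with the checked form a decoder should use. The function names (bounds_check_wrapping, round_up_dword_wrapping, bits_to_bytes_wrapping and their _safe counterparts) and all sample values are constructed for the example.

```c
/* Added illustration for the ASN.1 length-handling defects described in
 * this alert.  Not code from msasn1.dll: a 32-bit model of the arithmetic,
 * with a checked form beside each wrapping form.  All function names and
 * sample values are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the described ASN1BERDecCheck() test:
 *   (data + len) <= block_end, in 32-bit unsigned arithmetic.
 * If data + len exceeds 2^32 the sum wraps to a small value and the
 * check passes even though len is far larger than the block. */
static bool bounds_check_wrapping(uint32_t data, uint32_t len, uint32_t block_end)
{
    return (uint32_t)(data + len) <= block_end;
}

/* Checked form: compare len against the bytes that actually remain.
 * The subtraction cannot wrap because data <= block_end is verified first. */
static bool bounds_check_safe(uint32_t data, uint32_t len, uint32_t block_end)
{
    if (data > block_end)
        return false;
    return len <= block_end - data;
}

/* Model of DecMemAlloc() rounding the length up to a DWORD multiple.
 * For len in 0xFFFFFFFD..0xFFFFFFFF the sum len + 3 wraps and the result
 * is 0: a zero-byte allocation for a multi-gigabyte copy. */
static uint32_t round_up_dword_wrapping(uint32_t len)
{
    return (len + 3u) & ~3u;
}

/* Checked form: refuse lengths whose rounding would wrap. */
static bool round_up_dword_safe(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - 3u)
        return false;
    *out = (len + 3u) & ~3u;
    return true;
}

/* Model of a bit count converted to a byte count, ceil(nbits / 8).
 * A bit length near 2^32 makes nbits + 7 wrap, so the byte total is 0
 * while the caller still holds the original (huge) length. */
static uint32_t bits_to_bytes_wrapping(uint32_t nbits)
{
    return (nbits + 7u) / 8u;
}

/* Checked form: reject bit counts that cannot be rounded without wrapping. */
static bool bits_to_bytes_safe(uint32_t nbits, uint32_t *out)
{
    if (nbits > UINT32_MAX - 7u)
        return false;
    *out = (nbits + 7u) / 8u;
    return true;
}

/* The two unchecked steps together: does the decoder accept a length and
 * then allocate fewer bytes than memcpy() will copy with that length? */
static bool unchecked_path_undersizes(uint32_t data, uint32_t len, uint32_t block_end)
{
    if (!bounds_check_wrapping(data, len, block_end))
        return false;                       /* rejected; nothing allocated */
    uint32_t alloc = round_up_dword_wrapping(len);
    return alloc < len;                     /* buffer smaller than the copy */
}

int main(void)
{
    /* Constructed values: a 0x100-byte BER block at a typical 32-bit
     * address, and a decoded length two bytes short of 2^32. */
    const uint32_t data = 0x00401000u, block_end = 0x00401100u;
    const uint32_t huge_len = 0xFFFFFFFEu, bit_len = 0xFFFFFFFCu;
    uint32_t out;

    printf("wrapping bounds check accepts huge length: %s\n",
           bounds_check_wrapping(data, huge_len, block_end) ? "yes" : "no");
    printf("checked bounds check accepts huge length:  %s\n",
           bounds_check_safe(data, huge_len, block_end) ? "yes" : "no");
    printf("DWORD-rounded allocation size:             %u\n",
           round_up_dword_wrapping(huge_len));
    printf("checked rounding accepts huge length:      %s\n",
           round_up_dword_safe(huge_len, &out) ? "yes" : "no");
    printf("bytes for bit length 0x%08X:           %u\n",
           bit_len, bits_to_bytes_wrapping(bit_len));
    printf("checked conversion accepts bit length:     %s\n",
           bits_to_bytes_safe(bit_len, &out) ? "yes" : "no");
    printf("unchecked path undersizes the buffer:      %s\n",
           unchecked_path_undersizes(data, huge_len, block_end) ? "yes" : "no");
    return 0;
}
```

The checked forms follow one rule that applies to every length field a decoder reads from the network: bound the length against what remains in the input before doing arithmetic with it, and test for overflow before rounding or rescaling it into an allocation size. Either check alone would have stopped the zero-byte allocation the alert describes.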
Windows NT Workstation, Server and Terminal Server do not have the msasn1.dll file by default. The file was installed on these systems with the patch provided in Microsoft Security Bulletin MS03-041. If this update has not been installed, Windows NT is not vulnerable to these exploits.
The publicly released exploit code targets the lsass.exe service via ports 135/tcp, 139/tcp and 445/tcp on Windows 2000 Professional and Windows XP SP1 and crashes the service. The crash will log an error message indicating that the security package Negotiate generated an exception and is shutting down. The exploit reportedly triggers a reboot approximately one minute following the crash.
Administrators are advised to install the available patches.
TruSecure recommends that customers take immediate action and apply the MS04-007 patch to critical servers. Administrators should especially consider management environments that maintain user databases, financial records, or company certificates or products of those certificates, such as encrypted data.
In particular, TruSecure recommends that administrators immediately apply this patch to the following types of systems:
Internet Information Servers which use certificates (SSL - client or server)
VPN and Firewall appliances which accept authenticated
Microsoft has released patches at the following links:
Version 3, February 11, 2004, 3:47 PM: US-CERT has released a technical cyber security alert addressing the ASN.1 buffer overflow vulnerability. CERT has released an additional vulnerability note to address the vulnerability.
Version 2, February 10, 2004, 5:23 PM: This is TruSecure Action Alert TSA 04-002. The TruSecure Research Team has determined that this vulnerability presents a serious threat to its clients and has provided additional information describing the Ballistic Threat of this vulnerability, as well as additional safeguards. TruSecure has assigned this issue a TEP rating of Hot.
Version 1, February 10, 2004, 4:33 PM: Microsoft Windows contains a vulnerability in msasn1.dll that can allow a remote attacker to trigger a buffer overflow and execute arbitrary code on the affected system. Patches are available.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.