Vulnerability Alert

Microsoft Windows ASN.1 Buffer Overflow Vulnerability

 
Threat Type: CWE-119: Buffer Errors
IntelliShield ID: 7251
Version: 4
First Published: 2004 February 10 21:33 GMT
Last Published: 2004 February 15 15:03 GMT
Port: 135, 139, 443, 445, 80, 88
CVE: CVE-2003-0818, CVE-2005-1935
Urgency: Possible use
Credibility: Confirmed
Severity: Heavy Damage
 
Version Summary:

Exploit code affecting Windows 2000 Professional and Windows XP has been released to the public. The released code targets the lsass.exe service and results in a denial of service condition.

 
 
Description

Microsoft Windows NT, 2000, XP and 2003 contain a vulnerability in the msasn1.dll library that can allow a remote attacker to trigger a buffer overflow on the affected system and overwrite heap memory space. An attacker can exploit the vulnerability in multiple ways to execute arbitrary code on the system with System privileges.

The vulnerability is due to improper bounds checking of overly large payloads in the heap allocation routine. An attacker could exploit the vulnerability by sending a large data payload or an overly long bit string. Either method of exploitation can result in the overwriting of allocated kernel memory space, allowing the execution of arbitrary code.

The Windows operating systems use the msasn1.dll file in most types of authentication.

Patches are available.

Exploit code is publicly available.

 
Warning Indicators

Systems running Windows NT, 2000, XP and 2003 are vulnerable.

Evidence of exploit attempts may appear in system security logs or the IIS logs of SSL-secured sites.

 
IntelliShield Analysis

Administrators should apply the available patches as soon as possible, as this vulnerability can be exploited through many different vectors. The vulnerability cannot be mitigated because shutting down affected services essentially renders the system inoperable. Any subsystem that utilizes the Microsoft crypt32.dll library, and thereby the msasn1.dll library, is susceptible.

Threat
Moderate - There is currently no obvious threat publicly available. However, TruSecure believes that critical network security infrastructure components must be patched immediately in order to ensure the trust placed in them.

Vulnerability Prevalence
High - Microsoft Security Bulletin MS04-007 addresses two exploit possibilities for a critical vulnerability in all Microsoft platforms that, if exploited, can result in total system compromise. The most significant aspect of the vulnerabilities is that they exist in critical network security infrastructure components, such as authentication, encryption, and certificate handling.

Cost
High - Exploitation of this vulnerability can allow the execution of arbitrary code with System privileges. Systems storing sensitive information, such as financial or customer-related data, could be severely impacted.

Exploits are likely to be attempted by a small group of professional attackers who may gain access to exploit code. Attacks are likely to target high-profile sites, such as banks and other financial institutions. If exploit code becomes publicly available, malicious code and attack tools are likely to surface that enable low-level attackers to attempt exploits.

Exploit code has been released to the public. The code is effective against Windows 2000 Professional and Windows XP SP1 and results in a DoS condition. While the current code only results in a DoS condition, it is probable that the code will be modified by others to execute arbitrary code.

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS04-007. Microsoft has released a knowledge base article at the following link: 252648

CERT has released vulnerability notes at the following links: VU#216324 and VU#583108

US-CERT has released a technical cyber security alert at the following link: TA04-041A

 
Impact

A remote attacker could exploit the vulnerability to execute arbitrary code on the affected system with System privileges.

 
Technical Information

The Microsoft msasn1.dll file is susceptible to multiple integer overflows that can result in allocation of 0 byte memory blocks, allowing the overwriting of system heap space.

The length overflow exploit focuses on the length field of the encoded data. The ASN1BERDecCheck() function verifies that (pointer_to_start_of_data + reported_length_of_data), unsigned, is less than or equal to (pointer_to_start_of_BER_block + total_size_of_BER_block). The system then calls ASN1BERDecLength() and attempts to allocate memory and make a copy of the data through DecMemAlloc(). This function rounds the length up to a DWORD multiple and attempts to allocate the result. If DecMemAlloc() succeeds, the calling function runs the value data through memcpy() and into the allocated heap buffer, using the original decoded length of the value as the byte count. By supplying an overly large payload to the ASN.1 ASN1BERDecCheck() function, an attacker can cause the pointer to wrap 32-bit address space, resulting in a valid but incorrect data length. This causes memcpy() to copy the data into heap memory, allowing the execution of any included arbitrary code.

The bit string exploit of the msasn1.dll library is similar to the length overflow exploit, but is specific to bit string values. The ASN1BERDecBitString() and ASN1BERDecBitString2() functions report length in terms of bits, but the functions do not copy an amount of data based on the range number of the bit. The ASN1BERDecBitString() function attempts to copy the length of data minus one byte, and ASN1BERDecBitString2() returns a pointer to the original BER-encoded block and the bit length of the data. Heap memory can be overwritten when a simple bit string has a specific length that results in a total length of zero bytes when encoding is complete. The zero sum is passed to the DecMemReAlloc() function to allocate a zero-length block, but the original length is passed to the ASN1bitcpy() function, which performs a typical memcpy() operation and overwrites heap memory.
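As an added illustration (not code from this alert or from Microsoft), the following C model reproduces the two arithmetic defects the preceding paragraphs describe, the wrapping pointer-plus-length check and the DWORD round-up that yields a zero-byte allocation whose caller still copies the original length, each beside a hardened version. Addresses are simulated with uint32_t values and every size is constructed, so the wrap happens in arithmetic only and no real memory is touched.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed model: uint32_t values stand in for pointers in a 32-bit
 * process, so the wrap-around happens in arithmetic, not in real memory.
 * Flawed check (as the alert describes ASN1BERDecCheck): pointer + length
 * is computed first; if that sum wraps past 2^32 it compares small. */
bool flawed_check(uint32_t data_start, uint32_t data_len,
                  uint32_t block_start, uint32_t block_size)
{
    uint32_t data_end = data_start + data_len;   /* may wrap */
    return data_end <= block_start + block_size;
}
/* Hardened check: never add an untrusted length to a pointer; compare the
 * length against the bytes remaining in the block instead. */
bool hardened_check(uint32_t data_start, uint32_t data_len,
                    uint32_t block_start, uint32_t block_size)
{
    if (data_start < block_start || data_start - block_start > block_size)
        return false;                            /* start not inside block */
    return data_len <= block_size - (data_start - block_start);
}

/* Flawed DWORD round-up (as described for DecMemAlloc): len + 3 wraps for
 * len >= 0xFFFFFFFD, so the allocation is 0 bytes while the caller still
 * copies the original len. */
uint32_t flawed_round_up(uint32_t len)
{
    return (len + 3u) & ~3u;
}

/* Hardened round-up: refuse lengths whose rounded size is not representable. */
bool hardened_round_up(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - 3u)
        return false;
    *out = (len + 3u) & ~3u;
    return true;
}
int main(void)
{
    /* Constructed BER block: 256 bytes at 0x00400000, value starts at +16. */
    uint32_t blk = 0x00400000u, size = 256u, val = blk + 16u;
    uint32_t huge = 0xFFFFFFF0u;                 /* length that wraps the sum */
    printf("flawed check passes:   %d\n", flawed_check(val, huge, blk, size));
    printf("hardened check passes: %d\n", hardened_check(val, huge, blk, size));
    printf("flawed round-up(0xFFFFFFFE) = %u\n", flawed_round_up(0xFFFFFFFEu));
    return 0;
}
```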

Windows NT Workstation, Server and Terminal Server do not have the msasn1.dll file by default. The file was installed on these systems with the patch provided in Microsoft Security Bulletin MS03-041. If this update has not been installed, Windows NT is not vulnerable to these exploits.

The publicly released exploit code targets the lsass.exe service via ports 135/tcp, 139/tcp and 445/tcp on Windows 2000 Professional and Windows XP SP1 and crashes the service. The crash will log an error message indicating that the security package Negotiate generated an exception and is shutting down. The exploit reportedly triggers a reboot approximately one minute following the crash.

 
Safeguards

Administrators are advised to install the available patches.

TruSecure recommends that customers take immediate action and apply the MS04-007 patch to critical servers. Administrators should especially consider management environments that maintain user databases, financial records, or company certificates or products of those certificates, such as encrypted data.

In particular, TruSecure recommends that administrators immediately apply this patch to the following types of systems:

  • Domain Controllers
  • Exchange Servers
  • Internet Information Servers which use certificates (SSL - client or server)
  • VPN and Firewall appliances which accept authenticated connections



 
Patches/Software

Microsoft has released patches at the following links:

Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 Terminal Server Edition SP6a
Microsoft Windows 2000
Microsoft Windows XP

Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name | Release | Latest Release Date
3336/0 | Windows ASN.1 Bit String NTLMv2 Integer Overflow | S396 | 2009 Apr 21
3347/0 | Windows ASN.1 Library Bit String Heap Corruption | S757 | 2013 Dec 03
3347/1 | Windows ASN.1 Library Bit String Heap Corruption | S555 | 2011 Mar 29
3347/2 | Windows ASN.1 Library Bit String Heap Corruption | S555 | 2011 Mar 29
5600/0 | Windows ASN.1 Bit String NTLMv2 Integer Overflow | S448 | 2009 Nov 13
18180/0 | Microsoft ASN.1 DoS | S429 | 2009 Sep 03

Cisco Small Business IPS
Signature ID | Signature Name | Release | Latest Release Date
SBIPS2009-000246/ | Windows ASN.1 Library Bit String Heap Corruption | SBIPS000001 | 2010 Jan 15
SBIPS2009-001171/ | Microsoft ASN.1 DoS | SBIPS000001 | 2010 Jan 15
SBIPS2010-000041/ | Windows ASN.1 Bit String NTLMv2 Integer Overflow | SBIPS000004 | 2010 Jun 10
 
Alert History
 

Version 3, February 11, 2004, 3:47 PM: US-CERT has released a technical cyber security alert addressing the ASN.1 buffer overflow vulnerability. CERT has released an additional vulnerability note to address the vulnerability.

Version 2, February 10, 2004, 5:23 PM: This is TruSecure Action Alert TSA 04-002. The TruSecure Research Team has determined that this vulnerability presents a serious threat to its clients and has provided additional information describing the Ballistic Threat of this vulnerability, as well as additional safeguards. TruSecure has assigned this issue a TEP rating of Hot.

Version 1, February 10, 2004, 4:33 PM: Microsoft Windows contains a vulnerability in msasn1.dll that can allow a remote attacker to trigger a buffer overflow and execute arbitrary code on the affected system. Patches are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc. Windows 2000 Advanced Server Base, SP1, SP2, SP3, SP4 | Datacenter Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc. Windows NT 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6a
Microsoft, Inc. Windows NT Server 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Microsoft, Inc. Windows NT Server Enterprise Edition 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Microsoft, Inc. Windows NT Terminal Server Original Release Base | 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Microsoft, Inc. Windows Server 2003 Datacenter Edition Base | Datacenter Edition, 64-bit (Itanium) Base | Enterprise Edition Base | Enterprise Edition, 64-bit (Itanium) Base | Standard Edition Base | Web Edition Base
Microsoft, Inc. Windows XP Home Edition Base, SP1 | Professional Edition Base, SP1 | Professional Edition, 64-bit (Itanium) Base, SP1

Associated Products:
N/A



