Microsoft KB Archive/815021

= MS03-007: Unchecked buffer in Windows component may cause Web Server compromise =

Article ID: 815021

Article Last Modified on 12/1/2007

-

APPLIES TO


 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



Microsoft originally released this article March 17, 2003. At that time, Microsoft was aware of a publicly available exploit that was being used to attack Windows 2000 Servers running IIS 5.0. The attack vector in this case was WebDAV although the underlying vulnerability was in a core operating system component, Ntdll.dll. Microsoft issued a patch to protect Windows 2000 customers shortly afterwards, but also continued to investigate the underlying vulnerability. Windows NT 4.0 also contains the underlying vulnerability in Ntdll.dll, however it does not support WebDAV and therefore the known exploit was not effective against Windows NT 4.0. Microsoft has now released patches for Windows NT 4.0. Additionally, Microsoft recently learned of this vulnerability in Windows XP. However, like Windows NT 4.0, Windows XP does not install Internet Information Services (IIS) by default. On May 28, 2003, Microsoft released a patch for Windows XP and Windows XP Service Pack 1.



Warning If you are running Windows 2000 Service Pack 2 (SP2), you must check the version of Ntoskrnl.exe on your computer before you install this patch. To do this:
 * 1) Open the %Windir%\System32 folder.
 * 2) Right-click the Ntoskrnl.exe file, click Properties, and then click the Version tab.

Versions of Ntoskrnl.exe from 5.0.2195.4797 to 5.0.2195.4928 are not compatible with this patch. These versions were distributed only with Microsoft Product Support Services hotfixes. If you install the patch that is described in this article on a computer with an Ntoskrnl.exe version from 5.0.2195.4797 to 5.0.2195.4928, the computer stops responding with a &quot;Stop 0x00000071&quot; message when you restart the computer. If this occurs, you must recover the Windows installation by using Windows 2000 Recovery Console and the backup copy of the Ntdll.dll file that is stored in the Winnt\$NTUninstallQ815021$ folder.

To update a computer that has a version of Ntoskrnl.exe that was distributed by Microsoft Product Support Services, you must first contact Microsoft Product Support Services before you apply this patch. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/selectassist

Or, you can upgrade to Windows 2000 Service Pack 3 (SP3) before you install this patch.



SYMPTOMS
Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, as it is described in RFC 2518, is a set of extensions to Hypertext Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. To view RFC 2518, visit the following RFC Web site:

ftp://ftp.rfc-editor.org/in-notes/rfc2518.txt

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

A security vulnerability exists in a Windows component that is used by WebDAV. This vulnerability occurs because the component contains an unchecked buffer.

An attacker may exploit the vulnerability by sending a specially formed HTTP request to a computer running Microsoft Internet Information Services (IIS). The request may cause the server to fail or to run code of the attacker's choice. The code would run in the security context of the IIS service. (By default, the IIS service runs in the LocalSystem context).

Although Microsoft has supplied a patch for this vulnerability and recommends that you install it immediately, additional tools and preventive measures have been provided that you can use to block the exploitation of this vulnerability while you assess the impact and compatibility of the patch. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

258868 Slipstream Switch for Windows 2000 Service Pack Update.exe Does Not Work with RIS Server Images

Mitigating factors
 The default configuration of URLScan prevents the vulnerability from being exploited. URLScan is a part of the IIS Lockdown tool. For more information about URLScan, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/urlscan.mspx

For more information about the IIS Lockdown tool, visit the following Web site:

http://www.microsoft.com/technet/security/tools/locktool.mspx

 The vulnerability can only be exploited remotely if an attacker can establish a Web session with an affected server.



Windows XP
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows 2000
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Windows XP
Download information

The following files are available for download from the Microsoft Download Center:

Windows XP (all languages)

Download the 815021 package now.

Windows XP 64-Bit Edition

Download the 815021 package now.

Release Date: May 28, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

Installation information

This patch supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List installed hotfixes.
 * /x: Extract the files without running Setup.

For example, to install the patch without any user intervention and to not force the computer to restart, use the following command line:

q815021_wxp_sp2_x86_enu /u /q /z

To verify that the patch is installed on your computer, confirm that the following registry key exists:

Removal information

To remove this update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the \$NTUninstallQ815021$\Spuninst folder, and it supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).

Restart requirement

You must restart your computer after you apply this patch because Ntdll.dll is a core system binary file that is loaded during system startup. Your computer is vulnerable until you restart it.

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP   Date         Time   Version        Size     Path and file name -  02-May-2003  15:03  5.1.2600.114   651,264  %Windir%\System32\Ntdll.dll  pre-SP1 01-May-2003 20:56  5.1.2600.1217  654,336  %Windir%\System32\Ntdll.dll  with SP1

Windows XP 64-Bit Edition   Date         Time   Version        Size       Path and file name 02-May-2003 15:03  5.1.2600.114   1,498,112  %WinDir%\System32\Ntdll.dll   pre-SP1 01-May-2003 14:57  5.1.2600.114     654,336  %WinDir%\System32\Wntdll.dll  pre-SP1 01-May-2003 20:56  5.1.2600.1217  1,508,864  %WinDir%\System32\Ntdll.dll   with SP1 30-Apr-2003 21:43  5.1.2600.1217    657,408  %WinDir%\System32\Wntdll.dll  with SP1 You can also verify the files that this patch installed by reviewing the following registry key:

 

Windows 2000
Download information

The following files are available for download from the Microsoft Download Center:

All Languages Except Japanese NEC

Download the 815021 package now.

Japanese NEC

Download the 815021 package now.

Release Date: March 17, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. Prerequisites

This patch requires Windows 2000 Service Pack 2 (SP2) or Windows 2000 Service Pack 3 (SP3). To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the Latest Windows 2000 service pack

Note If you are using Windows 2000 Service Pack 2 (SP2), see the warning at the beginning of this article before you apply this patch.

Installation information

This patch supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use Unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /n : Do not back up files for removal.
 * /o : Overwrite OEM files without prompting.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

For example, to install the patch without any user intervention, and then to not force the computer to restart, use the following command line:

q815021_w2k_sp4_x86_en /u /q /z

To verify the patch is installed on your computer, confirm that the following registry key exists:

 

Removal information

You can remove this patch by using the Add/Remove Programs tool in Control Panel to remove &quot;Windows 2000 Hotfix (SP4) Q815021.&quot;

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ815021$\Spuninst folder, and it supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Restart requirement

You must restart your computer after you apply this patch because Ntdll.dll is a core system binary that is loaded during system startup. Your computer is vulnerable until you restart it.

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version        Size     Path and file name ---  15-Mar-2003  01:23  5.0.2195.6685  476,944  %Windir%\System32\Ntdll.dll

You can also verify the files that this patch installed by reviewing the following registry key:

 



Windows NT 4.0 (all versions)
Microsoft Internet Information Server (IIS) is not intended for use on Windows NT Server 4.0, Terminal Server Edition, and is not supported. Microsoft recommends that customers who run IIS 4.0 on Windows NT Server 4.0, Terminal Server Edition, protect their systems by removing IIS 4.0.

Download information

The following files are available for download from the Microsoft Download Center:

Windows NT 4.0:

All languages except Japanese NEC and Chinese - Hong Kong:

Download the 815021 package now.

Japanese NEC:

Download the 815021 package now.

Chinese - Hong Kong:

Download the 815021 package now.

Windows NT Server 4.0, Terminal Server Edition:

All languages:

Download the 815021 package now.

Release Date: April 23, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Installation information

This patch supports the following Setup switches:
 * /y : Perform removal (only with /m or /q ).
 * /f : Force programs to be closed at shutdown.
 * /n : Do not create an Uninstall folder.
 * /z : Do not restart when update completes.
 * /q : Use Quiet or Unattended mode with no user interface. (This switch is a superset of /m .)
 * /m : Use Unattended mode with user interface.
 * /l : List installed hotfixes.
 * /x : Extract the files without running Setup.

To verify the patch is installed on your computer, confirm that the following registry key exists:

 

For example, to install the patch without any user intervention, and then to not force the computer to restart, use the following command line:

q815021i /q /z

Removal information

To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallQ815021$\Spuninst folder, and it supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Restart requirement

You must restart your computer after you apply this patch because Ntdll.dll is a core system binary that is loaded during system startup. Your computer is vulnerable until you restart it.

File information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version         Size     Path and File name           OS   24-Mar-2003  10:38  4.0.1381.7212   367,376  %WinDir%\System32\Ntdll.dll  Windows NT 4.0 24-Mar-2003 07:12  4.0.1381.33546  369,936  %WinDir%\System32\Ntdll.dll  TSE

<div class="status_section">

STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.

Windows 2000
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

<div class="moreinformation_section">

MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

Additional query words: security_patch Session5_initialization_failed Stop 0x71

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbwin2ksp4fix kbwinxppresp2fix kbwin2000presp4fix kbsecvulnerability kbsecurity kbsecbulletin kbfix kbbug KB815021

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.