Microsoft Windows LSASS Buffer Overrun Vulnerability
BID:10108
Info
Microsoft Windows LSASS Buffer Overrun Vulnerability
| Bugtraq ID: | 10108 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2003-0533 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 13 2004 12:00AM |
| Updated: | Jul 12 2009 04:06AM |
| Credit: | Discovery is credited to eEye Digital Security. |
| Vulnerable: |
Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows XP 64-bit Edition Version 2003 SP1 Microsoft Windows XP 64-bit Edition Version 2003 Microsoft Windows XP 64-bit Edition SP1 Microsoft Windows XP 64-bit Edition Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Enterprise Edition Itanium 0 Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Datacenter Edition Itanium 0 Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows 2000 Server SP4 Microsoft Windows 2000 Server SP3 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server Microsoft Windows 2000 Professional SP4 Microsoft Windows 2000 Professional SP3 Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server SP4 Microsoft Windows 2000 Datacenter Server SP3 Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP4 Microsoft Windows 2000 Advanced Server SP3 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server Avaya S8100 Media Servers 0 Avaya S3400 Message Application Server 0 Avaya IP600 Media Servers Avaya DefinityOne Media Servers |
| Not Vulnerable: | |
Discussion
Microsoft Windows LSASS Buffer Overrun Vulnerability
Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise.
This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk as the administrator will likely already have complete control over the system.
Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise.
This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk as the administrator will likely already have complete control over the system.
Exploit / POC
Microsoft Windows LSASS Buffer Overrun Vulnerability
Exploit code has been released.
An additional exploit (HOD-ms04011-lsasrv-expl.c) has been supplied by houseofdabus.
Additional exploit code (xphack.c) also released by Jocanor.
An Exploit has been released for this issue as part of the Metasploit Framework project version 2.2. Various other exploits have been released as well. Please see the Metasploit exploits site in Web references for more information.
CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.
Exploit code has been released.
An additional exploit (HOD-ms04011-lsasrv-expl.c) has been supplied by houseofdabus.
Additional exploit code (xphack.c) also released by Jocanor.
An Exploit has been released for this issue as part of the Metasploit Framework project version 2.2. Various other exploits have been released as well. Please see the Metasploit exploits site in Web references for more information.
CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.
Solution / Fix
Microsoft Windows LSASS Buffer Overrun Vulnerability
Solution:
Avaya has released an advisory to announce that Avaya System Products shipping on Microsoft platforms are also affected by this vulnerability. Avaya advise that customers follow the Microsoft recommendations for the resolution of this issue. The aforementioned advisory can be viewed at the following location:
http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=161384&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
Microsoft has released fixes to address this issue.
US-CERT has released an advisory TA04-104A to address this and other issues. Please see the referenced advisory for more information.
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 2000 Professional SP2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows 2000 Server SP3
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows 2000 Server SP4
Microsoft Windows XP Professional
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1
Solution:
Avaya has released an advisory to announce that Avaya System Products shipping on Microsoft platforms are also affected by this vulnerability. Avaya advise that customers follow the Microsoft recommendations for the resolution of this issue. The aforementioned advisory can be viewed at the following location:
http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=161384&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
Microsoft has released fixes to address this issue.
US-CERT has released an advisory TA04-104A to address this and other issues. Please see the referenced advisory for more information.
Microsoft Windows 2000 Server SP2
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows 2000 Advanced Server SP2
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows XP 64-bit Edition SP1
-
Microsoft Security Update for Windows XP 64 Bit Edition (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=C6B55EF2-D9FE -4DBE-AB7D-73A20C82FF73&displaylang=en
Microsoft Windows 2000 Advanced Server SP4
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows 2000 Professional SP3
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows Server 2003 Enterprise Edition
-
Microsoft Security Update for Windows Server 2003 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF -453E-AE7E-7495864E8D8C&displaylang=en
Microsoft Windows 2000 Professional SP2
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows Server 2003 Web Edition
-
Microsoft Security Update for Windows Server 2003 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF -453E-AE7E-7495864E8D8C&displaylang=en
Microsoft Windows XP Home
-
Microsoft Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F -43B9-A4F1-AF243B6168F3&displaylang=en
Microsoft Windows 2000 Advanced Server SP3
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows XP Home SP1
-
Microsoft Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F -43B9-A4F1-AF243B6168F3&displaylang=en
Microsoft Windows XP 64-bit Edition Version 2003 SP1
-
Microsoft Security Update for Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (
http://www.microsoft.com/downloads/details.aspx?FamilyId=C207D372-E883 -44A6-A107-6CD2D29FC6F5&displaylang=en
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
-
Microsoft Security Update for Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (
http://www.microsoft.com/downloads/details.aspx?FamilyId=C207D372-E883 -44A6-A107-6CD2D29FC6F5&displaylang=en
Microsoft Windows 2000 Server SP3
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows Server 2003 Standard Edition
-
Microsoft Security Update for Windows Server 2003 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EAB176D0-01CF -453E-AE7E-7495864E8D8C&displaylang=en
Microsoft Windows XP 64-bit Edition Version 2003
-
Microsoft Security Update for Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003 (
http://www.microsoft.com/downloads/details.aspx?FamilyId=C207D372-E883 -44A6-A107-6CD2D29FC6F5&displaylang=en
Microsoft Windows 2000 Server SP4
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows XP Professional
-
Microsoft Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F -43B9-A4F1-AF243B6168F3&displaylang=en
Microsoft Windows 2000 Professional SP4
-
Microsoft Security Update for Windows 2000 (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A -414C-B3EB-D2342FBB6C00&displaylang=en
Microsoft Windows XP Professional SP1
-
Microsoft Security Update for Windows XP (KB835732)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F -43B9-A4F1-AF243B6168F3&displaylang=en
References
Microsoft Windows LSASS Buffer Overrun Vulnerability
References:
References:
- Metasploit Framework Exploits (Metasploit)
- Microsoft Security Bulletin MS04-011 (Microsoft)
- MSRPC LSASS Buffer Overflow exploit (CORE Security)
- Vulnerability Note VU#753212 - Microsoft LSA Service contains buffer overflow in (CERT/CC)
- W32.Janx (Symantec)
- Windows Local Security Authority Service Remote Buffer Overflow (eEye)
- EEYE: Windows Local Security Authority Service Remote Buffer Overflow ("Marc Maiffret"
)