
Windows 2000 Buffer Overflow

Attack ID: CPAI-2003-08
Publish Date:
Category: Windows 2000 Buffer Overflow
Vulnerable Systems: Windows 2000 Professional and Server
Source: Microsoft TechNet
NGSSoftware
Description: A recent analysis of the Microsoft WebDAV security vulnerability (MS03-007), written by David Litchfield of NGSSoftware, indicates that there are many more potential vulnerabilities and attack vectors against Windows 2000 systems that can lead to a successful compromise of the host.
Severity:
  Security researchers at NGSSoftware have already discovered several new attack vectors and believe there will be many that will come to light over the next few weeks.
Details: Security researchers at NGSSoftware have already discovered several new attack vectors that provide ways for an attacker to "access" the vulnerability. Likely areas are non-Microsoft web and FTP servers, IMAP servers, anti-virus solutions and other Microsoft Windows services. Consequently, NGSSoftware believes that every Windows 2000 server or workstation should be patched, and patched as soon as possible, regardless of whether the box is running IIS or not.
Attack Detection: For the original WebDAV exploit see CPSA-2003-03. Security administrators who apply the suggested solution (described in the Solution section below) will be able to detect vulnerable systems using the SmartView Tracker. The following error message will appear for each user without the proper security patch:

message_info: Client's configuration is not verified

Solution:

The solution is based on securing remote users, whose VPN tunnels can otherwise be used by attackers as a bridge into the organization's internal networks. The following solution ensures that only secured and patched systems will be able to connect to the VPN domain.

Security Administrators should verify that the precautionary procedure described in CPSA-2003-03 has been performed. To verify that remote users (SecureClient users only) have installed the suggested patch, perform the following tasks.

  1. Verify that a Policy Server is configured on the gateway.
  2. Configure the SCV Hotfix monitor to verify that the patch is installed on the client's machine.
  3. Security Administrators that are not yet using SCV should perform the following tasks:
    1. Install the attached SCV policy, which verifies the presence of the patch. Users who violate this policy will receive the following message:

      Please install patch Q815021. See http://support.microsoft.com/default.aspx?scid=kb;en-us;815021
    2. Users without this patch will not be able to log in to the VPN domain.

Security administrators who are already using SCV should make the following changes to the local.scv file:

  1. Add the new test to local.scv.

    If you are already using the SCV Hot fix monitor, simply merge the following statements into your HotFixMonitor section.

    If you are not using the SCV Hot fix monitor, simply copy and paste the following section (it should replace any existing HotFixMonitor section).

    : (HotFixMonitor
      :type (plugin)
      :parameters (
        :815021 (true)
        :begin_admin (admin)
        :send_log (alert)
        :mismatchmessage ("Please install patch Q815021. See http://support.microsoft.com/default.aspx?scid=kb;en-us;815021")
        :end (admin)
      )
    )

  2. Enforce the new test.

    Simply merge the following statement into your SCVPolicy section:

    SCVPolicy (
    : (HotFixMonitor)
    )
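The two edits above are easy to get half right: the HotFixMonitor check can be defined in the SCVNames section without ever being listed under SCVPolicy, in which case nothing is enforced. The following is an added example, not part of this advisory or of Check Point's own tools: a small parser for the set-style syntax of local.scv, with a check that reports whether a hotfix is required by a HotFixMonitor entry and whether SCVPolicy actually enforces that entry. The outer SCVObject / SCVNames wrapper around the advisory's fragments is an assumption, and the sample file is constructed for the example.

```python
import re
# Constructed sample shaped like the advisory's local.scv fragments. The outer
# SCVObject / SCVNames wrapper is an assumption; the inner sections follow the page.
SAMPLE_SCV = """(SCVObject
  :SCVNames (
    : (HotFixMonitor
      :type (plugin)
      :parameters (
        :815021 (true)
        :begin_admin (admin)
        :send_log (alert)
        :mismatchmessage ("Please install patch Q815021. See http://support.microsoft.com/default.aspx?scid=kb;en-us;815021")
        :end (admin)
      )
    )
  )
  :SCVPolicy (
    : (HotFixMonitor)
  )
)"""
# Tokens of the set format: quoted string, parentheses, ':key' (possibly just ':'), bare atom.
_TOKEN = re.compile(r'"[^"]*"|\(|\)|:\w*|[^\s()]+')


def _parse_list(tokens, i):  # parse '( item ... )' at tokens[i]; items are atoms or (key, value)
    items, i = [], i + 1
    while tokens[i] != ")":
        if tokens[i].startswith(":"):  # ':name (value)' or the anonymous ': (value)'
            key, (val, i) = tokens[i][1:], _parse_list(tokens, i + 1)
            items.append((key, val))
        else:  # bare atom such as HotFixMonitor, plugin or true
            items.append(tokens[i].strip('"'))
            i += 1
    return items, i + 1


def parse_scv(text):
    tokens = _TOKEN.findall(text)
    return _parse_list(tokens, tokens.index("("))[0]


def _get(items, key):  # value of the first (key, value) pair in a parsed list, else None
    return next((v for k, v in (it for it in items if isinstance(it, tuple)) if k == key), None)


def check_hotfix_policy(text, hotfix="815021"):
    """Does a HotFixMonitor check require the hotfix, and does SCVPolicy actually enforce it?"""
    scv = parse_scv(text)
    monitors = [it[1] for it in _get(scv, "SCVNames") or [] if isinstance(it, tuple)
                and isinstance(it[1], list) and it[1][:1] == ["HotFixMonitor"]]
    required = any(_get(_get(m, "parameters") or [], hotfix) == ["true"] for m in monitors)
    enforced = ("", ["HotFixMonitor"]) in (_get(scv, "SCVPolicy") or [])
    return {"required": required, "enforced": enforced}
```

Running check_hotfix_policy on a file where step 2 was skipped returns required=True but enforced=False, which is the misconfiguration to look for before installing the desktop policy.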

Installing the SCV policy:

The attached zip file contains two files:

  • scvprod.exe - A self-extracting, self-installing SCV package from FP3. This package installs itself on a computer running SecureClient version FP2 or above. The package stops the running SecureClient, installs the DLLs, registers them and restarts SecureClient. No reboot is necessary. Note that administrative privilege is required.
  • local.scv - A short policy file showing how to configure the hotfix monitor policy. The local.scv file should be placed in the $FWDIR/conf directory of the management server. If a local.scv file already exists, merge the contents of both files in order to keep the previous SCV settings. Once it is in place, a desktop policy should be installed.

The Urgent Advisory includes the SCV Policy download.

Industry Reference:
Additional Information: Microsoft Patch Q815021