Microsoft Windows Workstation Service Buffer Overrun

Buffer overrun vulnerability was discovered in the Microsoft Windows Workstation service. This vulnerability can be exploited via SMB/CIFS and may lead to remote code execution.

The Workstation service is in charge of routing requests for local or remote resources (files or printers). It determines the location of these resources (local or remote) and routes the requests appropriately.

The vulnerability is a buffer overrun in a logging function within a network management function in the service. By passing overly long parameters to this function, a buffer will be overrun. A specially crafted command may use this buffer overrun and cause the attacker's choice of code to be remotely executed on the victim's machine.

The management function is called via a DCE-RPC interface over SMB (CIFS) protocol communication.

Users of FireWall-1 with NG with Application Intelligence can protect against this attack by defining a new CIFS worm catcher pattern.

1. In the SmartDefense tab, enable 'Application Intelligence'->'Microsoft Networks'->'File and Print Sharing'.
2. Click on the 'Add' button to add a new worm pattern:

   Name: Workstation Service (MS03-049)

   Pattern string: \\wkssvc$

   Note: You can click on 'Recalculate' to verify the checksum of the pattern – 0xde4d0c43

3. In 'Application Intelligence' -> 'Microsoft Networks', select if you'd like the configuration to apply to all connection or only to those related to resources used in the Rule Base
4. Install Policy.

Note: This pattern will block the Windows Workstation service completely and may cause severe remote file and print sharing connectivity issues. It is recommended to disable it after all nodes are patched with Microsoft patch KB828749 which solves this issue.

More information is provided in Microsoft's website below.