
Protection against Microsoft Message Queuing Buffer Overflow Vulnerability (MS05-017)

Attack ID: CPAI-2005-112
Publish Date:
Category: Microsoft Windows networks
Vulnerable Systems: Microsoft Corporation Windows 2000 SP3
Microsoft Corporation Windows 2000 SP4
Microsoft Corporation Windows XP SP1 and SP2
Microsoft Corporation Windows XP 64-Bit Edition SP1
Microsoft Corporation Windows 98
Microsoft Corporation Windows 98 SE

Source: Microsoft Security Bulletin MS05-017
Description: Microsoft Windows Message Queuing (MSMQ) enables applications that are running at different times to communicate across heterogeneous networks and across systems that may be temporarily offline. A vulnerability in the way the Message Queuing component handles messages enables an attacker to cause a DoS condition or to inject malicious code into the system. Note that MSMQ is not installed by default on the affected platforms and must be manually installed for a computer to be vulnerable.
Severity:
Details:

The MSMQ server supports several methods of message transfer, including Remote Procedure Call (RPC) and HTTP Message Delivery. A vulnerability exists in the way an MSMQ server parses messages received by RPC. By constructing a malicious message with a string that exceeds 300 bytes in length, it is possible to cause a buffer overflow in the vulnerable component.

Attack Detection:

Users of VPN-1 NG with Application Intelligence R55W, users of VPN-1 NGX R60 and users of InterSpect who have enabled the protection described below will identify the attack by the following log entry:

Attack Name: MS Message Queuing Protection Violation
Attack Information: Buffer Overflow Attempt

Users of VPN-1 NG with Application Intelligence R55 will identify rule 99135 on the SmartView Tracker screen.

Attempts to conceal the attack within multiple bind calls will generate the following log entries for users of VPN-1 NG with Application Intelligence R55W, VPN-1 NGX R60 and InterSpect:

Attack Name: DCE-RPC enforcement
Attack Information: Unallowed number of context items in Bind/Alter context request

Users of VPN-1 NG with Application Intelligence R55 will identify rule 92101 on the SmartView Tracker.

Solution: Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window.

The update blocks the vulnerability by validating the length of DCE/RPC bind packets.
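The following Python example is added here for illustration and is not Check Point's implementation or code from this advisory. It shows the two bind checks this page names, the length of a DCE/RPC bind packet and the number of context items in a Bind/Alter context request, using the connection-oriented header layout from the DCE 1.1 RPC specification. The function names, the limits MAX_CTX_ITEMS and MAX_BIND_LEN, and the sample PDUs are assumptions constructed for the example.

```python
import struct

BIND, ALTER_CONTEXT = 11, 14   # PTYPE values in the connection-oriented header
MAX_CTX_ITEMS = 8              # assumed policy limit, not a Check Point value
MAX_BIND_LEN = 1024            # assumed policy limit, not a Check Point value

def check_bind(pdu, max_ctx=MAX_CTX_ITEMS, max_len=MAX_BIND_LEN):
    """Return the policy violations found in one bind/alter_context PDU."""
    if len(pdu) < 16 or pdu[0] != 5:
        return ["not a DCE/RPC connection-oriented PDU"]
    if pdu[2] not in (BIND, ALTER_CONTEXT):
        return []              # other PDU types are out of scope here
    # Integer byte order is the high nibble of the first data-representation byte.
    end = "<" if pdu[4] >> 4 == 1 else ">"
    frag_len, auth_len = struct.unpack_from(end + "HH", pdu, 8)
    findings = []
    if frag_len != len(pdu):
        findings.append("frag_length does not match bytes received")
    if frag_len > max_len:
        findings.append("bind PDU longer than allowed")
    if len(pdu) < 28:
        return findings + ["truncated presentation context list"]
    n_ctx = pdu[24]            # n_context_elem follows the 8-byte bind body
    if n_ctx > max_ctx:
        findings.append("unallowed number of context items")
    # Walk the elements so a count that the PDU cannot hold is also reported.
    off = 28
    limit = len(pdu) - (auth_len + 8 if auth_len else 0)
    for _ in range(n_ctx):
        # Element = 4-byte header + 20-byte abstract syntax + 20 bytes per transfer syntax.
        if off + 4 > limit or off + 24 + 20 * pdu[off + 2] > limit:
            findings.append("context list overruns the PDU")
            break
        off += 24 + 20 * pdu[off + 2]
    return findings

def sample_bind(n_ctx, ptype=BIND):
    """Constructed input: little-endian PDU with n_ctx zero-filled context items."""
    ctx = b"".join(struct.pack("<HBx", i, 1) + bytes(40) for i in range(n_ctx))
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, n_ctx) + ctx
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1) + body

if __name__ == "__main__":
    for n in (1, 20, 30):
        print(n, check_bind(sample_bind(n)))
```
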

To enable the protection:

1. On the SmartDefense navigation tree, click Application Intelligence > Microsoft Windows and enable Block Message Queuing Buffer Overflow.

2. Install security policy on all modules.

Industry Reference: CAN-2005-0059
Additional Information: