Signature Detail

NETBIOS: WINS Server Name Overflow

This signature detects attempts to exploit a known vulnerability against NetBIOS WINS servers. Attackers can send an overly long server name parameter to overflow the stack buffer and execute arbitrary code.

Extended Description

It is reported that the WINS replication protocol contains a vulnerability that when exploited will result in memory corruption. The issue exists due to a protocol design flaw that allows a remote user to specify the location of an association context data structure in memory. Because the attacker may control the location of the data structure, this vulnerability may be exploited to corrupt process memory. This issue could potentially be exploited remotely by a WINS client to execute arbitrary code with SYSTEM level privileges on a target WINS server. The service may be exposed via TCP/UDP port 42 by default, but the vendor has stated that other attack vectors may exist though none are known at this time. The WINS service is not installed by default on most Microsoft Windows platforms. ** UPDATE: The WINS service is installed and enabled by default on Microsoft Small Business Server 2000/2003. However, the ports used for the service are reportedly not remotely accessible by default on Small Business Server.

Affected Products

• Microsoft Small Business Server 2000
• Microsoft Small Business Server 2003
• Microsoft Windows 2000 Advanced Server SP1
• Microsoft Windows 2000 Advanced Server SP2
• Microsoft Windows 2000 Advanced Server SP3
• Microsoft Windows 2000 Advanced Server SP4
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server SP1
• Microsoft Windows 2000 Datacenter Server SP2
• Microsoft Windows 2000 Datacenter Server SP3
• Microsoft Windows 2000 Datacenter Server SP4
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Professional SP1
• Microsoft Windows 2000 Professional SP2
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server SP1
• Microsoft Windows 2000 Server SP2
• Microsoft Windows 2000 Server SP3
• Microsoft Windows 2000 Server SP4
• Microsoft Windows 2000 Server
• Microsoft Windows NT Enterprise Server 4.0
• Microsoft Windows NT Enterprise Server 4.0 SP1
• Microsoft Windows NT Enterprise Server 4.0 SP2
• Microsoft Windows NT Enterprise Server 4.0 SP3
• Microsoft Windows NT Enterprise Server 4.0 SP4
• Microsoft Windows NT Enterprise Server 4.0 SP5
• Microsoft Windows NT Enterprise Server 4.0 SP6
• Microsoft Windows NT Enterprise Server 4.0 SP6a
• Microsoft Windows NT Server 4.0
• Microsoft Windows NT Server 4.0 SP1
• Microsoft Windows NT Server 4.0 SP2
• Microsoft Windows NT Server 4.0 SP3
• Microsoft Windows NT Server 4.0 SP4
• Microsoft Windows NT Server 4.0 SP5
• Microsoft Windows NT Server 4.0 SP6
• Microsoft Windows NT Server 4.0 SP6a
• Microsoft Windows NT Terminal Server 4.0
• Microsoft Windows NT Terminal Server 4.0 SP1
• Microsoft Windows NT Terminal Server 4.0 SP2
• Microsoft Windows NT Terminal Server 4.0 SP3
• Microsoft Windows NT Terminal Server 4.0 SP4
• Microsoft Windows NT Terminal Server 4.0 SP5
• Microsoft Windows NT Terminal Server 4.0 SP6
• Microsoft Windows NT Terminal Server 4.0 SP6a
• Microsoft Windows Server 2003 Datacenter Edition
• Microsoft Windows Server 2003 Datacenter Edition Itanium
• Microsoft Windows Server 2003 Enterprise Edition
• Microsoft Windows Server 2003 Enterprise Edition Itanium
• Microsoft Windows Server 2003 Standard Edition
• Microsoft Windows Server 2003 Web Edition

References

• BugTraq: 11763
• CVE: CVE-2004-0567