July 2006
Two Microsoft Security Bulletins: 1. MS06-035 - Vulnerability in Server Service Could Allow Remote Code Execution 2. MS06-033 - Vulnerability in ASP.NET Could Allow Information Disclosure
ID: 00475
Ref: 461/2006
Date: 12 July 2006:14:15:17
Version: 1
Abstract:
Vendors affected: Microsoft
Operating systems affected: Microsoft
Applications affected: Microsoft
Title
=====
Two Microsoft Security Bulletins:
1. MS06-035 - Vulnerability in Server Service Could Allow Remote Code Execution
2. MS06-033 - Vulnerability in ASP.NET Could Allow Information Disclosure
Detail
======
1. This bulletin refers to two separate vulnerabilities. The more
serious of the two may allow the remote execution of arbitrary
code. The other is an information disclosure vulnerability. Note
that both of these vulnerabilities are fixed by the patch.
2. This information disclosure vulnerability could allow an attacker to bypass
ASP.NET security and gain unauthorized access to objects in the Application
folders explicitly by name. Note that this vulnerability would not allow an
attacker to execute code or to elevate their user rights directly, but it
could be used to produce useful information that could be used to try to
further compromise the affected system.
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution
12 July 2006
===========================================================================
Product:           Server service
Publisher:         Microsoft
Operating System:  Windows Server 2003 x64 Edition
                   Windows Server 2003 Itanium SP1
                   Windows Server 2003 Itanium
                   Windows Server 2003 SP1
                   Windows Server 2003
                   Windows XP Professional x64 Edition
                   Windows XP SP1 and SP2
                   Windows 2000 SP 4
Impact:            Execute Arbitrary Code/Commands
                   Access Privileged Data
Access:            Remote/Unauthenticated
CVE Names:         CVE-2006-1315 CVE-2006-1314
Original Bulletin:
  http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx
Comment: This bulletin refers to two separate vulnerabilities. The more
         serious of the two may allow the remote execution of arbitrary
         code. The other is an information disclosure vulnerability. Note
         that both of these vulnerabilities are fixed by the patch.
- - --------------------------BEGIN INCLUDED TEXT--------------------
MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution
CVE-2006-1315 CVE-2006-1314
Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition (SE)
- Microsoft Windows Millennium Edition (Me)
CVE-2006-1314 - Mailslot Heap Overflow Vulnerability
====================================================
There is a remote code execution vulnerability in the Server driver that
could allow an attacker who successfully exploited this vulnerability to
take complete control of the affected system.
Mitigating Factors
- - ------------------
Firewall best practices and standard default firewall configurations can
help protect networks from attacks that originate outside the enterprise
perimeter. Best practices recommend that systems that are connected to the
Internet have a minimal number of ports exposed.
Microsoft Windows XP Service Pack 2 and Microsoft Windows Server 2003
Service Pack 1 do not have services listening on Mailslots in default
configurations.
Attempts to exploit this vulnerability will most probably result in a
Denial of Service condition caused by an unexpected restart of the
affected system rather than Remote Code Execution.
Workarounds
- - -----------
Microsoft has tested the following workarounds. Although these workarounds
will not correct the underlying vulnerability, they help block known attack
vectors.
- Block TCP port 445 at the firewall:
This port is used to initiate a connection with the affected component.
Blocking TCP port 445 at the firewall will help protect systems that are
behind that firewall from attempts to exploit this vulnerability. We
recommend that you block all unsolicited inbound communication from the
Internet to help prevent attacks that may use other ports.
- To help protect from network-based attempts to exploit this vulnerability,
use a personal firewall, such as the Internet Connection Firewall, which
is included with Windows XP and with Windows Server 2003.
By default, the Internet Connection Firewall feature in Windows XP and in
Windows Server 2003 helps protect your Internet connection by blocking
unsolicited incoming traffic. We recommend that you block all unsolicited
incoming communication from the Internet. In Windows XP Service Pack 2
this feature is called the Windows Firewall.
To enable the Internet Connection Firewall feature by using the Network
Setup Wizard, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections,
and then click Setup or change your home or small office network. The
Internet Connection Firewall feature is enabled when you select a
configuration in the Network Setup Wizard that indicates that your
system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection,
follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet
Connections, and then click Network Connections.
3. Right-click the connection on which you want to enable Internet
Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Click to select the Protect my computer or network by limiting or
preventing access to this computer from the Internet check box, and
then click OK.
Note: If you want to enable certain programs and services to communicate
through the firewall, click Settings on the Advanced tab, and then
select the programs, the protocols, and the services that are
required.
- To help protect from network-based attempts to exploit this vulnerability,
enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound
traffic. For more information about how to configure TCP/IP filtering,
see Microsoft Knowledge Base Article 309798.
- To help protect from network-based attempts to exploit this vulnerability,
block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network
communications. Detailed information about IPSec and about how to apply
filters is available in Microsoft Knowledge Base Article 313190 and
Microsoft Knowledge Base Article 813878.
CVE-2006-1315 - SMB Information Disclosure Vulnerability
========================================================
There is an information disclosure vulnerability in the Server service that
could allow an attacker to view fragments of memory used to store SMB
traffic during transport.
Mitigating Factors
- - ------------------
Firewall best practices and standard default firewall configurations can
help protect networks from attacks that originate outside the enterprise
perimeter. Best practices recommend that systems that are connected to the
Internet have a minimal number of ports exposed.
For customers who require the affected component, firewall best practices
and standard default firewall configurations can help protect networks from
attacks that originate outside the enterprise perimeter. Best practices
recommend that systems that are connected to the Internet have a minimal
number of ports exposed.
On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003, an
attacker must have valid logon credentials to exploit this vulnerability.
The vulnerability could not be exploited by anonymous users. However, the
affected component is available remotely to users who have standard user
accounts. In certain configurations, anonymous users could authenticate as
the Guest account. For more information, see Microsoft Security Advisory
906574.
Workarounds
- - -----------
Microsoft has tested the following workarounds. Although these workarounds
will not correct the underlying vulnerability, they help block known attack
vectors.
Note: Other protocols such as Internetwork Packet Exchange (IPX) and
Sequenced Packet Exchange (SPX) could be vulnerable to this issue. If
vulnerable protocols such as IPX and SPX are in use, it is important to
block the appropriate ports for those protocols as well.
- Block TCP ports 139 and 445 at the firewall
These ports are used to initiate a connection with the affected protocol.
Blocking them at the firewall, both inbound and outbound, will help prevent
systems that are behind that firewall from attempts to exploit this
vulnerability. We recommend that you block all unsolicited inbound
communication from the Internet to help prevent attacks that may use other
ports.
- To help protect from network-based attempts to exploit this vulnerability,
use a personal firewall, such as the Internet Connection Firewall, which
is included with Windows XP and with Windows Server 2003.
By default, the Internet Connection Firewall feature in Windows XP and in
Windows Server 2003 helps protect your Internet connection by blocking
unsolicited incoming traffic. We recommend that you block all unsolicited
incoming communication from the Internet.
To enable the Internet Connection Firewall feature by using the Network
Setup Wizard, follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections,
and then click Setup or change your home or small office network. The
Internet Connection Firewall feature is enabled when you select a
configuration in the Network Setup Wizard that indicates that your
system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection,
follow these steps:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet
Connections, and then click Network Connections.
3. Right-click the connection on which you want to enable Internet
Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Click to select the Protect my computer or network by limiting or
preventing access to this computer from the Internet check box, and
then click OK.
Note: If you want to enable certain programs and services to communicate
through the firewall, click Settings on the Advanced tab, and then
select the programs, the protocols, and the services that are
required.
- To help protect from network-based attempts to exploit this vulnerability,
enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound
traffic. For more information about how to configure TCP/IP filtering,
see Microsoft Knowledge Base Article 309798.
- To help protect from network-based attempts to exploit this vulnerability,
block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network
communications. Detailed information about IPSec and about how to apply
filters is available in Microsoft Knowledge Base Article 313190 and
Microsoft Knowledge Base Article 813878.
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
MS06-033 Vulnerability in ASP.NET Could Allow Information Disclosure
12 July 2006
===========================================================================
Product:           .NET Framework 2.0
Publisher:         Microsoft
Operating System:  Windows Server 2003 x64 Edition
                   Windows Server 2003 Itanium SP1
                   Windows Server 2003 Itanium
                   Windows Server 2003 SP 1
                   Windows Server 2003
                   Windows XP Media Center Edition
                   Windows XP Tablet PC Edition
                   Windows XP Professional x64 Edition
                   Windows XP SP 2
                   Windows XP SP 1
                   Windows 2000 SP 4
Impact:            Access Privileged Data
Access:            Remote/Unauthenticated
CVE Names:         CVE-2006-1300
Original Bulletin:
  http://www.microsoft.com/technet/security/Bulletin/MS06-033.mspx
- - --------------------------BEGIN INCLUDED TEXT--------------------
MS06-033 Vulnerability in ASP.NET Could Allow Information Disclosure
CVE-2006-1300
Affected Software:
- .NET Framework 2.0 for the following operating system versions:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows XP Tablet PC Edition
- Microsoft Windows XP Media Center Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based systems
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
- Microsoft .NET Framework 1.0
- Microsoft .NET Framework 1.1
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition (SE)
- Microsoft Windows Millennium Edition (Me)
Affected Components:
- ASP.NET
This information disclosure vulnerability could allow an attacker to bypass
ASP.NET security and gain unauthorized access to objects in the Application
folders explicitly by name. Note that this vulnerability would not allow an
attacker to execute code or to elevate their user rights directly, but it
could be used to produce useful information that could be used to try to
further compromise the affected system.
Mitigating Factors
- - ------------------
Directory browsing is not enabled by default on Application folder
directories. An attacker would have to guess or know the names of the files
they are attempting to retrieve or view.
By default, file extensions that are used by Visual Studio and ASP.NET web
projects are mapped to the aspnet_isapi.dll System.Web.HttpForbiddenHandler
and as a result, files with these extensions cannot be retrieved or viewed
remotely using this vulnerability.
Here's the full list of file extensions that are protected (and not
vulnerable): *.asax, *.ascx, *.master, *.skin, *.browser, *.sitemap,
*.config (but not *.exe.config or *.dll.config), *.cs,
*.csproj, *.vb, *.vbproj, *.webinfo, *.licx, *.resx,
*.resources, *.mdb, *.vjsproj, *.java, *.dd, *.jsl, *.ldb,
*.ad, *.ldd, *.sd, *.cd, *.adprototype, *.lddprototype,
*.sdm, *.sdmDocument, *.mdf, *.ldf, *.exclude, *.refresh
IIS 6.0 will not send any file type that does not have a MIME mapping
defined in IIS 6.0. IIS 6.0 only stores the allowed MIME mappings in the
metabase.
For example if a custom file type with a .data file extension is located in
the app_data folder on an IIS6 server, but there is no MIME association for
.data files defined in IIS or the Windows Registry on that server, Internet
Information Services (IIS) will not serve this type of file and will return
a 404 error (regardless of what folder / directory the file resides in).
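The two mitigations above (the HttpForbiddenHandler extension list and the IIS 6.0 MIME rule) can be turned into an inventory check. The following is an added example, not code from Microsoft or from this bulletin: it flags files under App_* folders that neither mitigation covers. The function names, the case-insensitive "App_" prefix match, the operator-supplied set of MIME-mapped extensions and the sample paths are assumptions made for illustration.

```python
import posixpath

# Extensions the bulletin lists as mapped to HttpForbiddenHandler.
PROTECTED = {
    ".asax", ".ascx", ".master", ".skin", ".browser", ".sitemap", ".config",
    ".cs", ".csproj", ".vb", ".vbproj", ".webinfo", ".licx", ".resx",
    ".resources", ".mdb", ".vjsproj", ".java", ".dd", ".jsl", ".ldb", ".ad",
    ".ldd", ".sd", ".cd", ".adprototype", ".lddprototype", ".sdm",
    ".sdmdocument", ".mdf", ".ldf", ".exclude", ".refresh",
}
# "*.config (but not *.exe.config or *.dll.config)"
CONFIG_EXCEPTIONS = (".exe.config", ".dll.config")


def _parts(path):
    """Split a Windows or POSIX style path into lower-cased components."""
    return path.replace("\\", "/").lower().split("/")


def in_app_folder(path):
    """True if any parent directory is named App_* (assumed naming rule)."""
    return any(p.startswith("app_") for p in _parts(path)[:-1])


def classify(path, mime_mapped):
    """Return 'protected', 'no-mime' or 'review' for one file.

    mime_mapped: lower-case extensions that have a MIME mapping on the
    server. The 'no-mime' result relies on the IIS 6.0 behaviour described
    in the bulletin; on other IIS versions treat it as 'review'.
    """
    name = _parts(path)[-1]
    ext = posixpath.splitext(name)[1]
    if ext in PROTECTED and not name.endswith(CONFIG_EXCEPTIONS):
        return "protected"
    if ext not in mime_mapped:
        return "no-mime"
    return "review"


def audit(paths, mime_mapped):
    """Files in App_* folders that neither mitigation covers."""
    return [p for p in paths
            if in_app_folder(p) and classify(p, mime_mapped) == "review"]


# Constructed sample data, not taken from any real server.
SAMPLE_MIME = {".xml", ".txt", ".htm"}
SAMPLE_PATHS = [
    r"site\App_Data\orders.mdb",
    r"site\App_Data\export.xml",
    r"site\App_Data\cache.data",
    r"site\App_Code\Helper.cs",
    r"site\App_Data\tool.exe.config",
    r"site\default.aspx",
]

if __name__ == "__main__":
    for p in audit(SAMPLE_PATHS, SAMPLE_MIME):
        print("review:", p)
```

Files reported as "review" are the ones to patch first, rename to an unmapped extension, or move out of the App_* folder.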
Customers using URLScan who have followed the guidance in Knowledge Base
Article 815155 for hardening ASP.NET web applications are at less risk from
this vulnerability.
Workarounds
- - -----------
Microsoft has tested the following workarounds. While these workarounds will
not correct the underlying vulnerability, they will help to block known
attack vectors.
- Remove Read permission from all ASP.NET 2.0 Application folders.
Removal of the Read permissions for Web content helps protect the
affected system from attempts to exploit this vulnerability.
To set permissions for Web content on Windows 2000 running IIS5.0 using
the Microsoft Management Console (MMC):
1. Click Start, then click Run and then type:
%systemroot%\system32\inetsrv\iis.msc
2. When the Internet Information Services MMC snap-in loads, in the left
pane, click the plus (+) sign next to the computer name to expand the
list of web sites hosted on that server.
3. Expand the first web site by clicking the plus (+) sign next to it.
4. For each ASP.NET 2.0 Application Folder, right click on the folder and
select Properties
5. On the Directory or Virtual Directory tab clear the checkbox next to
Read and press OK
6. Repeat step 3 for each web site and application hosted on the server.
To set permissions for Web content on Windows 2003 with IIS 6.0 using the
Microsoft Management Console (MMC):
1. Click Start, click Run and then type:
%systemroot%\system32\inetsrv\iis.msc
2. When the Internet Information Services MMC snap-in is finished loading,
in the left pane, click the plus (+) sign next to the computer name
3. Click the plus (+) sign next to the Web sites folder to expand the
list of web sites hosted on that server.
4. Expand the first web site by clicking the plus (+) sign next to it.
5. For each ASP.NET 2.0 Application Folder, right click on the folder
and select Properties
6. On the Directory or Virtual Directory tab clear the checkbox next to
Read and press OK
7. Repeat step 4 for each web site and application hosted on the server.
Impact of Workaround: Denying read access on the virtual directory would
block reflection and therefore inhibits remote
debugging.
- Use URLScan with the DenyUrlSequences setting to disallow URLs that
request protected file extensions.
1. If URLScan is already installed, make a backup copy of the URLScan.ini
before continuing to the next step.
2. Configure the URLScan.ini (located in the
%windir%\system32\inetsrv\urlscan folder by default) with the following
settings:
3. In the [Options] section, ensure that NormalizeUrlBeforeScan is set to 1
4. In the [Options] section, ensure that VerifyNormalization is set to 1
5. In the [DenyUrlSequences] section, ensure that the backslash \ character
is listed
6. Re-start IIS for the changes to take effect.
Note: The above settings are enabled by default in versions of URLScan
installed by the IIS Lockdown wizard and for all stand-alone
installations of URLScan 2.5.
Note: For additional information on configuring URLScan to work with
ASP.NET applications refer to Knowledge Base Article 815155.
Impact of Workaround: Improper configuration of URLScan could prevent some
web applications from functioning properly.
- Use file extensions for files in the App_* folders that are not mapped to
ASP.NET and that have no MIME type mapping that IIS can use.
If a static file extension has no MIME type mapping Internet Information
Services 6.0 (IIS) will not serve it.
Impact of Workaround: None
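One way to check an existing URLScan.ini against steps 3 to 5 of the URLScan workaround above. This is an added example, not code from Microsoft or from this bulletin; the function names and the two sample files are constructed, and a missing key is reported the same way as a wrong value.

```python
def parse_urlscan_ini(text):
    """Return {section_name_lower: [entries]} for a URLScan.ini-style file.

    [DenyUrlSequences] holds bare sequences, one per line (for example ".."
    or ":"), so a key=value INI parser would misread it. Lines are split by
    hand instead; ';' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_workaround(text):
    """Return a list of findings; an empty list means all three settings are in place."""
    sections = parse_urlscan_ini(text)
    options = {}
    for line in sections.get("options", []):
        key, sep, value = line.partition("=")
        if sep:
            options[key.strip().lower()] = value.strip()
    findings = []
    for key in ("NormalizeUrlBeforeScan", "VerifyNormalization"):
        if options.get(key.lower()) != "1":
            findings.append("[Options] %s is not set to 1" % key)
    if "\\" not in sections.get("denyurlsequences", []):
        findings.append("[DenyUrlSequences] does not list the backslash character")
    return findings


# Constructed sample files for illustration.
GOOD_INI = r"""
[Options]
NormalizeUrlBeforeScan=1   ; canonicalize the URL before checking it
VerifyNormalization=1
[DenyUrlSequences]
..
\
:
"""

WEAK_INI = r"""
[Options]
NormalizeUrlBeforeScan=1
VerifyNormalization=0
[DenyUrlSequences]
..
:
"""

if __name__ == "__main__":
    for name, ini in (("good", GOOD_INI), ("weak", WEAK_INI)):
        print(name, check_workaround(ini) or "OK")
```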
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----