Partilhar via


Microsoft Security Bulletin MS08-065 - MSMQ 2.0 vulnerability

This bulletin came out yesterday and only applies to Windows 2000.

If you are still running systems using MSMQ 2.0 then please download and deploy the hotfix at your earliest convenience.

This KB discusses the hotfix (build 5.0.0.807):

951071 MS08-065: Vulnerability in Message Queuing could allow remote code execution

The bulletin can be found in more detail here:

Microsoft Security Bulletin MS08-065 – Important
Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)

but here's the important parts for you:

FAQ for Message Queuing Service Remote Code Execution Vulnerability - CVE-2008-3479

What is the scope of the vulnerability?  
This is a remote code execution vulnerability for Microsoft Windows 2000 systems with the MSMQ service enabled. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs or view, change, or delete data.

What causes the vulnerability?  
The MSMQ service does not correctly parse specifically crafted RPC requests.

What is Message Queuing?  
Microsoft Message Queuing technology enables applications that are running at different times to communicate across heterogeneous networks and across systems that may be temporarily offline. Applications send messages to queues and read messages from queues. Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios. For more information about Message Queuing, see the Message Queuing product documentation.

What is RPC?  
Microsoft RPC is a model for programming in a distributed computing environment. The goal of RPC is to provide transparent communication so that the client appears to be directly communicating with the server. Microsoft's implementation of RPC is compatible with the Open Software Foundation (OSF) Distributed Computing Environment (DCE) RPC. For more information about RPC, see the RPC MSDN site.

What might an attacker use the vulnerability to do?  
An unauthenticated attacker could cause arbitrary code to run remotely in the context of SYSTEM by sending a specially crafted RPC request to the MSMQ service. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?  
An attacker could exploit this vulnerability by sending a specially crafted RPC request to the MSMQ service. A heap request can be controlled and later overflowed during an unchecked string copy operation. Successful exploitation of this vulnerability could lead to full access of the affected system under the SYSTEM context.

What systems are primarily at risk from the vulnerability?  
Microsoft Windows 2000 systems with the MSMQ service enabled are the systems that are at risk.

What does the update do?  
The update removes the vulnerability by modifying the way that the MSMQ service validates parameters to the string APIs invoked by MSMQ.

When this security bulletin was issued, had this vulnerability been publicly disclosed?  
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?  
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.