
Some details about MS05-007 security bulletin



Hello,

I'd like to provide some details about the vulnerability fixed by the MS05-007
security bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx

The Microsoft security bulletin is in some ways misleading, and I've seen that
the following CERT vulnerability note:

        http://www.kb.cert.org/vuls/id/939074

incorrectly describes the vulnerability as related to the Computer Browser
Windows service.

The File information section of the MS05-007 security bulletin shows that
srvsvc.dll is the only updated file. srvsvc.dll implements the lanmanserver
service (Server service, userland part of server-side Windows SMB/CIFS
implementation).

If the vulnerability had been in the Computer Browser service itself, the
updated file would have been browser.dll.

The updated version of srvsvc.dll adds some additional restrictions to at least
one operation of the srvsvc MSRPC interface. 

A complete list of operations of the srvsvc interface can be found at:

        http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s07.html

Because it is typically possible to bind anonymously to RPC services such as
srvsvc or wkssvc (RPC service of the workstation service), restrictions are
defined for each operation:

        http://www.hsc.fr/ressources/articles/win_net_srv/ch04s06s11.html

These restrictions are particularly important for anonymous accesses, which are
possible using SMB NULL sessions to the IPC$ share.

It was recently discovered that even in Windows XP SP2, it is still possible to
gather some information anonymously, using specific operations of the srvsvc or
wkssvc MSRPC interfaces:

        http://www.securityfriday.com/Topics/winxp2.html

Specifically, using the NetrSessionEnum operation (srvsvc interface), it is
possible to anonymously enumerate users who have established an SMB session on a
remote server.

The MS05-007 patch forbids the NetrSessionEnum operation in the context of a
NULL session.

Thus, it only fixes a very specific problem and cannot be considered as the
correct way to fix this kind of vulnerability.


Before Windows XP SP2 (i.e., Windows XP SP1), you need to apply the MS05-007
patch if you want to prevent this vulnerability. 

On Windows XP SP2, the easiest way to fix the vulnerability without applying the
patch is to remove the "browser" string from the NullSessionPipes registry
value:

        http://www.hsc.fr/ressources/articles/win_net_srv/ch04s06s06.html

Disabling the Computer Browser service is another method to prevent the 
vulnerability but this workaround only works for Windows XP SP2.

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand@xxxxxx
HSC - http://www.hsc.fr/
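The two workarounds named in the post (removing "browser" from the NullSessionPipes value, and disabling the Computer Browser service), as an added PowerShell example that is not part of the original message or of any HSC material. It assumes it is run with administrative rights on the Windows XP SP2 host, that NullSessionPipes lives at the documented LanmanServer registry location as a REG_MULTI_SZ value, and that the Computer Browser service's internal name is "Browser"; the -WhatIf switch is a local convention of this script, not a Windows setting.

```powershell
# Added example (not from the original post). Hardens the Server service's
# anonymous pipe list by removing "browser" from NullSessionPipes, which is
# the registry-only workaround the post recommends for Windows XP SP2, and
# optionally stops and disables the Computer Browser service as well.
# Assumption: run from an elevated PowerShell session on the target host.
param(
    [switch]$DisableBrowserService,   # also stop/disable the Computer Browser service
    [switch]$WhatIf                   # only report what would change
)

# Documented location of the NullSessionPipes value (REG_MULTI_SZ).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'NullSessionPipes'

# Read the current list; a missing value yields an empty array.
$current = @((Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name)
Write-Host "Current $name : $($current -join ', ')"

# Drop empty entries and the "browser" pipe name. PowerShell's -ne is
# case-insensitive, so "Browser" and "browser" are both removed.
$remaining = @($current | Where-Object { $_ -and ($_ -ne 'browser') })

if ($current -contains 'browser') {
    if ($WhatIf) {
        Write-Host "Would remove 'browser' from $name (remaining: $($remaining -join ', '))"
    } else {
        # Write the value back as a multi-string, even if the list is now empty.
        Set-ItemProperty -Path $key -Name $name -Value ([string[]]$remaining) -Type MultiString
        Write-Host "Removed 'browser' from $name"
    }
} else {
    Write-Host "'browser' is not listed in $name; nothing to change."
}

# Second workaround from the post: disable the Computer Browser service.
if ($DisableBrowserService) {
    $svc = Get-Service -Name 'Browser' -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "Computer Browser service not found on this host."
    } elseif ($WhatIf) {
        Write-Host "Would stop and disable the Computer Browser service (current: $($svc.Status))"
    } else {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'Browser' -Force }
        Set-Service -Name 'Browser' -StartupType Disabled
        Write-Host "Computer Browser service stopped and disabled."
    }
}

# Show the resulting value so the change can be verified.
$after = @((Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name)
Write-Host "Resulting $name : $($after -join ', ')"
```

Run it once with -WhatIf to see the current pipe list before changing anything. The script only edits the registry value; whether the running Server service picks the new list up immediately is not stated in the post, so restart the lanmanserver service (or reboot) if the restriction must apply right away. As the post notes, both workarounds apply to Windows XP SP2 only; Windows XP SP1 hosts still need the MS05-007 patch.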