Vulnerability in Windows Media Services
By Fabien PERIGAUD, Thursday 15 April 2010 at 14:51 :: General :: #371
This month, Microsoft fixed a vulnerability we reported last summer: a stack-based buffer overflow in the "Windows Media Unicast" service of Windows Media Services on Windows 2000 (Ref. Lexsi 13242).
Although vulnerability research is not one of our activities, we found this one during a fuzzing session that grew out of an incident response case for a client whose critical data had been stolen. Tracing the attackers led us to many compromised servers, which had the following in common:
- Windows 2000 or 2003 operating system
- Windows Media Services service enabled
These clues suggested that a 0-day vulnerability in Windows Media Services might have been used to compromise the servers. The hypothesis was reinforced when we discovered that the attackers had been scanning for TCP port 1755, the MMS port used by Windows Media Services.
Once our engagement was over, we pointed a simplistic fuzzer at TCP port 1755 of a Windows 2000 Server test host. The test paid off: the service crashed a few tens of minutes later. The vulnerability was quickly identified and a working exploit was written (something that seems to have taken Immunity no more than a few hours, if not minutes, after the vendor's advisory was published).
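As an added illustration (not Lexsi's own fuzzer, which the post does not describe), here is the skeleton of such a simplistic mutation fuzzer in Python. The MMS request format is not covered by the post either, so the SEED payload below is a constructed placeholder (a 4-byte little-endian length prefix followed by an opaque body); in practice you would start from a captured legitimate request. The crash heuristic is the one the post implies: a service that answered a moment ago and now refuses connections has died, and the test case delivered just before is the suspect to triage under a debugger.

```python
"""Simplistic mutation fuzzer for a TCP service such as the one on port 1755.

Added example for this post, not Lexsi's tool. SEED is a constructed
placeholder (length prefix + opaque body), not a real MMS request.
"""
import random
import socket
import struct
import sys
from typing import Optional

# Constructed placeholder seed: 4-byte little-endian length, then 16 bytes of body.
# The mutators assume a seed of at least 4 bytes.
SEED = struct.pack("<I", 16) + b"A" * 16


def splice_run(data: bytes, offset: int, byte: int, count: int) -> bytes:
    """Insert a long run of one byte at *offset*: the classic stack-smash probe."""
    return data[:offset] + bytes([byte]) * count + data[offset:]


def overwrite_u32(data: bytes, offset: int, value: int) -> bytes:
    """Replace the 4 bytes at *offset* with *value* (LE) to stress length/size checks."""
    return data[:offset] + struct.pack("<I", value) + data[offset + 4:]


def flip_bytes(data: bytes, rng: random.Random) -> bytes:
    """XOR one to four random bytes with a non-zero mask; length is unchanged."""
    out = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        out[rng.randrange(len(out))] ^= rng.randint(1, 255)
    return bytes(out)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Return *seed* with one randomly chosen mutation applied."""
    strategy = rng.choice(["flip", "run", "length", "truncate"])
    if strategy == "flip":
        return flip_bytes(seed, rng)
    if strategy == "run":
        return splice_run(seed, rng.randrange(len(seed) + 1),
                          rng.choice([0x41, 0xFF, 0x00]), rng.choice([256, 1024, 4096]))
    if strategy == "length":
        # Offsets are chosen so the 4-byte write stays inside the seed.
        return overwrite_u32(seed, rng.randrange(len(seed) - 3),
                             rng.choice([0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]))
    return seed[:rng.randrange(len(seed))]  # truncate


def probe(host: str, port: int, payload: bytes, timeout: float = 3.0) -> str:
    """Deliver one payload and classify the outcome.

    'alive'   - the service answered or closed the connection cleanly
    'reset'   - RST while we were talking (the handler may have just died)
    'timeout' - no answer (hang, or a crashed worker left us waiting)
    'refused' - nobody listening any more: the process is gone
    'error'   - any other socket failure (unreachable host, etc.)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            s.recv(4096)
        return "alive"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def fuzz(host: str, port: int, seed: bytes, iterations: int,
         rng_seed: int = 0) -> Optional[bytes]:
    """Send mutated payloads until the service stops accepting connections.

    Returns the payload delivered just before the first 'refused' (the crash
    suspect), or None if nothing was listening or the service survived.
    """
    rng = random.Random(rng_seed)
    previous = seed
    for n in range(iterations):
        payload = mutate(seed, rng)
        status = probe(host, port, payload)
        if status == "refused":
            if n == 0:
                print("nothing listening on the target port")
                return None
            print(f"[{n}] connection refused: service down, suspect is case {n - 1}")
            return previous
        if status != "alive":
            print(f"[{n}] {status} after {len(payload)}-byte payload")
        previous = payload
    return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    suspect = fuzz(target, 1755, SEED, iterations=100000)
    if suspect is not None:
        with open("crash_suspect.bin", "wb") as f:
            f.write(suspect)
        print("saved crash_suspect.bin for triage under a debugger")
```

Run it against a lab host only (`python fuzzer.py 192.0.2.10`). Because every run is seeded with a fixed `rng_seed`, the sequence of test cases is reproducible, so once the service dies the suspect payload can be replayed on its own with the service under a debugger to confirm the fault and locate the overflowed buffer.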
Our exchanges with Microsoft taught us that this vulnerability only affects Windows 2000, so it cannot be what the attackers used, at least not against the Windows 2003 servers...
As for the patch day as a whole, it is rather heavy: no fewer than 25 vulnerabilities fixed in 11 bulletins. A few of them deserve attention:
- MS10-020: five vulnerabilities in the Windows SMB client, four of them found by Laurent Gaffié, as he had promised at the time of his previous discovery. Unlike the server side, the SMB client had apparently not been investigated in depth until now! (Ref. Lexsi 13243)
- MS10-021: eight vulnerabilities in the Windows kernel, five of them found by Hispasec in an "obscure" (Microsoft's word) feature of the Windows registry: symbolic links (Ref. Lexsi 13251).
No two patch days look alike!