Microsoft Windows WINS Replication Packet Handling Vulnerability
CRITICAL: Moderately critical
IMPACT: System access
WHERE: From local network
OS: Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows 2000 Server, Microsoft Windows NT 4.0 Server, Microsoft Windows NT 4.0 Server, Terminal Server Edition, Microsoft Windows Server 2003 Datacenter Edition, Microsoft Windows Server 2003 Enterprise Edition, Microsoft Windows Server 2003 Standard Edition, Microsoft Windows Server 2003 Web Edition
Nicolas Waisman has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error within WINS (Windows Internet Name Service) during the handling of replication packets. This can be exploited to write 16 bytes to an arbitrary memory location by sending a specially crafted WINS replication packet to a vulnerable server.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been reported in Windows 2000 SP2 through SP4. Other versions are also reported to be affected.
Solution:
Restrict traffic to the WINS replication service (ports 42/tcp and 42/udp).
Use IPSec to secure traffic between WINS servers.
Disable WINS.
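A way to check that the first mitigation is actually in effect is to audit firewall or flow logs for traffic reaching 42/tcp or 42/udp from anything other than the known WINS replication partners. The script below is an added example, not code from the advisory or from Microsoft; the log line format, the partner allow-list and every address in it are constructed for illustration, and parse_event() is the part to swap for a parser matching your own firewall or flow export.

```python
"""Audit flow or firewall logs for WINS replication traffic (42/tcp, 42/udp)
that does not originate from an approved replication partner.

Added example, not from the advisory or Microsoft. Log format, addresses and
the partner list are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# The advisory identifies 42/tcp and 42/udp as the WINS replication ports.
WINS_REPLICATION_PORT = 42

# Constructed (hypothetical) allow-list of WINS replication partner servers.
APPROVED_WINS_PARTNERS = {"10.0.1.10", "10.0.2.10"}

# Constructed record format, one flow per line:
#   <timestamp> <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s+(?P<action>\w+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str


def parse_event(line):
    """Parse one log line into an Event. Returns None for lines that do not
    match the format or carry an invalid IP, so one bad line never aborts
    a whole log pass."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = str(ipaddress.ip_address(m["src"]))
        dst = str(ipaddress.ip_address(m["dst"]))
    except ValueError:
        return None
    return Event(ts=m["ts"], proto=m["proto"].lower(), src=src,
                 sport=int(m["sport"]), dst=dst, dport=int(m["dport"]),
                 action=m["action"].lower())


def is_wins_replication(event):
    """True for any TCP or UDP flow aimed at the WINS replication port."""
    return event.dport == WINS_REPLICATION_PORT and event.proto in ("tcp", "udp")


def find_unapproved_replication(lines, partners=APPROVED_WINS_PARTNERS):
    """Return events reaching 42/tcp or 42/udp from a source that is not an
    approved partner. An 'allow' record here means the port restriction the
    advisory recommends is not in place for that source."""
    allowed = {str(ipaddress.ip_address(p)) for p in partners}
    flagged = []
    for line in lines:
        event = parse_event(line)
        if event is None or not is_wins_replication(event):
            continue
        if event.src not in allowed:
            flagged.append(event)
    return flagged


def summarize_by_source(events):
    """Count flagged events per source address, for alerting or review."""
    counts = {}
    for event in events:
        counts[event.src] = counts.get(event.src, 0) + 1
    return counts


# Constructed sample log: two approved partners, one unapproved host reaching
# port 42 over both protocols, one unrelated port-80 flow and one junk line.
SAMPLE_LOG = """
2004-01-01T10:00:01Z tcp 10.0.1.10:1025 -> 10.0.3.5:42 allow
2004-01-01T10:00:02Z udp 10.0.2.10:42 -> 10.0.3.5:42 allow
2004-01-01T10:00:03Z tcp 192.168.77.4:3344 -> 10.0.3.5:42 allow
2004-01-01T10:00:04Z udp 192.168.77.4:3345 -> 10.0.3.5:42 allow
2004-01-01T10:00:05Z tcp 192.168.77.4:3346 -> 10.0.3.5:80 allow
this line is not a flow record
""".strip().splitlines()


if __name__ == "__main__":
    hits = find_unapproved_replication(SAMPLE_LOG)
    for e in hits:
        print(f"{e.ts} {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} ({e.action})")
    print(summarize_by_source(hits))
```

Both protocols are checked because the advisory lists 42/tcp and 42/udp; a rule set that only filters TCP leaves the UDP path open. Running the check over the sample log flags the two port-42 flows from 192.168.77.4 and ignores its port-80 flow and the malformed line.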
Provided and/or discovered by:
Nicolas Waisman, Immunity.
Original Advisory:
http://www.immunitysec.com/downloads/instantanea.pdf
