Thursday, April 06, 2006
Windows Services Vulnerabilities - SANS Top 20
Windows services are the easiest exploit targets in the OS. The Windows Service Control Manager (SCM) runs as services.exe. More than any other vulnerability class, the exploits here rely on the buffer overrun (buffer overflow).
What is a buffer overrun?
In computer security and programming, a buffer overflow, or buffer overrun, is an anomalous condition where a process attempts to store more data in a buffer than there is memory allocated for it. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.
Windows Services are exposed to the Internet via interfaces like:
RPC (Remote Procedure Call)
Remote procedure call (RPC) is a protocol that allows a computer program running on one computer to cause a subroutine on another computer to be executed without the programmer explicitly coding the details for this interaction.
CIFS (Common Internet File System)
CIFS is nothing but SMB (Server Message Block). IBM originally invented SMB to turn DOS "Interrupt 33" local file access into a networked file system, but the most common version has been heavily modified by Microsoft.
These services are exposed through well-known TCP and UDP ports.
Understanding why a service is vulnerable is important. Stopping or simply terminating services, or blocking ports, does NOT help.
SUMMARY OF VULNERABLE SERVICES
Windows Service Control Manager (SCM).
This is the heart of all Windows services; every service depends on it. Any vulnerability in this process is passed on to the child processes it manages.
services.exe is a part of the Microsoft Windows operating system and manages the starting and stopping of services. This process also handles the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.
Note: services.exe is also the name used by the W32.Randex.R Trojan (stored in the %systemroot%\system32\ directory), the Sober.P Trojan (stored in the %systemroot%\Connection Wizard\Status\ directory) and the Sober.S/V Trojans (executed from %Windir%\ConnectionStatus\Microsoft\services.exe). These Trojans allow attackers to access your computer, stealing passwords and personal data. They are registered security risks and should be removed immediately.
MSDTC and COM+ Service
msdtc.exe is the Microsoft Distributed Transaction Coordinator. This process is loaded into the system by Microsoft Personal Web Server and Microsoft SQL Server. The service is used to manage transactions across multiple servers. Hence all database vulnerabilities apply to this service.
Print Spooler Service
spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers. This program is important for the stable and secure running of your computer and should not be terminated.
Note: spoolsv.exe is also the name used by the Backdoor.Ciadoor.B Trojan and the Iambigbrother spyware. The Ciadoor Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
Plug and Play Service
Umpnpmgr.dll also runs a server in the background to enable Plug and Play device compatibility. This service accepts incoming RPC requests for device operations. It must be patched as a high priority.
Available Patches: (MS05-047, MS05-039)
Server Message Block Service
Server Message Block (SMB), and its follow-on, Common Internet File System (CIFS), is the Internet Standard protocol that Windows uses to share files, printers and serial ports, and also to communicate between computers. To do this, SMB uses named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources; servers make SMB responses. This is described as a client-server, request-response protocol.
Note: This service has a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exchange SMTP Service
A heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port.
Exchange Server 2003 will not process X-LINK2STATE commands that originate from unauthenticated users. The level of authentication required to exploit this vulnerability is typically only granted to other Exchange Servers within the same organization.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Message Queuing Service
Message Queuing is a middleware component of the Windows operating system. In a nutshell, middleware is for applications what mail is for humans. Your application can use Message Queuing to send messages to another application even if the recipient application is not running or the computer on which the sender or recipient application is running is disconnected from the network. Messages are stored and forwarded by Message Queuing until they reach the destination queue. Later, when a recipient application runs, it can retrieve the messages from the queue.
A remote code execution vulnerability exists in the Message Queuing component. By default, the Message Queuing component is not installed on any affected operating system version. Only customers who manually installed the Message Queuing component could be vulnerable to this issue.
An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
Available Patches: (MS05-017)
License Logging Service
llssrv.exe on Microsoft Windows Server is the License Logging Service. It is no longer in use but must NOT be removed or deleted. The server will restart every 60 minutes.
Quote from Microsoft:
“License Logging Service (LLS) is a tool that was originally designed to help customers manage licenses for Microsoft server products that are licensed in the Server Client Access License (CAL) model. LLS was introduced with Windows NT Server 3.51. By default, LLS is disabled in Windows Server 2003. Because of original design constraints and evolving license terms and conditions, LLS cannot provide an accurate view of the total number of CALs that are purchased as compared to the total number of CALs that are used on a single server or across the enterprise. The CALs that are reported by LLS may conflict with the interpretation of the End User License Agreement (EULA) and with Product Usage Rights (PUR). LLS will not be included in future versions of the Windows operating system.”
WINS Service
wins.exe is the predecessor to the current DNS service. WINS offers computer name resolution services for your LAN and should not be terminated if in use.
What causes the vulnerability?
An unchecked buffer in the method that WINS uses to validate the Name value in a specially-crafted packet. The possibility of a denial of service on Windows Server 2003 results from the presence of a security feature that was used in the development of Windows Server 2003. This security feature detects when an attempt is made to exploit a stack-based buffer overrun and reduces the chance that it can be easily exploited. This security feature can be forced to terminate the service to prevent malicious code execution. On Windows Server 2003, when an attempt is made to exploit the buffer overrun, the security feature reacts and terminates the service. This results in a denial of service condition of WINS. Because it is possible that methods may be found in the future to bypass this security feature, which could then enable code execution, customers should apply the update.
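As an added illustration (not code from the original post), here is a constructed name-field parser in two forms: the unchecked copy that produces the buffer overrun defined at the start of the post, and the length-checked fix, each sitting below a simulated /GS-style security cookie so the behaviour described above (overrun detected, service terminated, code not executed) can be seen. The packet layout, buffer size, cookie value and function names are assumptions for the demo, not the WINS wire format.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a packet carrying a name field: one length byte
 * followed by that many bytes of name data (not the real WINS wire format). */
#define NAME_BUF 16
#define COOKIE   0x5A5A5A5AU

/* Simulated stack frame: the fixed-size name buffer sits directly below a
 * /GS-style security cookie, the layout the cookie is designed to guard. */
struct frame { char name[NAME_BUF]; uint32_t cookie; };

enum outcome { NAME_OK = 0, NAME_REJECTED = 1, SERVICE_TERMINATED = 2 };

/* Constructed samples: a benign 5-byte name and a 20-byte name that overruns
 * the 16-byte buffer and clobbers the cookie behind it. */
static const uint8_t PKT_OK[] = { 5, 'A', 'L', 'I', 'C', 'E' };
static const uint8_t PKT_OVERSIZED[] = { 20,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

/* Unchecked handler: trusts the length byte. The copy is capped at the frame
 * size only so this demo stays memory-safe; a real unchecked copy would run on
 * past the cookie into saved registers and the return address. */
enum outcome handle_name_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    struct frame f; size_t len;
    if (pkt_len < 1) return NAME_REJECTED;
    len = pkt[0];
    if (len > pkt_len - 1) return NAME_REJECTED;   /* truncated packet */
    f.cookie = COOKIE;
    if (len > sizeof f) len = sizeof f;            /* demo-only cap */
    memcpy(&f, pkt + 1, len);                      /* overruns name[] */
    /* Cookie check: the overrun becomes a crash (denial of service). */
    return f.cookie == COOKIE ? NAME_OK : SERVICE_TERMINATED;
}

/* Fixed handler: validates the length against the buffer before the copy,
 * leaving room for a terminator, so the cookie is never reached. */
enum outcome handle_name_checked(const uint8_t *pkt, size_t pkt_len)
{
    struct frame f; size_t len;
    if (pkt_len < 1) return NAME_REJECTED;
    len = pkt[0];
    if (len > pkt_len - 1 || len >= NAME_BUF) return NAME_REJECTED;
    f.cookie = COOKIE;
    memcpy(f.name, pkt + 1, len);
    f.name[len] = '\0';
    return f.cookie == COOKIE ? NAME_OK : SERVICE_TERMINATED;
}
```

With the oversized packet the unchecked handler returns SERVICE_TERMINATED (the denial of service the text describes), while the checked handler returns NAME_REJECTED before any copy takes place; both accept the benign packet.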
Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
NNTP Service
The NNTP component provides a service that enables the distribution, retrieval, and posting of news articles among the Internet community. NNTP is designed so that news articles are stored in a central database allowing a subscriber to select only those items that they want to read.
The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system, which could then cause the affected system to execute code. An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely).
Available Patches: (MS04-031)
NetDDE Service
netdde.exe is the Network Dynamic Data Exchange server for Microsoft Windows. It is used to facilitate the exchange of data over a network. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
Task Scheduler
mstask.exe is the Windows Task Scheduler process. It manages the scheduling of tasks, such as backups or updates, to run at specific times. If you remove this process the scheduler will be disabled and your scheduled tasks will not run. Hence, this process has to be patched, as it can NOT simply be terminated.
Available Patches: (MS04-022)
All of these vulnerabilities result in remote code execution.
Next: I wish to look at how to fix the holes in Windows services. More than just deploying tools and scanners, understand the problems and come up with a solution.
Take up system-level details like internal DLLs and registry values.
-Moe5000
