
NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak

posted on August 15, 2001 by hitbsecnews

Microsoft has published details of a recently discovered vulnerability. According to the company "the NNTP (Network News Transport Protocol) service in Windows NT 4.0 and Windows 2000 contains a memory leak in a routine that processes news postings.

Each time such a posting is processed that contains a particular construction, the memory leak causes a small amount of memory to no longer be available for use. If an attacker sent a large number of posts, the server memory could be depleted to the point at which normal service would be disrupted thereby causing a Denial of Service and locking up the computer so that it no longer can respond to users....

NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak

Originally posted: August 14, 2001

Summary

Who should read this bulletin: System administrators offering newsgroup services
via Microsoft® Windows NT® 4.0 or Windows® 2000.

Impact of vulnerability: Denial of service.

Recommendation: System administrators should apply the patch immediately to
affected systems.

Affected Software:

  • Microsoft Windows NT 4.0
  • Microsoft Windows 2000


Technical details


Technical description:
The NNTP (Network News Transport Protocol) service in Windows NT 4.0 and Windows 2000
contains a memory leak in a routine that processes news postings. Each time such a posting
is processed that contains a particular construction, the memory leak causes a small
amount of memory to no longer be available for use. If an attacker sent a large number of
posts, the server memory could be depleted to the point at which normal service would be
disrupted. An affected server could be restored to normal service by rebooting.

Mitigating factors:

  • Windows NT 4.0 does not contain a native NNTP service. NNTP is only available on the
    system if the Windows NT 4.0 Option Pack has been installed.
  • The default configuration of NNTP is not affected by the vulnerability, as no newsgroups
    are configured by default.
  • The vulnerability would not enable an attacker to usurp any administrative control or
    compromise data on the machine.

Vulnerability identifier: CAN-2001-0543

Tested Versions:
Microsoft tested Windows NT 4.0 and Windows 2000 to assess whether they are affected by
these vulnerabilities. Previous versions are no longer supported, and may or
may not be affected by these vulnerabilities.


Frequently asked questions


What’s the scope of this vulnerability?

This is a denial of service vulnerability. By repeatedly sending a news posting to an
affected server, an attacker could degrade its performance, potentially to the point where
the server would be unable to provide useful service.

The vulnerability would not enable an attacker to compromise any data on the server, or to
usurp any privileges on the machine. The administrator of an affected Windows NT 4.0
machine could restore normal service by rebooting the machine; a Windows 2000 machine
would automatically restore service.

What causes the vulnerability?

The vulnerability results because the NNTP service in Windows NT 4.0 and Windows 2000
contains a memory leak. If a sufficient quantity of postings containing a particular
malformation were received, it could deplete the available memory to the point where the
server would be incapable of performing useful work.

What’s NNTP?

NNTP (Network News Transfer Protocol) is an industry-standard protocol that specifies a
method for posting, distributing, searching and archiving news articles via Internet-based
servers. The vulnerability results because the NNTP implementation in Windows NT 4.0 and
Windows 2000 contains a memory leak that could be used to disrupt the NNTP service.

What’s a memory leak?

A memory leak is an implementation error that depletes the available memory on a
system. As a process on a computer runs, it may need more or less memory, depending on
exactly what it is doing from one minute to the next. When the process needs more memory,
it requests it from the operating system; when it no longer needs the additional memory,
it should return it to the operating system so it can be allocated to other processes.

A memory leak occurs when a process doesn't correctly return memory to the operating
system. Instead of becoming available for allocation to another process, the memory
remains assigned to the process even though the process is no longer using it. This
effectively makes the block of memory unavailable.

How does the memory leak happen in this case?

In the case of this vulnerability, the NNTP service has a memory leak that results when
it processes a particular type of malformed news posting. Each time the service accepts
such a posting, it requests memory from the operating system; however, it doesn’t
return the memory when it finishes handling the request.
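To make the two preceding answers concrete, here is an added C example (not Microsoft's code; the bulletin does not describe the NNTP service's parsing routine or the "particular construction", so the "header block not closed by a blank line" check below is a hypothetical stand-in): a handler that copies the article and returns early on the malformed case without freeing, beside the corrected handler that frees on every path, with a byte counter that makes the retained memory visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed bookkeeping so the leak is observable: bytes the handler has
 * obtained from the allocator and not yet returned. */
static size_t live_bytes = 0;
static void *svc_alloc(size_t n) { void *p = malloc(n); if (p) live_bytes += n; return p; }
static void svc_free(void *p, size_t n) { if (p) live_bytes -= n; free(p); }
/* Hypothetical stand-in for the bulletin's unspecified "particular construction":
 * a posting is treated as malformed if its header block is not closed by a blank line. */
static int headers_terminated(const char *article) {
    return strstr(article, "\r\n\r\n") != NULL;
}
/* Leaky handler: the error path returns before the buffer is released, so each
 * malformed posting permanently retains strlen(article)+1 bytes. */
int process_posting_leaky(const char *article) {
    size_t len = strlen(article) + 1;
    char *copy = svc_alloc(len);
    if (copy == NULL) return -1;
    memcpy(copy, article, len);
    if (!headers_terminated(copy))
        return -1;                       /* bug: 'copy' is never freed */
    svc_free(copy, len);
    return 0;
}
/* Fixed handler: a single exit path releases the buffer whatever the outcome. */
int process_posting_fixed(const char *article) {
    size_t len = strlen(article) + 1;
    char *copy = svc_alloc(len);
    if (copy == NULL) return -1;
    memcpy(copy, article, len);
    int rc = headers_terminated(copy) ? 0 : -1;
    svc_free(copy, len);
    return rc;
}
/* Feed one posting to a handler 'count' times and report the memory still held. */
size_t retained_after_burst(int (*handler)(const char *), const char *article, int count) {
    live_bytes = 0;
    for (int i = 0; i < count; i++) handler(article);
    return live_bytes;
}
/* Constructed sample postings; the malformed one lacks the blank line. */
static const char MALFORMED[]  = "From: a@example.invalid\r\nNewsgroups: misc.test\r\n";
static const char WELLFORMED[] = "From: a@example.invalid\r\nNewsgroups: misc.test\r\n\r\nbody\r\n";
int main(void) {                         /* stand-alone demonstration */
    printf("leaky: %zu bytes retained\n", retained_after_burst(process_posting_leaky, MALFORMED, 1000));
    printf("fixed: %zu bytes, leaky on well-formed input: %zu bytes\n",
           retained_after_burst(process_posting_fixed, MALFORMED, 1000),
           retained_after_burst(process_posting_leaky, WELLFORMED, 1000));
    return 0;
}
```

The retained total grows linearly with the number of malformed postings in the leaky version and stays at zero in the fixed one, which is the difference the patch described below makes.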

What could an attacker do via this vulnerability?

An attacker could repeatedly send malformed news postings to an affected server in
order to deplete its pool of available memory. As the server's memory pool was depleted,
its performance would gradually slow. If the attack were sustained for a long enough
period, the server could potentially be brought to a standstill and be unable to perform
useful work.

Does the NNTP service run by default?

The answer varies by operating system.

  • Default installations of Windows NT 4.0 don’t contain an NNTP service. NNTP support
    is included as part of the Windows NT 4.0 Option Pack. If the Option Pack has been
    installed, NNTP runs by default.
  • In Windows 2000 server products, NNTP is a native service, and it does run by default.
    In Windows 2000 Professional, NNTP is neither installed nor running by default.

However, this isn’t the complete answer. It’s not enough for the NNTP service
to be installed and running – it also has to be configured to accept postings. By
default, the NNTP service doesn’t have any newsgroups configured, so it doesn’t
accept any postings and hence isn’t affected by the vulnerability. It’s only if
the service is running and configured to accept postings that it’s vulnerable.

Would a successful attack via this vulnerability only disrupt NNTP services, or
would other services on the system be affected as well?

Because the vulnerability depletes the memory pool that all services on the machine
use, a successful attack via the vulnerability would affect the operation of all services
on the machine, not just the NNTP service. So, for instance, if the machine also
hosted shared files, users might be unable to access them after the machine had been
attacked.

Would this vulnerability enable the attacker to gain any privileges on the machine?

No. The sole effect of a successful attack via this vulnerability would be to prevent
the server from operating normally. It wouldn’t grant any privileges to the attacker,
nor would it allow any data to be compromised.

How could an affected server be put back into service?

The server could be returned to normal service by rebooting it.

Could this vulnerability be exploited from the Internet?

The vulnerability could be exploited by any user who could send postings to it. If the
server accepts postings from the Internet, an Internet user could exploit the
vulnerability.

I run an NNTP server, but it’s a “push” server that doesn’t
allow users to post to it. Is my server at risk?

No. If your server doesn’t accept postings, an attacker couldn’t cause the
memory leak to happen.

I use Windows NT 4.0 Server, Terminal Server Edition. Could I be affected by this
vulnerability?

No. The vehicle by which the NNTP service ships, the Windows NT 4.0 Option Pack, cannot
be installed on terminal servers.

I visit news servers frequently from my home computer. Does this vulnerability
affect me?

No. It only affects servers that offer NNTP services; it doesn’t affect the client
machines that visit them.

What does the patch do?

The patch eliminates the vulnerability by causing the NNTP service in Windows NT 4.0
and Windows 2000 to properly deallocate memory after processing a news posting.

Patch availability

Download locations for this patch


Additional information about this patch


Installation platforms:

Inclusion in future service packs:
The fix for the Windows 2000 issue will be included in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:
Microsoft Windows NT 4.0:

  • To verify that the Security Roll-up Package has been installed on the machine, confirm
    that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q303984.
  • To verify the individual files, consult the file manifest in Knowledge Base article
    Q303984.

Microsoft Windows 2000:

  • To verify that the patch has been installed on the machine, confirm that the following
    registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q303984.
  • To verify the individual files, use the date/time and version information provided in
    the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q303984\Filelist

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed in
"Obtaining other security patches".

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Other information:

Acknowledgments

Microsoft thanks Aiden O'Rawe for reporting this issue to us and working with us to
protect customers.

Support:

  • Microsoft Knowledge Base article Q303984 discusses this issue and will be available
    approximately 24 hours after the release of this bulletin. Knowledge Base articles can be
    found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no
    charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits
or special damages, even if Microsoft Corporation or its suppliers have been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:

  • V1.0 (August 14, 2001): Bulletin Created.
