MS03-024: Buffer overrun in Windows could lead to data corruption

Article translations Article translations
Article ID: 817606 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Server Message Block (SMB) is the Internet standard protocol that Windows uses to share files, printers, and serial ports. Windows also uses it to communicate between computers that are using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what is described as a client server request-response protocol.

A flaw exists in the way that the server validates the parameters of an SMB packet. When a client computer sends an SMB packet to the server, it includes specific parameters that provide the server with a set of "instructions." In this case, the server does not correctly validate the buffer length that is established by the packet. If the client specifies a buffer length that is less than what is required, it can cause the buffer to be overrun.

If attackers send a specially crafted SMB packet request, they could cause a buffer overrun to occur. If this flaw is exploited, it could lead to data corruption, system failure, or in the worst case, it could allow attackers to run the code of their choice. The attackers would have to have a valid user account and they would have to be authenticated by the server to exploit this flaw.

Mitigating factors

  • Microsoft Windows Server 2003 is not affected by this vulnerability.
  • By default, it is not possible to exploit this flaw anonymously. The attacker would have to be authenticated by the server before they try to send a SMB packet to it.
  • If you block port 139/445 at the firewall, you can help prevent the possibility of an attack from the Internet.

RESOLUTION

Windows XP service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack

Security patch information

For more information about how to resolve this vulnerability, click the appropriate link below:

Windows XP (all versions)

Download information
The following files are available for download from the Microsoft Download Center:

Windows XP (all 32-Bit versions)

Collapse this imageExpand this image
Download
Download the 817606 package now.

Windows XP 64-Bit Edition Version 2002

Collapse this imageExpand this image
Download
Download the 817606 package now. Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack
Installation information
This patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when the installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed patches.
  • /x : Extract the files without running Setup.
To verify that the patch is installed on your computer, confirm that the following registry key exists.

Windows XP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB817606
Windows XP with Service Pack 1 (SP1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB817606
Deployment information
To install the patch without any user intervention and without forcing the computer to restart, use the /u, /q, and /z command line switches. For example, to install the Windows XP (all 32-bit versions) of the patch without any user intervention and without forcing the computer to restart, use the following command line:
817606_wxp_sp2_x86_enu /u /q /zFor information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/wsus/bb466201.aspx
Restart requirement
You must restart your computer after you apply this patch.
Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when the installation is complete.
  • /q : Use Quiet mode (no user interaction).
Patch replacement information
This patch does not replace any other patches.
File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version        Size       Path and File name
   ---------------------------------------------------------------------------------------
   28-Mar-2003  19:02  5.1.2600.112     322,304  %Windir%\System32\Drivers\Srv.sys  pre-SP1   i386
   28-Mar-2003  15:54  5.1.2600.1193    322,048  %Windir%\System32\Drivers\Srv.sys  with SP1  i386

   28-Mar-2003  19:03  5.1.2600.112   1,142,016  %Windir%\System32\Drivers\Srv.sys  pre-SP1   ia64
   28-Mar-2003  15:55  5.1.2600.1193  1,140,480  %Windir%\System32\Drivers\Srv.sys  with SP1  ia64
You can also verify the files that this patch installed by reviewing the following registry keys.

Windows XP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB817606\Filelist
Windows XP with Service Pack 1 (SP1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB817606\Filelist

Windows 2000

Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Download information
The following file is available for download from the Microsoft Download Center:

Collapse this imageExpand this image
Download
Download the 817606 package now. Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Note Customers who are running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update.
Prerequisites
This patch requires Windows 2000 Service Pack 3 (SP3).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Installation information
This patch supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use Unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /n : Do not back up files for removal.
  • /o : Overwrite OEM files without prompting.
  • /z : Do not restart when the installation is complete.
  • /q : Use Quiet mode (no user interaction).
  • /l : List installed patches.
  • /x : Extract the files without running Setup.
To verify the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB817606
Deployment information
To install the patch without any user intervention, use the following command line:
windows2000-kb817606-x86-enu /u /q
To install the patch without forcing the computer to restart, use the following command line:
windows2000-kb817606-x86-enu /z
Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/wsus/bb466201.aspx
Restart requirement
You must restart your computer after you apply this patch.
Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when the installation is complete.
  • /q : Use Quiet mode (no user interaction).
Patch replacement information
This patch is replaced by Windows 2000 Service Pack 4 (SP4).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
This patch does not replace any other patches.
File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version        Size     Path and File name
   ------------------------------------------------------------------------
   01-Apr-2003  16:30  5.0.2195.6699  237,776  %Windir%\System32\Drivers\Srv.sys
   01-Apr-2003  16:31  5.0.2195.6697   74,000  %Windir%\System32\Srvsvc.dll
You can also verify the files that this patch installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB817606\Filelist

Windows NT 4.0 (all versions)

Download information
The following files are available for download from the Microsoft Download Center:

Windows NT 4.0 Workstation and Windows NT 4.0 Server

Collapse this imageExpand this image
Download
Download the 817606 package now.

Windows NT 4.0 Server, Terminal Server Edition

Collapse this imageExpand this image
Download
Download the 817606 package now. Release Date: July 9, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to obtain the latest Windows NT 4.0 service pack
Installation information
This patch supports the following Setup switches:
  • /y : Perform removal (only with /m or /q ).
  • /f : Force programs to be closed at shutdown.
  • /n : Do not create an Uninstall folder.
  • /z : Do not restart when patch completes.
  • /q : Use Quiet or Unattended mode with no user interface (this switch is a superset of /m ).
  • /m : Use Unattended mode with user interface.
  • /l : List installed patches.
  • /x : Extract the files without running Setup.
Deployment information
To install the patch without any user intervention, use the following command line:
q817606i /q
To install the patch without forcing the computer to restart, use the following command line:
q817606i /z
Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/wsus/bb466201.aspx
Restart requirement
You must restart your computer after you apply this patch.
Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
  • /? : Display the list of installation switches.
  • /u : Use unattended mode.
  • /f : Force other programs to quit when the computer shuts down.
  • /z : Do not restart when the installation is complete.
  • /q : Use Quiet mode (no user interaction).
Patch replacement information
This patch does not replace any other patches.
File information
The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version         Size     Path and File name
   ---------------------------------------------------------------------------------
   27-Mar-2003  15:20  4.0.1381.7214   231,312  %Windir%\System32\Drivers\Srv.sys  Windows NT 4.0
   27-Mar-2003  15:26  4.0.1381.33547  231,280  %Windir%\System32\Drivers\Srv.sys  Windows NT 4.0, Terminal Server Edition

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.

Windows XP

This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-024.mspx

Properties

Article ID: 817606 - Last Review: September 27, 2007 - Revision: 11.6
APPLIES TO
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP 64-Bit Edition Version 2002
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0, Terminal Server Edition
Keywords: 
kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbwinnt400presp7fix kbwin2ksp4fix kbwin2000presp4fix kbfix kbbug kbwinxppresp2fix kbsecvulnerability kbsecbulletin kbsecurity KB817606

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com