MS Windows Active Directory BO (Feb 18, 2011)


Microsoft Windows Active Directory is a directory service running on Windows domain controllers. Active Directory utilizes the Computer Browser service technology to collect, distribute, and obtain information about workgroups, domains, and individual hosts on a network.

The Computer Browser service typically uses connectionless server broadcasts to communicate between nodes. Registration, announcements, and browser elections are performed by the service to provide the network with a list of available resources. Individual nodes on a browser system play various browser roles. There are five browse service roles that computers can play in the browser system:

  • Non-Browser
  • Potential Browser
  • Backup Browse Server
  • Master Browse Server
  • Domain Master Browser

All Windows Server 2003 domain controllers are configured as either master browse servers or backup browse servers. A server broadcasts a Host Announcement message on startup to announce its presence to the master browse server. The process of adding a new server entry to the master browse server's browse list is called registration. Where there is no WINS server, all NetBIOS name registrations and name lookups are done by UDP broadcast; where a WINS server is used, the Windows client registers with the WINS server by UDP unicast. The master browse server also registers a NetBIOS name for the domain, which is used to broadcast and receive domain announcements on the local subnet. A Browser Election takes place to select a new master browse server under the following circumstances:

  • A host cannot locate a master browse server
  • A preferred master browse server comes online
  • A Windows-based domain controller starts
  • A backup browse server cannot contact the master browse server

A computer initiates an election by broadcasting a Browser Election Request. The Browser Election Request is carried in an SMB mailslot transaction. The request has the following format:

Offset  Size  Description
------  ----  ----------------------------------
0x0000  1     Command
0x0001  1     Election Version
0x0002  4     Election Criteria
0x0006  4     Client uptime
0x000A  4     Unused
0x000E  N     Null-terminated ASCII server name

If a browser receives a request whose election criteria rank lower than its own, it contests the election by broadcasting its own Browser Election Request. If its criteria do not rank higher, the browser instead waits to learn which computer has become the new master browse server.

A heap overflow vulnerability exists in Microsoft Windows Server 2003 when it is configured as an Active Directory domain controller. The vulnerability is due to a boundary error in the kernel component of the Windows Browser service that handles incoming Browser Election Requests. The vulnerable code fails to properly handle overly long ServerName field values. When processing a request, the code allocates a fixed-size buffer to hold several fields, beginning with the ServerName field. A ServerName field longer than the space available causes the calculated size of the remainder of the buffer to be zero. Later in the processing flow this zero size is decremented by one, producing an integer underflow. The code performs further calculations on the resulting value and then uses it as the length of a double-word copy operation into the same buffer. The copy overruns the buffer and corrupts adjacent memory. This condition can lead to overwritten function pointers and, since the code runs in kernel mode, to kernel-level code injection and execution. Unsuccessful exploitation attempts may crash the target system, resulting in a system-wide denial of service.
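To make the frame layout and the length arithmetic concrete, here is an added C example (this is not SonicWALL's code and not the Windows implementation). It parses a Browser Election Request according to the table above, applying the ServerName length bound that a careful receiver needs, and beside it reproduces the size calculation the paragraph describes so that the wrap from zero to 0xFFFFFFFF can be seen without corrupting any memory. The 0x08 opcode, the little-endian field order and the 32-byte buffer size are assumptions not stated on this page; the sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Browser Election Request, laid out as in the table above. The 0x08 opcode
 * and little-endian wire order are assumptions (MS-BRWS), not stated here. */
#define BRWS_ELECTION_REQUEST 0x08
#define BRWS_ELECT_HDR_LEN    0x0E   /* fixed fields before ServerName */
#define NETBIOS_NAME_MAX      15     /* longest legal NetBIOS host name */
#define FIELD_BUF_SIZE        32u    /* hypothetical; real size not given on page */

struct brws_election {
    uint8_t  command;
    uint8_t  version;
    uint32_t criteria;
    uint32_t uptime;
    uint32_t unused;
    char     server_name[NETBIOS_NAME_MAX + 1];
    size_t   name_len;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one Election Request. Returns 0 on success, -1 for anything a careful
 * receiver drops: short frame, wrong opcode, unterminated or oversized name. */
int brws_parse_election(const uint8_t *pkt, size_t len, struct brws_election *out)
{
    if (len < BRWS_ELECT_HDR_LEN + 1 || pkt[0] != BRWS_ELECTION_REQUEST)
        return -1;
    const uint8_t *name = pkt + BRWS_ELECT_HDR_LEN;
    /* Bounded scan: never run past the frame looking for the terminator. */
    const uint8_t *nul = memchr(name, '\0', len - BRWS_ELECT_HDR_LEN);
    if (nul == NULL)
        return -1;
    size_t name_len = (size_t)(nul - name);
    if (name_len == 0 || name_len > NETBIOS_NAME_MAX)
        return -1;   /* the length check the vulnerable code lacked */
    out->command  = pkt[0];
    out->version  = pkt[1];
    out->criteria = le32(pkt + 2);
    out->uptime   = le32(pkt + 6);
    out->unused   = le32(pkt + 10);
    memcpy(out->server_name, name, name_len);
    out->server_name[name_len] = '\0';
    out->name_len = name_len;
    return 0;
}

/* Mirrors the arithmetic described above: space left in the fixed buffer after
 * ServerName is clamped to zero, then decremented by one before being used as
 * a copy length. For an oversized name, unsigned 0 - 1 wraps to 0xFFFFFFFF. */
uint32_t vuln_remaining_size(uint32_t name_len)
{
    uint32_t remaining = name_len < FIELD_BUF_SIZE ? FIELD_BUF_SIZE - name_len : 0;
    remaining -= 1;
    return remaining;
}

/* Hardened form: reject before the subtraction instead of wrapping after it. */
int64_t safe_remaining_size(uint32_t name_len)
{
    if (name_len >= FIELD_BUF_SIZE)
        return -1;   /* caller drops the frame */
    return (int64_t)(FIELD_BUF_SIZE - name_len - 1);
}

/* Election rule from the text: a receiver whose own criteria rank higher than
 * the request's answers with its own Election Request. */
int brws_should_contest(uint32_t my_criteria, const struct brws_election *req)
{
    return my_criteria > req->criteria;
}

/* Constructed sample frame, not captured traffic. */
static const uint8_t good_frame[] = {
    0x08, 0x01,                 /* Command, Election Version */
    0x20, 0x0f, 0x01, 0x20,     /* Election Criteria (LE) = 0x20010f20 */
    0x00, 0x10, 0x00, 0x00,     /* Client uptime */
    0x00, 0x00, 0x00, 0x00,     /* Unused */
    'S', 'R', 'V', '0', '1', 0  /* ServerName */
};

/* Build a frame whose ServerName is name_len 'A's; returns the frame length. */
size_t build_long_name_frame(uint8_t *buf, size_t buflen, size_t name_len)
{
    if (buflen < BRWS_ELECT_HDR_LEN + name_len + 1)
        return 0;
    memset(buf, 0, BRWS_ELECT_HDR_LEN);
    buf[0] = BRWS_ELECTION_REQUEST;
    buf[1] = 0x01;
    memset(buf + BRWS_ELECT_HDR_LEN, 'A', name_len);
    buf[BRWS_ELECT_HDR_LEN + name_len] = '\0';
    return BRWS_ELECT_HDR_LEN + name_len + 1;
}
```

Feeding `good_frame` to `brws_parse_election` yields a populated structure; feeding a frame built with a 64-byte name makes the parser reject it, while `vuln_remaining_size(64)` returns 0xFFFFFFFF, which is the copy length the text says is handed to the double-word copy. A signature such as the one listed below is, in effect, the ServerName length check applied on the wire rather than in the receiver.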

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 6253 - MS Windows Active Directory BROWSER ELECTION BO Attempt

In addition to this threat-specific signature, SonicWALL routinely releases generic signatures that detect byte patterns frequently used in exploitation attempts against vulnerabilities such as this one.

This vulnerability has been assigned the identifier CVE-2011-0654 by MITRE.
