Vulnerability

CERT-In Vulnerability Note CIVN-2005-0075
Vulnerability in Telephony Service Could Allow Remote Code Execution

Original Issue Date:August 10, 2005

Severity Rating: HIGH

Systems Affected

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition SE , and Microsoft Windows Millennium Edition ME

Overview

A Vulnerability has been reported in Microsoft Windows Telephony, which can be exploited by a local user to gain escalated privileges or by remote malicious user to execute an arbitrary code, depending on the operating system version and configuration.

Description

Telephony Application Programming Interface TAPI integrates telecommunications with the operating system. TAPI supports both traditional and IP telephony to provide voice, data, and video communication. The vulnerability is caused due to an unspecified error in the TAPI service when validating permissions and the length of certain messages before copying the data to an allocated buffer.

The telephony server feature is available on Windows 2000 Server and Windows Server 2003 , remote code execution is possible, when these servers are configured as Telephony servers.

On Windows Server 2003 the Telephony service is restricted to authenticated user accounts, even when enabled as a telephony server. Anonymous attacks are not possible on Windows 2003 Server. On Windows 2000 Server a remote anonymous user could exploit this vulnerability.

A local elevation of privilege vulnerability is possible on Windows 2000 Server and Windows Server 2003 based systems that have not configured the telephony server. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

On Windows 2000 Professional and on Windows XP, this is a local elevation of privilege vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. By default, the Telephony service is not running on Windows XP and Windows Server 2003. However, the TAPI client will start the Telephony service without user interaction when required. Unless the Telephony service has been set to disabled by an administrator, a non-privileged user account can start this service. Systems that have disabled the Telephony service would not be vulnerable to this issue.

Workaround

Disable the Telephony service.
Block the UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at the firewall.
Block all unsolicited inbound traffic on ports greater than 1024 at the firewall.
Use a personal firewall.
Enable advanced TCP/IP filtering on systems.
Block the affected ports by using IPsec on the affected systems.

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS05-040

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS05-040.mspx

References

Security tracker
http://securitytracker.com/alerts/2005/Aug/1014639.html

Secunia Advisory
http://secunia.com/advisories/16354/

CVE Name
CAN-2005-0058

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-2436857

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India