Microsoft Windows Internal Server Vulnerabilities
A large percentage of security breaches involve internal attacks from employees. Disgruntled employees or ex-employees attacking internal servers, such as the Microsoft Active Directory server where all passwords are stored, can have serious results such as compromised sensitive user information, drastic revenue loss, and legal liabilities.
Recently, two new, important vulnerabilities were uncovered in commonly-used Microsoft servers, making them vulnerable to such an attack.
Critical Microsoft License Logging Server Vulnerability
A remote code execution vulnerability has been discovered in the way that the Microsoft License Logging Server software handles specially crafted RPC packets. A remote attacker could exploit this issue to execute arbitrary code on a target system via a specially crafted RPC request.
The License Logging Service is a tool that was originally designed to help customers manage licenses for the Microsoft server products that are licensed in the Server Client Access License (CAL) model. The License Logging Service is one of the services used by Windows Small Business Server 2003 or earlier to manage CALs.
The vulnerability is due to an error in the License Logging Service that fails to validate the length of a string passed to it through an RPC call. This results in a buffer overflow. A remote attacker could exploit this vulnerability by sending a specially crafted network message to a computer running the License Logging service. Successful exploitation of this issue could allow the attacker to take complete control of the system.
Check Point provides protection against attacks that use this vulnerability through its integrated IPS products, IPS Software Blade and SmartDefense. This protection detects and blocks malformed RPC requests sent to the License Logging Service. For more information, see CPAI-2009-286.
Microsoft Active Directory Vulnerability
(MS09-066, CVE-2009-1928)
A denial of service vulnerability has been discovered in implementations of Active Directory on Microsoft Windows. A remote attacker can exploit the vulnerability to cause a denial of service condition on the target system.
Active Directory provides central authentication and authorization services for Windows-based systems. Active Directory Application Mode (ADAM) is a Lightweight Directory Access Protocol (LDAP) directory service that runs as a user service.
The vulnerability is due to an error in the LDAP service that improperly processes specific LDAP or LDAPS requests, leading to stack space exhaustion. A remote attacker may trigger this vulnerability by sending a specially crafted LDAP or LDAPS packet to the Active Directory server. Successful exploitation of this vulnerability could cause a user's system to become non-responsive and require a restart.
Check Point provides protection against attacks that use this vulnerability through its integrated IPS products, IPS Software Blade and SmartDefense. This protection will detect and block a large number of LDAP abandon requests using LSASS. For more information, see CPAI-2009-288.
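The kind of check described above can be sketched as follows. This is an added example, not Check Point's implementation or code from the original page: it walks a reassembled LDAP client stream, decodes each LDAPMessage per RFC 4511, and flags clients that send more AbandonRequest operations than a threshold. The threshold value, the helper names and the sample streams are assumptions constructed for illustration.

```python
ABANDON_TAG = 0x50   # [APPLICATION 16], primitive encoding (RFC 4511 AbandonRequest)
THRESHOLD = 3        # assumed limit per connection; tune to your own baseline

def read_tlv(buf, pos, limit):
    """Return (tag, value_start, value_end) for the element at pos, None if malformed."""
    if pos + 2 > limit:
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F                      # long form: n length octets follow
        if n == 0 or n > 4 or pos + n > limit:
            return None                       # indefinite or oversized length
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return (tag, pos, pos + length) if pos + length <= limit else None

def count_abandons(stream):
    """Walk consecutive LDAPMessage SEQUENCEs and count AbandonRequest operations."""
    count, pos = 0, 0
    while pos < len(stream):
        msg = read_tlv(stream, pos, len(stream))
        if msg is None or msg[0] != 0x30:     # stop at truncated or non-LDAP data
            break
        _, start, end = msg
        msg_id = read_tlv(stream, start, end)             # messageID INTEGER
        if msg_id and msg_id[0] == 0x02:
            op = read_tlv(stream, msg_id[2], end)         # protocolOp CHOICE
            if op and op[0] == ABANDON_TAG:
                count += 1
        pos = end
    return count

def flag_clients(streams, threshold=THRESHOLD):
    """Return clients whose stream holds more AbandonRequests than the threshold."""
    return sorted(c for c, s in streams.items() if count_abandons(s) > threshold)

def ldap_msg(msg_id, op_tag, op_value=b""):
    """Build a minimal LDAPMessage for the constructed sample data below."""
    body = bytes([0x02, 0x01, msg_id, op_tag, len(op_value)]) + op_value
    return bytes([0x30, len(body)]) + body

BIND = ldap_msg(1, 0x60, bytes.fromhex("02010304008000"))   # anonymous simple bind
SAMPLE = {  # constructed streams, documentation addresses
    "192.0.2.10": BIND + ldap_msg(3, ABANDON_TAG, b"\x02") + ldap_msg(4, 0x42),
    "192.0.2.66": BIND + b"".join(ldap_msg(i, ABANDON_TAG, b"\x01") for i in range(2, 7)),
}
```

Calling `flag_clients(SAMPLE)` returns only the second client. The parser covers cleartext LDAP only; LDAPS traffic has to be inspected after TLS termination or from directory server logs.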


