=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN418
_____________________________________________________________________

DATE                      : 01/08/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows 2000, Windows Server 2003,
                                           Windows XP.

======================================================================

Internet Security Systems Protection Brief
July 28, 2006

Vulnerability in Server Driver could result in Denial of Service

Summary:

Multiple versions of Microsoft Windows are vulnerable to a null pointer
dereference in the server driver (srv.sys). By sending a specially-crafted
network packet to an affected system, a remote attacker could cause the
system to crash.

Business Impact:

Attackers can reliably cause Microsoft Windows to blue screen. Users must
reboot to recover from the crash. An exploit is available in the wild. As of
this writing no patch is available for the vulnerability.

Affected Products:

     Microsoft Corporation: Windows 2000 SP4
     Microsoft Corporation: Windows Server 2003
     Microsoft Corporation: Windows Server 2003 Itanium
     Microsoft Corporation: Windows Server 2003 SP1
     Microsoft Corporation: Windows Server 2003 SP1 Itanium
     Microsoft Corporation: Windows Server 2003 x64 Edition
     Microsoft Corporation: Windows XP Pro x64 Edition
     Microsoft Corporation: Windows XP SP1
     Microsoft Corporation: Windows XP SP2

Description:

An exploit was released into the wild that was misconstrued as a denial of
service proof of concept for the Windows Mailslot vulnerability (MS06-035).
In fact, this proof of concept exploits a different vulnerability, which has
not been patched, caused by a null pointer dereference. It is unlikely that
this vulnerability could result in remote code execution; however, complete
system crashes are reliable. As there is no patch available for this problem
at the time of this writing, ISS has decided to provide coverage on an
expedited basis.

Mitigation:

The vulnerability exists in the Server Message Block protocol which runs on
TCP ports 139 and 445. Both of these ports should be blocked at perimeter
firewalls, both inbound and outbound.

Reference:
http://xforce.iss.net/xforce/alerts/id/231
______________________________________________________________________

About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor to
thousands of the world's leading businesses and governments, providing
preemptive protection for networks, desktops and servers. An established
leader in security since 1994, ISS' integrated security platform
automatically protects against both known and unknown threats, keeping
networks up and running and shielding customers from online attacks before
they impact business assets. ISS products and services are based on the
proactive security intelligence of its X-Force® research and development
team - the unequivocal world authority in vulnerability and threat research.
ISS' product line is also complemented by comprehensive Managed Security
Services. For more information, visit the Internet Security Systems Web site
at www.iss.net or call 800-776-2362.

Copyright (c) 2006 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email

xforce@iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's risk.
In no event shall the author/distributor (Internet Security Systems X-Force)
be held liable for any damages whatsoever arising out of or in connection
with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force

xforce@iss.net of Internet Security Systems, Inc.

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================