MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol and is described in RFC 2759. A recent presentation by Moxie Marlinspike has revealed a breakthrough that reduces the security of MS-CHAPv2 to a single DES key search (2^56) regardless of the password length. Today, we published Security Advisory 2743314 with recommendations to mitigate the effects of this issue.
Any potential attack would require a man in the middle situation in which a third party can get all the traffic between the client and authenticator during the authentication.
Without going into much detail about the MS-CHAPv2 protocol, we will just discuss the part that would be affected by this type of attack: the challenge and response authentication. This is how the client responds to the challenge sent by the authenticator:
C = SHA1(CS, CC, UNAME)
P = MD4(PASSWORD)
K1 | K2 | K3 = P | 5 bytes of 0
R = DES(K1, C) | DES(K2, C) | DES(K3, C)
There are several issues in this algorithm that combined together can result in the success of this type of attack.
First, all elements of the challenge and response besides the MD4 hash of the password are sent in the clear over the wire, or can easily be calculated from items that are sent over the wire. This means that a man-in-the-middle attacker who obtains the password hash has everything needed to re-authenticate.
Secondly, the key derivation is particularly weak: padding with 5 zero bytes means that the last DES key has a key space of only 2^16.
Lastly, the same plaintext is encrypted with K1 and K2, which means a single key search of 2^56 is enough to break both K1 and K2.
Once the attacker has K1, K2 and K3 he has the MD4 of the password which is enough to re-authenticate.
- Ali Rahbar, MSRC Engineering
Today we released MS12-060, addressing a potential remote code execution vulnerability in MSCOMCTL.OCX, the binary included with a number of Microsoft products to provide a set of common ActiveX controls.
Limited, targeted attacks exploiting CVE-2012-1856
MS12-060 is on the list of high priority updates for this month for two reasons: we are aware of very limited, targeted attacks taking advantage of CVE-2012-1856, and we expect to see new attacks taking advantage of this vulnerability in the days ahead. We discovered this vulnerability in a malicious RTF file sent by email which attempted to run an exploit when opened with WordPad or Microsoft Word. Deploying MS12-060 will address the vulnerability and will protect against these attacks, so once again we emphasize the urgency of applying this update as soon as possible.
Comparing MS12-060 to MS12-027 (previous MSCOMCTL bulletin)
MS12-060 addresses a different vulnerability than was addressed by the previous MSCOMCTL security update, MS12-027. The previous vulnerability (CVE-2012-0158) was a stack-based buffer overflow affecting both the TreeView and ListView controls. MS12-060 instead fixes a different issue (CVE-2012-1856) caused by an incorrect memory allocation in the code of the TabStrip control. In both cases code execution is possible, but the exploitation methods are very different. We expect to see attacks exploiting CVE-2012-1856 delivered as Office documents, mostly as RTF files, because of the antivirus signature evasion options the RTF format offers, which we previously observed while tracking the CVE-2012-0158 MSCOMCTL vulnerability.
Office mitigations against embedded controls
Microsoft Office includes various on-by-default mitigations and a range of optional security features that, added on top of the MS12-060 security update, offer additional protection layers against suspicious documents with embedded ActiveX controls (such as MSCOMCTL) or other potentially harmful active content. All of these mitigations and additional protection settings were covered and explained in detail in a previous blog post, available at http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx. All the protection settings discussed in that post, such as the Office kill bit and Protected View, are valid defensive measures that will harden Office against similar attacks. The vulnerable CLSID for CVE-2012-1856 is 1EFB6596-857C-11D1-B16A-00C0F0283628.
One more protection layer that we found useful against RTF-based attacks is enabling Protected View by default for all RTF files from the Office Trust Center panel. This simple setting prevents the automatic loading of embedded controls and active content in RTF documents. The Trust Center panel offers two possible configurations: opening RTF files in Protected View with or without editing features enabled. Opening the document in Protected View without editing will block attacks based on embedded controls while still allowing RTF documents to be read and viewed. It is a very good safeguard against malicious RTF files with embedded controls.
Deploying EMET to mitigate the risk
Finally, we noticed that the Enhanced Mitigation Experience Toolkit (EMET) is able to mitigate or neutralize exploitation attempts for this vulnerability, so we encourage customers who want to add another layer of protection on top of the MS12-060 security update to consider deploying EMET, at least to protect browser programs and Office applications on client machines. EMET 3.0 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=29851.
Thanks to Ali Rahbar and Ali Pezeshk from MSRC Engineering for the help investigating this vulnerability.
- Elia Florio, MSRC Engineering
We released security update MS12-054 to address four privately reported issues in Windows networking components failing to properly handle malformed Remote Administration Protocol (RAP) responses. The most severe of these issues, CVE-2012-1851, is a format string vulnerability in the printer spooler service while handling a response message and is a wormable-class vulnerability on Windows XP and Windows Server 2003. At least, sort of wormable. This blog post will explain the attack scenario and the limited affected platforms to help you assess the risk this vulnerability poses to your environment.
What is the RAP protocol?
Windows workgroups and domains maintain a lookup list of network resources such as printers, SQL servers, and file servers. Each time a new resource becomes available (such as a new printer being shared or a SQL Server booting up), the server hosting the resource notifies the subnet’s master browser (or backup browser). Any application or workstation that needs a specific type of resource can then query its subnet’s master browser or backup browser to respond with a list of resources of the requested type. The MSDN NetServerEnum documentation explains how an application can query the subnet browser for network resources and the type of resources available to be queried. Amongst other uses, the Remote Administration Protocol (RAP) is the protocol included with Windows to perform these types of administrative functions.
Potential Attack Scenario
All four vulnerabilities addressed by MS12-054 are client-side parsing issues of malformed RAP responses. To trigger the vulnerability by sending a malicious response, an attacker would need to either act as a subnet’s browser or populate the legitimate master/backup browser’s lookup table with malformed records which would be relayed to clients when they request a resource of a certain type. Windows XP users face the most significant risk from these vulnerabilities, as indicated in the affected products chart at the end of this blog post. A commonly exercised user experience path that initiates a NetServerEnum call (and subsequent RAP request) is the Windows XP “View workgroup computers” link in the “My Network Places” dialog box, shown below:
How is this “wormable”?
In addition to the "My Network Places" user-initiated scenario above, several "on-by-default" scenarios also exist on Windows XP. For example, winlogon initiates a request using this protocol to find domain controllers. The client-side group policy component also initiates RAP requests to which a malicious subnet browser could return a malformed attack response. CVE-2012-1851, as an example, involves the print spooler service on Windows XP and Windows Server 2003, a service that regularly polls/queries the subnet browser for a list of shared printers. It would be "wormable" given the following conditions:
Every two minutes, the victim’s print spooler service will call the NetServerEnum API to enumerate shared, available printers. This instructs the Workstation service to initiate a RAP request over SMB to the subnet's browser. The subnet browser could then potentially send back a malformed response which would be passed to the spooler service, triggering the vulnerability. The chart below describes the flow.
The affected platforms list is full of good news for customers that have migrated to newer versions of Windows. First, two of the vulnerabilities (CVE-2012-1852 and CVE-2012-1853) affect only Windows XP. The vulnerability affecting the Browser service (CVE-2012-1850) is rated Moderate on Vista and later platforms because the Browser service is off by default starting with Windows Vista. And, finally, the print spooler service code execution vulnerability (CVE-2012-1851) manifests only as a denial-of-service on Windows Vista and does not affect later platforms at all in their default configuration.
The table below summarizes the risk per platform:
We hope this information helps you assess the risk of this “sort of wormable” issue in your environment. Please let us know if you have any questions.
- Jonathan Ness, Neil Sikka, and Gangadhara Swamy, MSRC Engineering
Today we released nine security bulletins addressing 26 CVEs (13 Microsoft and 13 Oracle CVEs). Five of the bulletins have a maximum severity rating of Critical and the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Components covered by the bulletins in the prioritization table (only the component names and notes survive here):
Windows Common Controls: see this SRD blog post for more detail about this specific vulnerability, how it differs from the previous MSCOMCTL issue released in April, and the workaround options we recommend to harden against any future vulnerabilities in this component. This vulnerability cannot be triggered from within Outlook's preview pane; the email-based RTF attack vector would require double-clicking the RTF attachment.
Windows Networking Components
Oracle Outside In for Exchange
Windows drivers (win32k.sys)
In addition to the nine new security bulletins, we have re-released MS12-043 to make available a security update for Microsoft XML Core Services 5.0 that was unavailable at the time of initial release.
Finally, we have also released a new security advisory, KB 2661254, to inform customers of an update available on the Download Center that restricts the use of certificates with RSA keys less than 1024 bits in length. This advisory announces that we plan to release this update through Microsoft Update in October 2012, after customers have had a chance to evaluate the update in their own environments and take the necessary actions to use certificates with RSA keys of 1024 bits or longer.
- Jonathan Ness, MSRC Engineering