Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft Security Bulletin MS01-031

From: Microsoft Product Security <secnotif () MICROSOFT COM>
Date: Thu, 7 Jun 2001 20:02:36 -0700
The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
Title:      Predictable Name Pipes Could Enable Privilege Elevation 
            via Telnet
Date:       07 June 2001
Software:   Windows 2000
Impact:     Privilege elevation, denial of service, 
            information disclosure 
Bulletin:   MS01-031

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp.
- ---------------------------------------------------------------------


Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting 
the Windows 2000 Telnet service. The vulnerabilities fall into three 
broad categories: privilege elevation, denial of service and 
information disclosure.

Two of the vulnerabilities could allow privilege elevation, and have 
their roots in flaws related to the way Telnet sessions are created. 
When a new Telnet session is established, the service creates a named
pipe, and runs any code associated with it as part of the 
initialization process. However, the pipe's name is predictable, and 
if Telnet finds an existing pipe with that name, it simply uses it. 
An attacker who had the ability to load and run code on the server 
could create the pipe and associate a program with it, and the Telnet
service would run the code in Local System context when it stablished
the next Telnet session.

Four of the vulnerabilities could allow denial of service attacks. 
None of these vulnerabilities have anything in common with each 
other. 


 - One occurs because it is possible to prevent Telnet from 
terminating idle sessions; by creating a sufficient number of such 
sessions, an attacker could deny sessions to any other user. 

 - One occurs because of a handle leak when a Telnet session is 
terminated in a certain way. By repeatedly starting sessions and then
terminating them, an attacker could deplete the supply of handles on 
the server to point where it could no longer perform useful work.
 
 - One occurs because a logon command containing a particular 
malformation causes an access violation in the Telnet service. 

 - One occurs because a system call can be made using only normal 
user privileges, which has the effect of terminating a Telnet 
session. 

The final vulnerability is an information disclosure vulnerability 
that could make it easier for an attacker to find Guest accounts 
exposed via the Telnet server. It has exactly the same cause, scope 
and effect as a vulnerability affecting FTP and discussed in 
Microsoft Security Bulletin MS01-026. 

Mitigating Factors:
====================
Privilege elevation vulnerabilities: 

 - Because the attacker would need the ability to load and run code 
on the Telnet server, it is likely that these vulnerabilities could 
only be exploited by an attacker who had the ability to run code 
locally on the Telnet Server. 

 - Administrative privileges are needed to start the Telnet service, 
so the attacker could only exploit the vulnerability if Telnet were 
already started on the machine.

Denial of service vulnerabilities: 

 - It would not be necessary to reboot the server to recover from any
of these vulnerabilities. At worst, the Telnet service would need to 
be restarted.
 
 - None of these vulnerabilities could be used to gain additional 
privileges on the machine; they are denial of service vulnerabilities
only.

Information disclosure vulnerability: 

 - The vulnerability could only be exploited if the Guest account on 
the local machine was disabled, but the Guest account on a trusted 
domain was enabled. By default, the Guest account is disabled. 


Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-031.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Guardent (www.guardent.com) for reporting the two privilege 
   elevation vulnerabilities and one of the denial of service 
   vulnerabilities. 

 - Richard Reiner of Securexpert (www.securexpert.com) for reporting 
   one of the denial of service vulnerabilities. 

 - Bindview's Razor Team (razor.bindview.com) for reporting one of
  the denial of service vulnerabilities. 

 - Peter Grundl for reporting one of the denial of service 
   vulnerabilities. 

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, 
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION 
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH 
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING 
LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOyBAKY0ZSRQxA/UrAQEEmwf/QyxJr/941IwmJXDHuGR12/j/qY93V+nK
Xtp+RDNC9m5+VbjrXTrtZIECQYQDlLXskH7wSl1QtWsH4XrXgpY0sEf/dMtA6KqH
7UsCbsS983cxm1viq7sOk45qT1YeRh0iGARFersQXR/60uAcT84G21i1iidnchm3
tvuT33TZ+KqKq+yYMhffJ8++jxZxGr7GvpwbtNVibWGrmXyVrrd2AwS+1vHGf6rP
WVWiiwxrU1GHh0doPxR2i+whvs5Gs6SWV9pEeA67Ohk9Pu08/0puwuQtjLPvHsX7
fTRHf03xVuayEscwb25OyPgF5nsvpqTqzBbOwva9yDyterffoIlYlA==
=Gprb
-----END PGP SIGNATURE-----

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: