OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Microsoft Product Security (secnotifMICROSOFT.COM)
Date: Thu Jun 07 2001 - 22:02:36 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************

    -----BEGIN PGP SIGNED MESSAGE-----

    - ---------------------------------------------------------------------
    Title: Predictable Name Pipes Could Enable Privilege Elevation
                via Telnet
    Date: 07 June 2001
    Software: Windows 2000
    Impact: Privilege elevation, denial of service,
                information disclosure
    Bulletin: MS01-031

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-031.asp.
    - ---------------------------------------------------------------------

    Issue:
    ======
    This bulletin discusses a total of seven vulnerabilities affecting
    the Windows 2000 Telnet service. The vulnerabilities fall into three
    broad categories: privilege elevation, denial of service and
    information disclosure.

    Two of the vulnerabilities could allow privilege elevation, and have
    their roots in flaws related to the way Telnet sessions are created.
    When a new Telnet session is established, the service creates a named
    pipe, and runs any code associated with it as part of the
    initialization process. However, the pipe's name is predictable, and
    if Telnet finds an existing pipe with that name, it simply uses it.
    An attacker who had the ability to load and run code on the server
    could create the pipe and associate a program with it, and the Telnet
    service would run the code in Local System context when it stablished
    the next Telnet session.

    Four of the vulnerabilities could allow denial of service attacks.
    None of these vulnerabilities have anything in common with each
    other.

     - One occurs because it is possible to prevent Telnet from
    terminating idle sessions; by creating a sufficient number of such
    sessions, an attacker could deny sessions to any other user.

     - One occurs because of a handle leak when a Telnet session is
    terminated in a certain way. By repeatedly starting sessions and then
    terminating them, an attacker could deplete the supply of handles on
    the server to point where it could no longer perform useful work.
     
     - One occurs because a logon command containing a particular
    malformation causes an access violation in the Telnet service.

     - One occurs because a system call can be made using only normal
    user privileges, which has the effect of terminating a Telnet
    session.

    The final vulnerability is an information disclosure vulnerability
    that could make it easier for an attacker to find Guest accounts
    exposed via the Telnet server. It has exactly the same cause, scope
    and effect as a vulnerability affecting FTP and discussed in
    Microsoft Security Bulletin MS01-026.

    Mitigating Factors:
    ====================
    Privilege elevation vulnerabilities:

     - Because the attacker would need the ability to load and run code
    on the Telnet server, it is likely that these vulnerabilities could
    only be exploited by an attacker who had the ability to run code
    locally on the Telnet Server.

     - Administrative privileges are needed to start the Telnet service,
    so the attacker could only exploit the vulnerability if Telnet were
    already started on the machine.

    Denial of service vulnerabilities:

     - It would not be necessary to reboot the server to recover from any
    of these vulnerabilities. At worst, the Telnet service would need to
    be restarted.
     
     - None of these vulnerabilities could be used to gain additional
    privileges on the machine; they are denial of service vulnerabilities
    only.

    Information disclosure vulnerability:

     - The vulnerability could only be exploited if the Guest account on
    the local machine was disabled, but the Guest account on a trusted
    domain was enabled. By default, the Guest account is disabled.

    Patch Availability:
    ===================
     - A patch is available to fix this vulnerability. Please read the
       Security Bulletin
       http://www.microsoft.com/technet/security/bulletin/ms01-031.asp
       for information on obtaining this patch.

    Acknowledgment:
    ===============
     - Guardent (www.guardent.com) for reporting the two privilege
       elevation vulnerabilities and one of the denial of service
       vulnerabilities.

     - Richard Reiner of Securexpert (www.securexpert.com) for reporting
       one of the denial of service vulnerabilities.

     - Bindview's Razor Team (razor.bindview.com) for reporting one of
      the denial of service vulnerabilities.

     - Peter Grundl for reporting one of the denial of service
       vulnerabilities.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
    DAMAGES
    WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
    LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
    CORPORATION
    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
    DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
    LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
    LIMITATION MAY NOT APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.3

    iQEVAwUBOyBAKY0ZSRQxA/UrAQEEmwf/QyxJr/941IwmJXDHuGR12/j/qY93V+nK
    Xtp+RDNC9m5+VbjrXTrtZIECQYQDlLXskH7wSl1QtWsH4XrXgpY0sEf/dMtA6KqH
    7UsCbsS983cxm1viq7sOk45qT1YeRh0iGARFersQXR/60uAcT84G21i1iidnchm3
    tvuT33TZ+KqKq+yYMhffJ8++jxZxGr7GvpwbtNVibWGrmXyVrrd2AwS+1vHGf6rP
    WVWiiwxrU1GHh0doPxR2i+whvs5Gs6SWV9pEeA67Ohk9Pu08/0puwuQtjLPvHsX7
    fTRHf03xVuayEscwb25OyPgF5nsvpqTqzBbOwva9yDyterffoIlYlA==
    =Gprb
    -----END PGP SIGNATURE-----

       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTANNOUNCE.MICROSOFT.COM
    The subject line and message body are not used in processing the request,
    and can be anything you like.

    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.

    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/technet/security/notify.asp. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.