From secnotif@MICROSOFT.COM Thu Jun 7 22:40:27 2001
From: Microsoft Product Security
To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
Date: Thu, 7 Jun 2001 20:02:36 -0700
Subject: Microsoft Security Bulletin MS01-031

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
Title:      Predictable Name Pipes Could Enable Privilege Elevation via Telnet
Date:       07 June 2001
Software:   Windows 2000
Impact:     Privilege elevation, denial of service, information disclosure
Bulletin:   MS01-031

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp.
- ---------------------------------------------------------------------

Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting the
Windows 2000 Telnet service. The vulnerabilities fall into three broad
categories: privilege elevation, denial of service and information
disclosure.

Two of the vulnerabilities could allow privilege elevation, and have their
roots in flaws related to the way Telnet sessions are created. When a new
Telnet session is established, the service creates a named pipe, and runs
any code associated with it as part of the initialization process.
However, the pipe's name is predictable, and if Telnet finds an existing
pipe with that name, it simply uses it. An attacker who had the ability to
load and run code on the server could create the pipe and associate a
program with it, and the Telnet service would run the code in Local System
context when it established the next Telnet session.

Four of the vulnerabilities could allow denial of service attacks. These
four are unrelated to one another:
- One occurs because it is possible to prevent Telnet from terminating idle
  sessions; by creating a sufficient number of such sessions, an attacker
  could deny sessions to any other user.
- One occurs because of a handle leak when a Telnet session is terminated in
  a certain way. By repeatedly starting sessions and then terminating them,
  an attacker could deplete the supply of handles on the server to the point
  where it could no longer perform useful work.
- One occurs because a logon command containing a particular malformation
  causes an access violation in the Telnet service.
- One occurs because a system call can be made using only normal user
  privileges, which has the effect of terminating a Telnet session.

The final vulnerability is an information disclosure vulnerability that
could make it easier for an attacker to find Guest accounts exposed via the
Telnet server. It has exactly the same cause, scope and effect as a
vulnerability affecting FTP and discussed in Microsoft Security Bulletin
MS01-026.

Mitigating Factors:
====================
Privilege elevation vulnerabilities:
- Because the attacker would need the ability to load and run code on the
  Telnet server, it is likely that these vulnerabilities could only be
  exploited by an attacker who had the ability to run code locally on the
  Telnet Server.
- Administrative privileges are needed to start the Telnet service, so the
  attacker could only exploit the vulnerability if Telnet were already
  started on the machine.

Denial of service vulnerabilities:
- It would not be necessary to reboot the server to recover from any of
  these vulnerabilities. At worst, the Telnet service would need to be
  restarted.
- None of these vulnerabilities could be used to gain additional privileges
  on the machine; they are denial of service vulnerabilities only.
Information disclosure vulnerability:
- The vulnerability could only be exploited if the Guest account on the
  local machine was disabled, but the Guest account on a trusted domain was
  enabled. By default, the Guest account is disabled.

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security
  Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-031.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Guardent (www.guardent.com) for reporting the two privilege elevation
  vulnerabilities and one of the denial of service vulnerabilities.
- Richard Reiner of Securexpert (www.securexpert.com) for reporting one of
  the denial of service vulnerabilities.
- Bindview's Razor Team (razor.bindview.com) for reporting one of the
  denial of service vulnerabilities.
- Peter Grundl for reporting one of the denial of service vulnerabilities.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
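The privilege elevation flaw described under "Issue" is a name-squatting bug: a privileged service creates an object under a predictable name and, if the name is already taken, adopts whatever is there. The following is an added example, not code from the bulletin or from Microsoft, that reproduces the lenient and the hardened behaviour on a POSIX FIFO (the portable stand-in for a Windows named pipe; on Win32 the equivalent of the strict check is the FILE_FLAG_FIRST_PIPE_INSTANCE flag to CreateNamedPipe). The pipe path is a constructed demo value.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcomes of trying to set up the per-session pipe. */
enum pipe_result {
    PIPE_CREATED = 0,          /* we made it: safe to use */
    PIPE_REUSED_EXISTING = 1,  /* adopted a pipe someone else created (the bulletin's flaw) */
    PIPE_REFUSED = 2,          /* name already taken: hardened code backs off */
    PIPE_ERROR = 3
};

/*
 * Set up a session pipe at a fixed, predictable path.
 * strict == 0 reproduces the behaviour the bulletin describes: if an object
 * with that name already exists, the service simply uses it.
 * strict != 0 is the hardened pattern: the privileged side insists on being
 * the first instance, so an existing object under that name is refused.
 */
enum pipe_result create_session_pipe(const char *path, int strict)
{
    if (mkfifo(path, 0600) == 0)
        return PIPE_CREATED;
    if (errno != EEXIST)
        return PIPE_ERROR;
    if (strict)
        return PIPE_REFUSED;
    /* Lenient path: whoever pre-created this object now controls it. */
    struct stat st;
    if (stat(path, &st) == 0 && S_ISFIFO(st.st_mode))
        return PIPE_REUSED_EXISTING;
    return PIPE_ERROR;
}

/* Simulates an object left under the predictable name by another process. */
int precreate_pipe_name(const char *path)
{
    return mkfifo(path, 0600) == 0 ? 0 : -1;
}

int main(void)
{
    const char *path = "/tmp/session-pipe-demo"; /* constructed demo path */
    unlink(path);
    precreate_pipe_name(path);
    printf("lenient service: %d (1 = reused existing pipe)\n", create_session_pipe(path, 0));
    printf("strict service:  %d (2 = refused squatted name)\n", create_session_pipe(path, 1));
    unlink(path);
    return 0;
}
```

The lenient branch is the bug class the patch addresses; the strict branch is what a privileged creator of any named object should do, failing closed when the name is already taken.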
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.