From da@securityfocus.com Sat Jul 27 18:08:34 2002 From: Dave Ahmad To: bugtraq@securityfocus.com Date: Wed, 24 Jul 2002 23:54:00 -0600 (MDT) Subject: Microsoft Security Bulletin MS02-036: Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation (Q317138) (fwd) -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- Title: Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation (Q317138) Date: 24 July 2002 Software: Microsoft Metadirectory Services 2.2 Impact: Elevation of privilege Max Risk: Medium Bulletin: MS02-036 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-036.asp. - ---------------------------------------------------------------------- Issue: ====== Microsoft Metadirectory Services (MMS) is a centralized metadirectory service that provides connectivity, management, and interoperability functions to help unify fragmented directory and database environments. It enables enterprises to link together disparate data repositories such as Exchange directory, Active Directory, third-party directory services, and proprietary databases, for the purpose of ensuring that the data in each is consistent, accurate, and can be centrally managed. A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, only be accessible to MMS administrators. Specifically, it is possible for an unprivileged user to connect to the MMS data repository via an LDAP client in such a way as to bypass certain security checks. This could enable an attacker to modify data within the MMS data repository, either for the purpose of changing the MMS configuration or replicating bogus data to the other data repositories. Mitigating Factors: ==================== - If normal security practices have been followed, the vulnerability could not be exploited from the Internet. - The vulnerability could only be exploited by an attacker who had significant technical expertise at a protocol level. The vulnerability does not provide access to MMS itself, but rather to the MMS data repository. Determining what data to change - and how to change it - in order to cause a desired effect could be quite difficult - A successful attack would require a detailed understanding of the specific way MMS had been configured, as well as information about all of the other directories and database it was being used to manage. It is likely that the vulnerability could only be exploited by an attacker who had insider knowledge about the enterprise. Risk Rating: ============ - Internet systems: Moderate - Intranet systems: Moderate - Client systems: None Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-036.asp for information on obtaining this patch. Acknowledgment: =============== - Pascal Huijbers and Thomas de Klerk of Info Support http://www.infosupport.com/ - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPT80F40ZSRQxA/UrAQGgxAgAlnVa6frQ0Y6ZU4epV2I/uDhI/lnghh05 D75xCzDZMzJGWRbWNcydBjjv/gccbHSwUksbe9IT7yS+6ukBEYoZzoi19AC6P57s qYxO99oyO96uyxuwVzY/RMthoLuswBi2iAPm457runJwf8v9xgJzGOr3B9jJ0ETN pBhi+qER33kb9EJkBMlqKUoaV5jIraU9MlSPiemmY103uVaR9VQ34FblZqAZhtUS 0t1EP6fxf1PdXCi1y5CtvsPyg+r4uRlYws4x0OegAnaR0P0TmKesq/blRPfeGBnl Zxzr+LZZ8jCfLh+p0U4Bmn70c6526yaXbN+jJUVxPMVsGjNDzqutMQ== =3gC3 -----END PGP SIGNATURE-----