ESB-2001.228 -- Microsoft Security Bulletin MS01-031 -- Predictable Name Pipes Could Enable Privilege Elevation

Date: 12 June 2001
References: ESB-2001.203  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2001.228 -- Microsoft Security Bulletin MS01-031
         Predictable Name Pipes Could Enable Privilege Elevation 
                               12 June 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Telnet service
Vendor:                 Microsoft
Operating System:       Windows 2000
Impact:                 Increased Privileges
                        Denial of Service
                        Access Privileged Data
Access Required:        Remote

Ref:                    ESB-2001.203

- --------------------------BEGIN INCLUDED TEXT--------------------

- - ---------------------------------------------------------------------
Title:      Predictable Name Pipes Could Enable Privilege Elevation 
            via Telnet
Date:       07 June 2001
Software:   Windows 2000
Impact:     Privilege elevation, denial of service, 
            information disclosure 
Bulletin:   MS01-031

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp.
- - ---------------------------------------------------------------------


Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting 
the Windows 2000 Telnet service. The vulnerabilities fall into three 
broad categories: privilege elevation, denial of service and 
information disclosure.

Two of the vulnerabilities could allow privilege elevation, and have 
their roots in flaws related to the way Telnet sessions are created. 
When a new Telnet session is established, the service creates a named
pipe, and runs any code associated with it as part of the 
initialization process. However, the pipe's name is predictable, and 
if Telnet finds an existing pipe with that name, it simply uses it. 
An attacker who had the ability to load and run code on the server 
could create the pipe and associate a program with it, and the Telnet
service would run the code in Local System context when it established
the next Telnet session.
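The pipe-adoption flaw described above, as an added example that is not part of this bulletin or of Microsoft's code: the vulnerable pattern (a fixed name, and an endpoint that already exists is simply reused) beside the hardened one (create exclusively and refuse to proceed when the name is already taken). On Win32 the corresponding control is CreateNamedPipe() with FILE_FLAG_FIRST_PIPE_INSTANCE; since that API is Windows-only, this portable version uses a POSIX FIFO as a stand-in for the named pipe, and the path is a constructed demo value.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

typedef enum { EP_CREATED = 0, EP_SQUATTED = 1, EP_ERROR = 2 } ep_result;

/* Vulnerable pattern, as the bulletin describes it: the name is fixed and,
 * if something by that name already exists, the service simply uses it, so
 * it cannot tell whether it created the endpoint or adopted someone else's. */
int open_endpoint_adopting(const char *path)
{
    if (mkfifo(path, 0600) == 0) return 0;
    if (errno == EEXIST) return 0;      /* pre-existing: adopted blindly */
    return -1;
}

/* Hardened pattern: create exclusively and treat "already exists" as a
 * failure to investigate, never as something to reuse (mkfifo() EEXIST here
 * plays the role of CreateNamedPipe() + FILE_FLAG_FIRST_PIPE_INSTANCE). */
ep_result open_endpoint_exclusive(const char *path)
{
    if (mkfifo(path, 0600) != 0)
        return errno == EEXIST ? EP_SQUATTED : EP_ERROR;
    /* Confirm the object we just created is a FIFO owned by us before use. */
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISFIFO(st.st_mode) || st.st_uid != geteuid()) {
        unlink(path);
        return EP_ERROR;
    }
    return EP_CREATED;
}

int main(void)
{
    const char *path = "/tmp/telnet_demo_pipe";   /* constructed demo name */
    unlink(path);
    mkfifo(path, 0666);  /* an unprivileged user claims the name first */
    printf("adopting : %d (0 = carries on with the squatted name)\n", open_endpoint_adopting(path));
    printf("exclusive: %d (1 = EP_SQUATTED, refuses)\n", open_endpoint_exclusive(path));
    unlink(path);
    printf("exclusive, clean name: %d (0 = EP_CREATED)\n", open_endpoint_exclusive(path));
    unlink(path);
    return 0;
}
```

The same pre-created name is handed to both routines: the adopting one carries on regardless, while the exclusive one reports EP_SQUATTED and only succeeds once the name is free.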

Four of the vulnerabilities could allow denial of service attacks. 
None of these vulnerabilities have anything in common with each 
other. 


 - One occurs because it is possible to prevent Telnet from 
terminating idle sessions; by creating a sufficient number of such 
sessions, an attacker could deny sessions to any other user. 

 - One occurs because of a handle leak when a Telnet session is 
terminated in a certain way. By repeatedly starting sessions and then
terminating them, an attacker could deplete the supply of handles on 
the server to the point where it could no longer perform useful work.
 
 - One occurs because a logon command containing a particular 
malformation causes an access violation in the Telnet service. 

 - One occurs because a system call can be made using only normal 
user privileges, which has the effect of terminating a Telnet 
session. 

The final vulnerability is an information disclosure vulnerability 
that could make it easier for an attacker to find Guest accounts 
exposed via the Telnet server. It has exactly the same cause, scope 
and effect as a vulnerability affecting FTP and discussed in 
Microsoft Security Bulletin MS01-026. 

Mitigating Factors:
====================
Privilege elevation vulnerabilities: 

 - Because the attacker would need the ability to load and run code 
on the Telnet server, it is likely that these vulnerabilities could 
only be exploited by an attacker who had the ability to run code 
locally on the Telnet Server. 

 - Administrative privileges are needed to start the Telnet service, 
so the attacker could only exploit the vulnerability if Telnet were 
already started on the machine.

Denial of service vulnerabilities: 

 - It would not be necessary to reboot the server to recover from any
of these vulnerabilities. At worst, the Telnet service would need to 
be restarted.
 
 - None of these vulnerabilities could be used to gain additional 
privileges on the machine; they are denial of service vulnerabilities
only.

Information disclosure vulnerability: 

 - The vulnerability could only be exploited if the Guest account on 
the local machine was disabled, but the Guest account on a trusted 
domain was enabled. By default, the Guest account is disabled. 


Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-031.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Guardent (www.guardent.com) for reporting the two privilege 
   elevation vulnerabilities and one of the denial of service 
   vulnerabilities. 

 - Richard Reiner of Securexpert (www.securexpert.com) for reporting 
   one of the denial of service vulnerabilities. 

 - Bindview's Razor Team (razor.bindview.com) for reporting one of
   the denial of service vulnerabilities. 

 - Peter Grundl for reporting one of the denial of service 
   vulnerabilities. 

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, 
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION 
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH 
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING 
LIMITATION MAY NOT APPLY.



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
