
Microsoft Predictable Name Pipes In Telnet




             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Microsoft Predictable Name Pipes In Telnet

June 11, 2001 18:00 GMT                                           Number L-092
______________________________________________________________________________
PROBLEM:       The Microsoft Telnet service has seven vulnerabilities. They 
               arise from the manner in which telnet sessions are started 
               and from related procedures. 
PLATFORM:      Windows 2000 
DAMAGE:        Two vulnerabilities, through the misuse of initialization pipes, 
               allow a malicious party to elevate their privileges. Four 
               vulnerabilities allow the potential of denial of service (DoS) 
               attacks. A final vulnerability can cause exposure of Guest 
               accounts on the server. For all vulnerabilities the mitigating 
               factor is that the malicious party must have local access 
               capability. 
SOLUTION:      Apply the patch provided by Microsoft. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This information has been made publicly 
ASSESSMENT:    available. Additionally, a wide range of vulnerabilities 
               affects the telnet service.
______________________________________________________________________________

[******  Begin Microsoft Bulletin ******]


- ---------------------------------------------------------------------
Title:      Predictable Name Pipes Could Enable Privilege Elevation 
            via Telnet
Date:       07 June 2001
Software:   Windows 2000
Impact:     Privilege elevation, denial of service, 
            information disclosure 
Bulletin:   MS01-031

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp.
- ---------------------------------------------------------------------


Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting 
the Windows 2000 Telnet service. The vulnerabilities fall into three 
broad categories: privilege elevation, denial of service and 
information disclosure.

Two of the vulnerabilities could allow privilege elevation, and have 
their roots in flaws related to the way Telnet sessions are created. 
When a new Telnet session is established, the service creates a named
pipe, and runs any code associated with it as part of the 
initialization process. However, the pipe's name is predictable, and 
if Telnet finds an existing pipe with that name, it simply uses it. 
An attacker who had the ability to load and run code on the server 
could create the pipe and associate a program with it, and the Telnet
service would run the code in Local System context when it established
the next Telnet session.

Four of the vulnerabilities could allow denial of service attacks. 
None of these vulnerabilities have anything in common with each 
other. 


 - One occurs because it is possible to prevent Telnet from 
terminating idle sessions; by creating a sufficient number of such 
sessions, an attacker could deny sessions to any other user. 

 - One occurs because of a handle leak when a Telnet session is 
terminated in a certain way. By repeatedly starting sessions and then
terminating them, an attacker could deplete the supply of handles on 
the server to the point where it could no longer perform useful work.
 
 - One occurs because a logon command containing a particular 
malformation causes an access violation in the Telnet service. 

 - One occurs because a system call can be made using only normal 
user privileges, which has the effect of terminating a Telnet 
session. 

The final vulnerability is an information disclosure vulnerability 
that could make it easier for an attacker to find Guest accounts 
exposed via the Telnet server. It has exactly the same cause, scope 
and effect as a vulnerability affecting FTP and discussed in 
Microsoft Security Bulletin MS01-026. 

Mitigating Factors:
====================
Privilege elevation vulnerabilities: 

 - Because the attacker would need the ability to load and run code 
on the Telnet server, it is likely that these vulnerabilities could 
only be exploited by an attacker who had the ability to run code 
locally on the Telnet Server. 

 - Administrative privileges are needed to start the Telnet service, 
so the attacker could only exploit the vulnerability if Telnet were 
already started on the machine.

Denial of service vulnerabilities: 

 - It would not be necessary to reboot the server to recover from any
of these vulnerabilities. At worst, the Telnet service would need to 
be restarted.
 
 - None of these vulnerabilities could be used to gain additional 
privileges on the machine; they are denial of service vulnerabilities
only.

Information disclosure vulnerability: 

 - The vulnerability could only be exploited if the Guest account on 
the local machine was disabled, but the Guest account on a trusted 
domain was enabled. By default, the Guest account is disabled. 


Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-031.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Guardent (www.guardent.com) for reporting the two privilege 
   elevation vulnerabilities and one of the denial of service 
   vulnerabilities. 

 - Richard Reiner of Securexpert (www.securexpert.com) for reporting 
   one of the denial of service vulnerabilities. 

 - Bindview's Razor Team (razor.bindview.com) for reporting one of
   the denial of service vulnerabilities. 

 - Peter Grundl for reporting one of the denial of service 
   vulnerabilities. 

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, 
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION 
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH 
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING 
LIMITATION MAY NOT APPLY.

[******  End Microsoft Bulletin ******]
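
The privilege elevation flaw described in the Microsoft bulletin above is a service adopting a pre-existing named pipe whose predictable name it expected to create itself. The hardened pattern, shown here as an added PowerShell example that is not code from the CIAC or Microsoft bulletin, inspects the pipe namespace before creating the pipe and refuses to proceed if the name is already taken. It assumes Windows PowerShell 5.1 or later; the pipe name 'ExampleServiceInit' and the function names are placeholders, since the bulletin does not publish the real pipe name.

```powershell
# Added example, not code from the CIAC or Microsoft bulletin. Demonstrates the
# defensive pattern the vulnerable Telnet service lacked: never adopt a named
# pipe that already exists under the name the service is about to create.
# The pipe name is a placeholder; the bulletin does not give the real one.

function Test-PipePreExists {
    param([Parameter(Mandatory)][string]$PipeName)
    # The pipe filesystem lists every open named pipe on the host, regardless
    # of which account created it. Pipe names are case-insensitive, and the
    # -contains operator compares strings case-insensitively as well.
    $full = "\\.\pipe\$PipeName"
    return [bool]([System.IO.Directory]::GetFiles('\\.\pipe\') -contains $full)
}

function Start-CheckedPipeServer {
    param([Parameter(Mandatory)][string]$PipeName)

    if (Test-PipePreExists -PipeName $PipeName) {
        # Someone already owns this name. The vulnerable Telnet service reused
        # such a pipe; a hardened service refuses, because whoever created the
        # pipe controls what runs behind it.
        Write-Warning "Refusing to start: \\.\pipe\$PipeName already exists (possible name squatting)."
        return $null
    }
    try {
        # Request a single server instance. If a pipe under this name appeared
        # between the check above and this call, the pipe subsystem rejects the
        # create instead of silently sharing the existing pipe.
        return [System.IO.Pipes.NamedPipeServerStream]::new(
            $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1)
    } catch {
        # Any creation failure is treated as "name not ours": do not proceed.
        Write-Warning "Pipe creation for $PipeName failed: $($_.Exception.Message)"
        return $null
    }
}

# Constructed demonstration run with a pipe name assumed for this example only.
$ExpectedPipe = 'ExampleServiceInit'
$server = Start-CheckedPipeServer -PipeName $ExpectedPipe
if ($server) {
    Write-Host "Created \\.\pipe\$ExpectedPipe cleanly; disposing."
    $server.Dispose()
}
```

A pre-start check of the namespace is inherently racy; the authoritative protection is creating the pipe with the Win32 FILE_FLAG_FIRST_PIPE_INSTANCE flag on CreateNamedPipe, which makes creation fail outright when the name is already in use.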





_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-082: Cisco IOS BGP Attribute Corruption Vulnerability
L-083: Microsoft CGI Filename Decode Error Vulnerability in IIS
L-084: Red Hat Samba Package /tmp Race Condition 
L-085: Cisco Content Service Switch FTP Vulnerability
L-086: Cisco Multiple Vulnerabilities in CBOS
L-087: Microsoft Internet Explorer Flaws in Certificate Validation
L-088: Cisco IOS Reload after Scanning Vulnerability
L-089: Windows Unchecked Buffer in Media Player .ASX Processor
L-090: Cisco 11000 Series Switch, Web Management Vulnerability
L-091: Microsoft Exchange Server Outlook Web Access Flaw

