
Microsoft LDAP Over SSL Password Vulnerability





             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 Microsoft LDAP Over SSL Password Vulnerability
                     [Microsoft Security Bulletin MS01-036]

June 26, 2001 01:00 GMT                                           Number L-101
______________________________________________________________________________
PROBLEM:       A function exposed by the Windows 2000 LDAP server fails to
               check the requester's permissions when the directory principal
               being modified is a domain user and the attribute being set is
               the domain password. The function is reachable only when the
               server is configured for LDAP over SSL, and it can then be
               called by any user who can connect to the server, including
               anonymous sessions.
PLATFORM:      Windows 2000. Only servers configured for LDAP over SSL are
               affected, not default installations.
DAMAGE:        Elevation of privilege. An attacker who can connect to the
               server can change any domain user's password, either to lock
               that user out or to log on as that user. In the worst case the
               attacker resets a domain administrator's password, logs on as
               that administrator, and gains that account's control of the
               domain.
SOLUTION:      Apply the patch prescribed by Microsoft.
______________________________________________________________________________
VULNERABILITY  MEDIUM to HIGH, depending on system and network configuration.
ASSESSMENT:    Mitigating factors include blocking tcp port 636 at a firewall
               (this stops exploitation from outside the firewall only) and
               the fact that local user accounts on individual machines cannot
               be changed this way.
______________________________________________________________________________

[******  Start Microsoft Advisory ******]

- ----------------------------------------------------------------------
Title:      Function Exposed via LDAP over SSL Could Enable 
            Passwords to be Changed
Date:       25 June 2001
Software:   Windows 2000
Impact:     Privilege Elevation
Bulletin:   MS01-036

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-036.asp.
- ----------------------------------------------------------------------

Issue:
======
This vulnerability involves an LDAP function that is only available
if the LDAP server has been configured to support LDAP over SSL
sessions. Its purpose is to allow users to change the data attributes
of directory principals, and by design it should check the
authorizations of the requesting user before completing the request.
However, it contains an error that manifests itself only when the
directory principal is a domain user and the data attribute is the
domain password: in that case the function fails to check the
permissions of the requester, so a user could change any other user's
domain login password.

An attacker could change another user's password for either of two 
purposes: to cause a denial of service by preventing the other user 
from logging on, or in order to log into the user's account and gain 
any privileges the user had. Clearly, the most serious case would be 
one in which the attacker changed a domain administrator's password
and logged into the administrator's account. 

By design, the function affected can be called by any user who can 
connect to the LDAP server, including users who connect via anonymous
sessions. As a result, any user who could establish a connection with
an affected server could exploit the vulnerability. 

Mitigating Factors:
====================
 - LDAP over SSL sessions cannot be conducted unless the 
   administrator has installed a digital certificate on the LDAP
   server. As a result, default installations of Windows 2000
   are not affected by this vulnerability. 
 - If the firewall is configured to block tcp port 636, the
   vulnerability could not be exploited by outside users. 
 - This vulnerability could not be used to change the password 
   of local user accounts on individual machines. 
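Because only domain accounts are reachable, a reset made through this function lands on the domain controller like any other administrative password reset, and the DC's Security log is where to look for it. The hunt below is an added example, not part of the bulletin: it reads a tab-separated export of Account Management events and flags password resets on other accounts (event 628, "User Account password set", as opposed to 627, a user's own change) that hit a privileged target or come from a caller outside a reset allow-list. The log lines and the allow-list are constructed for illustration; event 628 does not record the protocol the reset came in over, so the rule is the same one you would apply to any unexpected reset.

```python
"""
Hunt for unexpected password resets in a Windows 2000 Security log export
(added example; not code from CIAC or Microsoft). Input format, accounts
and allow-list are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed export: date, time, source, category, event id, user, computer,
# description (the multi-line event description is flattened to one line here).
SAMPLE_LOG = """\
2001-06-26\t09:12:03\tSecurity\tAccount Management\t628\tSYSTEM\tDC1\tUser Account password set: Target Account Name: jsmith Target Domain: CORP Caller User Name: helpdesk1 Caller Domain: CORP Caller Logon ID: (0x0,0x3E7)
2001-06-26\t09:15:41\tSecurity\tAccount Management\t628\tSYSTEM\tDC1\tUser Account password set: Target Account Name: Administrator Target Domain: CORP Caller User Name: jdoe Caller Domain: CORP Caller Logon ID: (0x0,0x4C1D2)
2001-06-26\t09:16:02\tSecurity\tAccount Management\t627\tSYSTEM\tDC1\tChange Password Attempt: Target Account Name: jsmith Target Domain: CORP Caller User Name: jsmith Caller Domain: CORP Caller Logon ID: (0x0,0x1A2B3)
2001-06-26\t09:20:17\tSecurity\tAccount Management\t628\tSYSTEM\tDC1\tUser Account password set: Target Account Name: mlee Target Domain: CORP Caller User Name: jdoe Caller Domain: CORP Caller Logon ID: (0x0,0x4C1D2)
"""

PASSWORD_SET = 628     # another principal set the account's password (627 = self-service change)
PRIVILEGED = {"administrator"}              # hypothetical: resets on these are always reviewed
RESET_ALLOWED = {"helpdesk1", "helpdesk2"}  # hypothetical: callers permitted to reset passwords

# Field names as they appear in the 628/627 description text.
FIELD_RE = re.compile(
    r"(Target Account Name|Target Domain|Caller User Name|Caller Domain|Caller Logon ID):\s*(\S+)"
)


@dataclass
class Finding:
    when: str
    target: str
    caller: str
    reason: str


def parse_events(text):
    """Split the export into dicts: timestamp, event id, computer, plus the description fields."""
    events = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 8:
            continue  # truncated or non-event line
        fields = dict(FIELD_RE.findall(cols[7]))
        events.append({"when": cols[0] + " " + cols[1], "id": int(cols[4]),
                       "computer": cols[6], **fields})
    return events


def find_suspicious_resets(text):
    """Flag 628 events on privileged targets, or from callers outside the allow-list."""
    findings = []
    for ev in parse_events(text):
        if ev["id"] != PASSWORD_SET:
            continue
        target = ev.get("Target Account Name", "").lower()
        caller = ev.get("Caller User Name", "").lower()
        if target in PRIVILEGED:
            findings.append(Finding(ev["when"], target, caller,
                                    "password reset on privileged account"))
        elif caller not in RESET_ALLOWED:
            findings.append(Finding(ev["when"], target, caller,
                                    "reset by caller outside the allow-list"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_LOG):
        print("%s  %-14s reset by %-10s  %s" % (f.when, f.target, f.caller, f.reason))
```

On the constructed input the helpdesk reset of jsmith passes and jsmith's own 627 is ignored, while the Administrator reset and the reset of mlee by jdoe are both reported. On a real DC, Account Management auditing must be enabled for success events before 628 is written at all, which is worth confirming before relying on this.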

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-036.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Jon McDonald (http://www.entrigue.net)  
 - Russ Cooper (http://www.ntbugtraq.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.

[******  End Microsoft Advisory ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-091: Microsoft Exchange Server Outlook Web Access Flaw
L-092: Microsoft Predictable Name Pipes In Telnet
L-093: HP-UX kmmodreg Vulnerability
L-094: BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys
L-095: Microsoft SQL Query Method Vulnerability
L-096: Red Hat LPRng Vulnerability
L-097: Cisco 6400 NRP2 telnet Vulnerability
L-098: Microsoft Index Server ISAPI Extension Buffer Overflow
L-099: SGI PCP Pmpost Symlink Vulnerability
L-100: FrontPage Sub-Component Vulnerability


