(CIAC Issues Bulletin L-092) Re: Microsoft Windows 2000 Telnet Server Allows Local Users to Gain System-Level Privileges and Lets Remote Users Crash the Server
SecurityTracker Alert ID: 1001726
SecurityTracker URL: http://securitytracker.com/id/1001726
Date: Jun 11 2001
Denial of service via local system, Denial of service via network, Disclosure of system information, Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Microsoft has reported seven vulnerabilities in the Windows 2000 Telnet service. The vulnerabilities allow local users to gain system-level privileges on the server, let remote users crash the Telnet server, let local users terminate Telnet sessions, and may disclose information to remote users.
Two of the vulnerabilities are due to the improper processing of server-side named pipes, allowing a local user to predict the pipe's name such that when the Telnet server attempts to create that named pipe, it will instead find the pipe to already exist and will simply use the pipe. Code associated with the pipe will then be executed in the Local System context by the Telnet server when it establishes the next Telnet session.
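The "create it, and if it already exists just use it" pattern described above, as an added example that is not code from Microsoft or from this advisory: a POSIX FIFO analogue in C, placed next to a first-instance-only create with an unpredictable name. The function names, the `svc-` prefix and the `/tmp` directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: an endpoint that already exists is used as-is. */
int create_pipe_trusting(const char *path) {
    if (mkfifo(path, 0600) == -1 && errno != EEXIST) return -1;
    return 0; /* EEXIST ignored: a FIFO planted by another user is accepted */
}

/* Hardened: creation must be the first instance, then type, owner and mode are checked. */
int create_pipe_exclusive(const char *path) {
    struct stat st;
    if (mkfifo(path, 0600) == -1) return -1; /* EEXIST means someone got there first: refuse */
    if (lstat(path, &st) == -1 || !S_ISFIFO(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 0077) != 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Unpredictable name: 128 bits from the kernel CSPRNG, hex-encoded. */
int random_pipe_path(char *out, size_t len, const char *dir) {
    unsigned char rnd[16];
    char hex[33];
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, rnd, sizeof rnd);
    close(fd);
    if (n != (ssize_t)sizeof rnd) return -1;
    for (int i = 0; i < 16; i++) snprintf(hex + 2 * i, 3, "%02x", rnd[i]);
    int w = snprintf(out, len, "%s/svc-%s.pipe", dir, hex);
    return (w > 0 && (size_t)w < len) ? 0 : -1; /* reject truncated paths */
}

int main(void) {
    char p[256]; /* constructed sample path under /tmp (assumed location) */
    if (random_pipe_path(p, sizeof p, "/tmp") != 0) return 1;
    printf("first create:  %d\n", create_pipe_exclusive(p));
    printf("second create: %d (existing endpoint refused)\n", create_pipe_exclusive(p));
    printf("trusting:      %d (existing endpoint accepted)\n", create_pipe_trusting(p));
    unlink(p);
    return 0;
}
```

On Windows the corresponding guard is the `FILE_FLAG_FIRST_PIPE_INSTANCE` flag to `CreateNamedPipe`, which makes creation fail when a pipe of that name already exists.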
The denial of service vulnerabilities are due to:
1) Failure of the Telnet server to terminate idle sessions, allowing a remote user to open a large number of sessions and consume all resources.
2) A handle leak that occurs when Telnet sessions are repeatedly started and then terminated, allowing a remote user to deplete the supply of handles on the server.
3) A specific malformed logon command that causes an access violation in the Telnet service.
4) A system call that can be made by a user with normal user privileges that can terminate a Telnet session.
The information disclosure vulnerability is due to the way in which the server will automatically search all trusted domains for a matching userid if a userid is specified in a particular way. This could make it easier for a remote user to locate Guest accounts that may be exposed via the Telnet server.
A local user can gain system-level privileges on the server. A remote user can crash the Telnet server. A local user can terminate Telnet sessions. A remote user may obtain information about accounts on the server.
The vendor has released a fix. See the Vendor URL for the vendor's advisory that describes how to obtain the patch.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS01-031.asp
Access control error, Exception handling error, Randomization error, Resource error, State error
Underlying OS: Windows (2000)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: CIAC Bulletin L-092 Microsoft Predictable Name Pipes In Telnet
[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----
The U.S. Department of Energy
Computer Incident Advisory Center
Microsoft Predictable Name Pipes In Telnet
June 11, 2001 18:00 GMT Number L-092
PROBLEM: The Microsoft Telnet service has seven vulnerabilities in operational usage. These vulnerabilities exist due to the manner in which telnet is started and corollary procedures.
PLATFORM: Windows 2000
DAMAGE: Two vulnerabilities, through the misuse of initialization pipes, allow a malicious party to elevate their privileges. Four vulnerabilities allow the potential of denial of service (DoS) attacks. A final vulnerability can cause exposure of Guest accounts on the server. For all vulnerabilities the mitigating factor is that the malicious party must have local access.
SOLUTION: Apply the patch provided by Microsoft.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. This information has been made publicly available. Additionally, there is a wide range of vulnerabilities affecting the telnet service.
[****** Begin Microsoft Bulletin ******]
[****** End Microsoft Bulletin ******]
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
-----END PGP SIGNATURE-----