SecurityTracker.com
Category:   Application (Generic)  >   Telnet
Vendors:   Microsoft
(CIAC Issues Bulletin L-092) Re: Microsoft Windows 2000 Telnet Server Allows Local Users to Gain System-Level Privileges and Lets Remote Users Crash the Server
SecurityTracker Alert ID:  1001726
SecurityTracker URL:  http://securitytracker.com/id/1001726
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 11 2001
Impact:   Denial of service via local system, Denial of service via network, Disclosure of system information, Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Microsoft has reported seven vulnerabilities in the Windows 2000 Telnet service. The vulnerabilities allow local users to gain system-level privileges on the server, let remote users crash the Telnet server, let local users terminate Telnet sessions, and may disclose information to remote users.

Two of the vulnerabilities are due to improper processing of server-side named pipes. A local user can predict the pipe's name, so that when the Telnet server attempts to create that named pipe, it instead finds that the pipe already exists and simply uses it. Code associated with the pipe is then executed in the Local System context by the Telnet server when it establishes the next Telnet session.
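
The flaw above is a server adopting a pipe it did not create. As an added example (not Microsoft's code and not part of the bulletin), the C function below creates the server end only when no instance with that name exists and fails closed otherwise. The names `create_first_instance`, `pipe_t`, `PIPE_BAD` and `squatted` and the buffer sizes are assumptions, and the non-Windows branch is a POSIX FIFO analogue so the check can be exercised off Windows.

```c
/* Added example: create a pipe's server end only if the name is unclaimed. */
#ifdef _WIN32
#include <windows.h>
typedef HANDLE pipe_t;
#define PIPE_BAD INVALID_HANDLE_VALUE
#else
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
typedef int pipe_t;
#define PIPE_BAD (-1)
#endif
#include <stdio.h>
#include <stdlib.h>

/* Returns the server end, or PIPE_BAD. *squatted is set to 1 when the
   failure is because something with this name already exists. */
pipe_t create_first_instance(const char *name, int *squatted)
{
    *squatted = 0;
#ifdef _WIN32
    /* With FILE_FLAG_FIRST_PIPE_INSTANCE, CreateNamedPipe fails with
       ERROR_ACCESS_DENIED if an instance of this pipe already exists. */
    HANDLE h = CreateNamedPipeA(name,
        PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE,
        PIPE_TYPE_BYTE | PIPE_WAIT, 1, 4096, 4096, 0, NULL);
    if (h == INVALID_HANDLE_VALUE && GetLastError() == ERROR_ACCESS_DENIED)
        *squatted = 1;   /* treated as "name taken": never adopt it */
    return h;
#else
    /* POSIX analogue: mkfifo never adopts an existing path (EEXIST). */
    if (mkfifo(name, 0600) != 0) {
        if (errno == EEXIST)
            *squatted = 1;
        return PIPE_BAD;
    }
    /* O_NONBLOCK so opening the read end does not wait for a writer. */
    return open(name, O_RDONLY | O_NONBLOCK);
#endif
}

int main(int argc, char **argv)
{
    int squatted;
    if (argc != 2) { fprintf(stderr, "usage: %s <pipe-name>\n", argv[0]); return 2; }
    if (create_first_instance(argv[1], &squatted) == PIPE_BAD) {
        fputs(squatted ? "name already taken, refusing to use it\n"
                       : "pipe creation failed\n", stderr);
        return 1;
    }
    puts("created first instance");
    return 0;
}
```

Exclusive creation complements, rather than replaces, choosing pipe names that a local user cannot predict.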

The denial of service vulnerabilities are due to:

1) Failure of the Telnet server to terminate idle sessions, allowing a remote user to open a large number of sessions to consume all resources.
2) A handle leak that occurs when Telnet sessions are repeatedly started and then terminated, allowing a remote user to deplete the supply of handles on the server.
3) A specific malformed logon command that causes an access violation in the Telnet service.
4) A system call that can be made by a user with normal user privileges that can terminate a Telnet session.

The information disclosure vulnerability is due to the way in which the server will automatically search all trusted domains for a matching userid if a userid is specified in a particular way. This could make it easier for a remote user to locate Guest accounts that may be exposed via the Telnet server.

Impact:   A local user can gain system-level privileges on the server. A remote user can crash the Telnet server. A local user can terminate Telnet sessions. A remote user may obtain information about accounts on the server.
Solution:   The vendor has released a fix. See the Vendor URL for the vendor's advisory that describes how to obtain the patch.
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-031.asp
Cause:   Access control error, Exception handling error, Randomization error, Resource error, State error
Underlying OS:  Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 8 2001 Microsoft Windows 2000 Telnet Server Allows Local Users to Gain System-Level Privileges and Lets Remote Users Crash the Server



 Source Message Contents

Subject:  CIAC Bulletin L-092 Microsoft Predictable Name Pipes In Telnet


[ For Public Release ]
             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Microsoft Predictable Name Pipes In Telnet

June 11, 2001 18:00 GMT                                           Number L-092
______________________________________________________________________________
PROBLEM:       The Microsoft Telnet service has seven vulnerabilities in 
               operational usage. These vulnerabilities exist due to the manner 
               in which telnet is started and corollary procedures. 
PLATFORM:      Windows 2000 
DAMAGE:        Two vulnerabilities, through the misuse of initialization pipes, 
               allow a malicious party to elevate their privileges. Four 
               vulnerabilities allow the potential of denial of service (DoS) 
               attacks. A final vulnerability can cause exposure of Guest 
               accounts on the server. For all vulnerabilities the mitigating 
               factor is that the malicious party must have local access 
               capability. 
SOLUTION:      Apply the patch provided by Microsoft. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This information has been made publicly 
ASSESSMENT:    available. Additionally, there is a wide range of 
               vulnerabilities affecting the telnet service 
______________________________________________________________________________

[******  Begin Microsoft Bulletin ******]

http://www.ciac.org/ciac/bulletins/l-092.shtml

[******  End Microsoft Bulletin ******]

