Microsoft Telnet Server for Windows 2000 and for Interix Has a Buffer Overflow That May Let Remote Users Execute Code on the Server with System Level Privileges
SecurityTracker Alert ID: 1003472|
SecurityTracker URL: http://securitytracker.com/id/1003472
(Links to External Site)
Date: Feb 8 2002
Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Microsoft reported a buffer overflow vulnerability in the Telnet server for Windows 2000 and for Microsoft Interix 2.2 (a UNIX emulation product for Windows). A remote user could execute arbitrary code on the server.|
A buffer overflow reportedly exists in the code that handles the processing of telnet protocol options. A remote user could trigger the flaw and cause the Telnet server to crash or could possibly cause arbitrary code to be executed on the server.
The code would run with the privileges of the Telnet server, which is reported to be the System context on Windows 2000. On Microsoft Interix, the privileges depend on how the administrator has configured the system.
Microsoft reports that the Telnet service is not running by default on Windows 2000. On Interix 2.2, the Telnet daemon (telnetd) is reportedly not installed by default.
Microsoft has assigned this vulnerability a "moderate" risk rating for Internet servers, intranet servers, and client systems.
A remote user can cause arbitrary code to be executed on the server. On Windows 2000, this code is executed with System level privileges. A remote user can also cause the Telnet service to crash.|
The vendor has released a fix.|
The patch for Telnet Service in Microsoft Windows 2000 is available at:
It is reported that the fix for this issue is included in Windows 2000 Security Roll-up Package 1
For Microsoft Interix 2.2, the fix is available at:
The patch for Windows 2000 can reportedly be installed on systems running Windows 2000 SP1 or SP2. The patch for Interix 2.2 can reportedly be installed on systems running Microsoft Interix 2.2 Gold.
Microsoft reports that the fix for Windows 2000 fix will be included in Windows 2000 SP3.
This patch supersedes patch MS01-039.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-004.asp (Links to External Site)
|Underlying OS: Windows (2000)|
|Underlying OS Comments: Also affects Microsoft Interix 2.2|
Source Message Contents
Subject: Microsoft Security Bulletin MS02-004|
-----BEGIN PGP SIGNED MESSAGE-----
Title: Unchecked Buffer in Telnet Server Could Lead to Arbitrary
Date: 07 February 2002
Software: Telnet Service in Microsoft Windows 2000; Telnet
Daemon in Microsoft Interix 2.2
Impact: Denial of Service; Possibly Run Code of Attacker's Choice
Max Risk: Moderate
Microsoft encourages customers to review the Security Bulletin at:
The Telnet protocol provides remote shell capabilities. Microsoft has
implemented the Telnet protocol by providing a Telnet Server in
several products. The implementations in two of these products
- - - Windows 2000 and Interix 2.2 - contain unchecked buffers in the
code that handles the processing of telnet protocol options.
An attacker could use this vulnerability to perform a buffer
overflow attack. A successful attack could cause the Telnet Server
to fail, or in some cases, could possibly allow an attacker to
execute code of her choice on the system. Such code would execute
using the security context of the Telnet service, but this context
varies from product to product. In Windows 2000, the Telnet service
always runs as System; in the Interix implementation, the
administrator selects the security context in which to run as part
of the installation process.
- While the Telnet Service in Windows 2000 is installed by default,
it is not running by default. As a result, a Windows 2000 system
would only be vulnerable if the administrator had started the
- Remotely exploiting this vulnerability would require the attacker
to have the ability to connect to the Telnet Server. Best
practices recommends against allowing Telnet access on
- The Telnet Daemon in Interix 2.2 is not installed by default when
Interix 2.2 is installed. An administrator would have to choose
to install and configure this feature.
- The Telnet Daemon in Interix does not specify a security context
by default. The administrator specifies the security context when
they configure or run the daemon. Best practices recommend that
the Telnet Daemon run in a context of least privilege, meaning
that it have only those rights necessary and no more.
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
for information on obtaining this patch.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service.
For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
To cancel your subscription, click on the following link mailto:1_25284_************************************_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE
to create an unsubscribe e-mail.
To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_25284_************************************_US@Newsletters.Microsoft.com?subject=STOPMAIL
to create an unsubscribe e-mail. You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.