Alert: Microsoft Security Bulletin - MS02-029

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 06/13/02

Date:         Wed, 12 Jun 2002 18:00:19 -0400
From: Russ <Russ.Cooper@RC.ON.CA>

Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)

Originally posted: June 12, 2002


Who should read this bulletin: Customers using Microsoft® Windows NT®, Windows® 2000 and Windows XP.

Impact of vulnerability: Local privilege elevation.

Maximum Severity Rating: Critical

Recommendation: Administrators should apply the patch immediately to machines that allow unprivileged users to log onto them interactively, such as workstations and Terminal Servers.

Affected Software:
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Routing and Remote Access Server, which can be installed on Windows NT 4.0 Service Pack 6 or NT 4.0 Terminal Server Edition Service Pack 6.

Technical description:

The Remote Access Service (RAS) provides dial-up connections between computers and networks over phone lines. RAS is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, and also is included in a separately downloadable Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these implementations include a RAS phonebook, which is used to store information about telephone numbers, security, and network settings used to dial-up remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system.
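As an added illustration of the defect class the bulletin describes (this is not Microsoft's code or the real RAS phonebook implementation), the C snippet below contrasts an unchecked copy of a phonebook value into a fixed-size field with a bounds-checked one that rejects overlong input. The INI-style `PhoneNumber=` line layout, the field size and the sample lines are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed-length field that receives the phonebook value.
 * The bulletin does not state the real RAS buffer size; this is illustrative. */
#define PHONE_FIELD_MAX 32

/* Constructed sample line in the INI-style "Key=Value" layout assumed for a .pbk entry. */
static const char SAMPLE_OK[] = "PhoneNumber=5551234";

/* Builds a constructed line whose value is far longer than PHONE_FIELD_MAX. */
const char *make_overlong_line(void) {
    static char line[256];
    memcpy(line, "PhoneNumber=", 12);
    memset(line + 12, '9', sizeof line - 13);
    line[sizeof line - 1] = '\0';
    return line;
}

/* The defect class the bulletin describes: the value is copied with no length check,
 * so a value longer than the destination overruns it. Shown for contrast only; never called. */
void copy_value_unchecked(char *dst, const char *value) {
    strcpy(dst, value);
}

/* Hardened copy: refuse any value that does not fit together with its terminator.
 * Returns 1 on success; on rejection dst is left as an empty string and 0 is returned. */
static int copy_value_checked(char *dst, size_t dst_len, const char *value) {
    size_t n = strlen(value);
    if (dst_len == 0) return 0;
    if (n >= dst_len) { dst[0] = '\0'; return 0; }
    memcpy(dst, value, n + 1);
    return 1;
}

/* Parses a "PhoneNumber=<value>" line into a fixed-size field using the checked copy.
 * Returns a pointer to the field, or NULL if the line is malformed or the value is too long. */
const char *accepted_phone_value(const char *line) {
    static char field[PHONE_FIELD_MAX];
    const char *eq = strchr(line, '=');
    if (eq == NULL) return NULL;
    if ((size_t)(eq - line) != 11 || strncmp(line, "PhoneNumber", 11) != 0) return NULL;
    return copy_value_checked(field, sizeof field, eq + 1) ? field : NULL;
}

int main(void) {
    const char *v = accepted_phone_value(SAMPLE_OK);
    printf("sample line: %s\n", v ? v : "(rejected)");
    v = accepted_phone_value(make_overlong_line());
    printf("overlong line: %s\n", v ? v : "(rejected)");
    return 0;
}
```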

Mitigating factors:
- The vulnerability could only be exploited by an attacker who had the appropriate credentials to log onto an affected system.
- Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed, machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Vulnerability identifier: CAN-2002-0366

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
