Alert: Microsoft Security Bulletin - MS02-042

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 08/15/02


Date:         Thu, 15 Aug 2002 16:51:07 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-042.asp

Flaw in Network Connection Manager Could Enable Privilege Elevation (Q326886)

Originally posted: August 14, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Windows® 2000.

Impact of vulnerability: Privilege elevation

Maximum Severity Rating: Critical

Recommendation: Administrators should apply the patch immediately to machines that allow unprivileged users to log onto them interactively, such as workstations and Terminal Servers.

Affected Software:
- Microsoft Windows 2000

Technical description:

The Network Connection Manager (NCM) provides a controlling mechanism for all network connections managed by a host system. Among the functions of the NCM is to call a handler routine whenever a network connection has been established.

By design, this handler routine should run in the security context of the user. However, a flaw could make it possible for an unprivileged user to cause the handler routine to run in the security context of LocalSystem, through a very complex process. An attacker who exploited this flaw could specify code of his or her choice as the handler, then establish a network connection in order to cause that code to be invoked by the NCM. The code would then run with full system privileges.

Mitigating factors:
- The vulnerability could only be exploited by an attacker who had the appropriate credentials to log onto an affected system interactively. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed, machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Vulnerability identifier: CAN-2002-0720

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
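
Added example (not part of the bulletin or of the original post): one way to act on the mitigating factor and the patch recommendation is to find the machines where unprivileged principals hold the interactive logon right. The sketch assumes the input is security-template (INF) text of the kind `secedit /export` writes; the sample templates, the function names and the choice of which well-known SIDs count as "broad" are assumptions made for illustration.

```python
import re

# Well-known SIDs of broad, unprivileged principals (this selection is an assumption).
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # <domain>\Domain Users

# Constructed sample exports (not taken from a real host).
SAMPLE_WORKSTATION = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""
SAMPLE_SERVER = "[Privilege Rights]\nSeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551\n"

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def broad_interactive_logon(inf_text):
    """List broad principals allowed to log on interactively (and not explicitly denied)."""
    rights = parse_privilege_rights(inf_text)
    denied = set(rights.get("SeDenyInteractiveLogonRight", []))
    findings = []
    for sid in rights.get("SeInteractiveLogonRight", []):
        if sid in denied:
            continue  # the same principal is explicitly denied, so the grant is moot
        if sid in BROAD_SIDS:
            findings.append(BROAD_SIDS[sid])
        elif DOMAIN_USERS.match(sid):
            findings.append("Domain Users")
    return findings

if __name__ == "__main__":
    print("workstation:", broad_interactive_logon(SAMPLE_WORKSTATION))
```

A non-empty result marks a machine that falls under the bulletin's "apply immediately" recommendation; an empty result on a server is consistent with the mitigating factor but does not replace patching.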