[NT] Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 13 Feb 2002 08:30:35 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution
------------------------------------------------------------------------

SUMMARY

The Telnet protocol provides remote shell capabilities. Microsoft has
implemented the Telnet protocol by providing a Telnet Server in several
products. The implementations in two of these products - Windows 2000 and
Interix 2.2 - contain unchecked buffers in the code that handles the
processing of telnet protocol options.

An attacker could use this vulnerability to perform a buffer overflow
attack. A successful attack could cause the Telnet Server to fail, or in
some cases, could possibly allow an attacker to execute code of her choice
on the system. Such code would execute using the security context of the
Telnet service, but this context varies from product to product. In
Windows 2000, the Telnet service always runs as System; in the Interix
implementation, the administrator selects the security context in which to
run as part of the installation process.

DETAILS

Affected software:
 * Telnet Service in Microsoft Windows 2000
 * Telnet Daemon in Microsoft Interix 2.2

Patch availability:
 * Telnet Service in Microsoft Windows 2000:
   The single patch for this issue is available at
   http://www.microsoft.com/windows2000/downloads/security/q307298/default.asp
   The fix for this issue is also included in Windows 2000 Security Rollup
   Package 1.
 * Telnet Daemon in Microsoft Interix 2.2:
   http://www.microsoft.com/downloads/release.asp?ReleaseID=35969

Mitigating factors:
 * While the Telnet Service in Windows 2000 is installed by default, it is
not running by default. As a result, a Windows 2000 system would only be
vulnerable if the administrator had started the service.
 * Remotely exploiting this vulnerability would require the attacker to
have the ability to connect to the Telnet Server. Best practice recommends
against allowing Telnet access from uncontrolled networks.
 * The Telnet Daemon in Interix 2.2 is not installed by default when
Interix 2.2 is installed. An administrator would have to choose to install
and configure this feature.
 * The Telnet Daemon in Interix does not specify a security context by
default. The administrator specifies the security context when they
configure or run the daemon. Best practices recommend that the Telnet
Daemon run in a context of least privilege, meaning that it have only
those rights necessary and no more.

What's the scope of the vulnerability?
This is a buffer overflow vulnerability that affects two Microsoft
products: the Telnet Service in Windows 2000 and the Telnet Daemon
(telnetD) in Microsoft Interix 2.2. By sending a specially malformed
request to the telnet server, an attacker could produce either of two
results. In the simpler case, this could cause the telnet server to fail.
In the more complex case, this could allow an attacker to execute code of
their choice on the system.

Best practices recommend very strongly that Telnet should only be used on
a fully trusted network. Telnet should not be used across the Internet, and
Telnet connections should be blocked at the corporate firewall. Neither
Windows 2000 nor Interix is affected by this vulnerability under default
conditions.

What causes the vulnerability?
The vulnerability results from an unchecked buffer in the code that
handles Telnet protocol options. By submitting a malformed packet, a
malicious user could overrun the buffer.

What's Telnet?
Telnet is an industry standard protocol that allows a user to establish a
remote terminal session on a telnet server. Because this is a terminal
session, there is only a command-line interface. Telnet is mainly used for
simple remote administration via the command prompt.

Several Microsoft products contain implementations of the Telnet protocol.
However, the vulnerability at issue here affects only two of these
implementations - the ones in Microsoft Interix and Windows 2000.

What's Microsoft Interix?
Microsoft Interix is a product that allows customers to run UNIX
applications on a Windows system. It does this by providing an enhanced
UNIX environment subsystem, beyond the standard POSIX subsystem in Windows
2000, so that UNIX applications, daemons, and scripts can run on Windows NT
and Windows 2000.

What's a daemon?
In UNIX, a networking service like Telnet is called a daemon. Often, the
actual program for the service is named with a "d" at the end (as in
telnetd), to indicate that it is a daemon.

Because the Telnet server in Interix is actually a UNIX program rather
than a Win32 program, it is referred to as a daemon for accuracy. In this
case, the programs in question are /bin/telnetd and /usr/sbin/in.telnetd.

What could an attacker do with this vulnerability?
An attacker could attempt to overrun the buffer with a large quantity of
data. If an attacker supplied a large enough quantity of random data, she
could cause the Telnet server to fail. If the attacker supplied carefully
crafted data, she could cause code of her choosing to run in the Telnet
server's process space.

If an attacker successfully loaded malicious code, what security context
would it execute in?
The code would run in the same context as the Telnet Service. The specific
context depends on the product.

For the Windows 2000 Telnet Service, the code would execute within the
SYSTEM context. This would allow the attacker to execute commands with the
same privileges as the operating system. This means the code could take
any action, including reformatting the hard drive, spawning a remote
command shell with SYSTEM privileges, installing programs, or shutting
down the system.

For the Telnet Daemon in Interix, the context in which the code executes
depends on choices made by the administrator when configuring telnetD. The
administrator specifies the context in which telnetD operates when
starting telnetD or configuring it to start automatically. Any code loaded
by a successful exploit of this vulnerability would thus execute in the
context in which the administrator decided to run telnetD. For example, if
telnetD were configured to run in the SYSTEM context, then malicious code
would execute in that context and be able to act as part of the operating
system. Alternately, if the administrator configured telnetD to run in the
context of a specially limited account, malicious code would execute only
within that context.

How could an attacker mount an attack by using this vulnerability?
An attacker could attempt to mount an attack against this vulnerability by
sending malformed packets to the Telnet Service. Anyone who could connect
to the Telnet Service could attempt to exploit this vulnerability.

Could an attacker exploit this vulnerability across the Internet?
If a Telnet server were accessible across the Internet, an attacker could
use this vulnerability to attempt an attack on the server. However, most
corporate firewalls block Telnet access at the firewall as a best
practice. In addition, most companies prohibit Telnet in their DMZ as a
best practice. These steps would eliminate exposure to this vulnerability
on the Internet.

What does the patch do?
The patch eliminates the vulnerability by instituting proper checking of
data input.
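The following is an added illustration, not code from Microsoft or from this bulletin: a toy C parser for Telnet option subnegotiation (the IAC SB ... IAC SE sequence of RFC 854/855), written once with the unchecked-buffer pattern described under "What causes the vulnerability?" and "What could an attacker do with this vulnerability?", and once with the input check that "What does the patch do?" refers to. The 64-byte buffer (SUBOPT_MAX), the struct layout, and the helper names are assumptions made for the example; this is not the affected Windows 2000 or Interix code.

```c
/*
 * Added example, not Microsoft's code: a toy parser for Telnet option
 * subnegotiation (IAC SB <option> ... IAC SE, RFC 854/855). The first
 * version copies the suboption data into a fixed buffer with no size
 * check, which is the class of bug the bulletin describes; the second
 * adds the check that a patch of this kind introduces. SUBOPT_MAX, the
 * struct and the helper names are assumptions made for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IAC 255          /* Interpret As Command */
#define SB  250          /* Subnegotiation Begin */
#define SE  240          /* Subnegotiation End */
#define OPT_TTYPE 24     /* TERMINAL-TYPE option, RFC 1091 */

#define SUBOPT_MAX 64    /* assumed size of the server's fixed buffer */

struct subopt {
    uint8_t option;
    size_t  len;
    uint8_t data[SUBOPT_MAX];
};

/* Length of the payload between "IAC SB <opt>" and "IAC SE", counting an
 * escaped "IAC IAC" pair as one data byte. Returns -1 if the packet is not
 * one complete, well-framed subnegotiation. */
static long subopt_payload_len(const uint8_t *pkt, size_t n)
{
    if (n < 5 || pkt[0] != IAC || pkt[1] != SB)
        return -1;
    long len = 0;
    for (size_t i = 3; i + 1 < n; i++) {
        if (pkt[i] == IAC) {
            if (pkt[i + 1] == SE)
                return len;
            if (pkt[i + 1] != IAC)
                return -1;          /* bare IAC inside a suboption */
            i++;                    /* IAC IAC: one literal 0xFF byte */
        }
        len++;
    }
    return -1;                      /* packet ended before IAC SE */
}

/* Copies payload bytes into out->data until IAC SE. Does not check
 * sizeof out->data; the caller must establish that the data fits. */
static int copy_subopt(const uint8_t *pkt, size_t n, struct subopt *out)
{
    out->option = pkt[2];
    out->len = 0;
    for (size_t i = 3; i + 1 < n; i++) {
        if (pkt[i] == IAC) {
            if (pkt[i + 1] == SE)
                return 0;
            i++;                    /* unescape IAC IAC */
        }
        out->data[out->len++] = pkt[i];
    }
    return -1;
}

/* VULNERABLE: validates the framing, then copies an attacker-chosen
 * number of bytes into a 64-byte buffer. A subnegotiation with more than
 * SUBOPT_MAX bytes of data overruns out->data and whatever follows it.
 * Shown only to illustrate the bug; do not feed it untrusted input. */
static int parse_subopt_unchecked(const uint8_t *pkt, size_t n, struct subopt *out)
{
    if (subopt_payload_len(pkt, n) < 0)
        return -1;
    return copy_subopt(pkt, n, out);
}

/* FIXED: the same parser with the bound check the bulletin's patch
 * describes as "proper checking of data input". Oversized suboptions are
 * rejected before a single byte is written. */
static int parse_subopt_checked(const uint8_t *pkt, size_t n, struct subopt *out)
{
    long len = subopt_payload_len(pkt, n);
    if (len < 0 || (size_t)len > sizeof out->data)
        return -1;
    return copy_subopt(pkt, n, out);
}

/* Builds "IAC SB opt <payload> IAC SE" into buf, escaping 0xFF bytes in the
 * payload. Returns the packet length, or 0 if buf is too small. Used here
 * to construct test input; a client would send these bytes on port 23. */
static size_t make_subopt_packet(uint8_t *buf, size_t cap, uint8_t opt,
                                 const uint8_t *payload, size_t plen)
{
    size_t k = 0;
    if (cap < 5)
        return 0;
    buf[k++] = IAC; buf[k++] = SB; buf[k++] = opt;
    for (size_t i = 0; i < plen; i++) {
        if (k + 4 > cap)            /* room for byte, its escape and IAC SE */
            return 0;
        if (payload[i] == IAC)
            buf[k++] = IAC;
        buf[k++] = payload[i];
    }
    buf[k++] = IAC; buf[k++] = SE;
    return k;
}

int main(void)
{
    uint8_t pkt[512], payload[200];
    struct subopt so;

    /* Constructed input: a TERMINAL-TYPE reply with a 200-byte "name". */
    memset(payload, 'A', sizeof payload);
    size_t n = make_subopt_packet(pkt, sizeof pkt, OPT_TTYPE, payload, sizeof payload);
    printf("payload %ld bytes, buffer %d bytes: checked parser -> %d\n",
           subopt_payload_len(pkt, n), SUBOPT_MAX, parse_subopt_checked(pkt, n, &so));
    /* parse_subopt_unchecked(pkt, n, &so) would write 200 bytes into a
     * 64-byte array here; it is deliberately not called. */
    return 0;
}
```

The two parsers differ by one comparison made before the copy begins. Both reject malformed framing, but only the checked version refuses a subnegotiation whose data exceeds the buffer. In the unchecked version, a 200-byte payload writes 136 bytes past the end of data[] into whatever the compiler placed after it; in a real server that could be a saved return address, which is the difference between the "random data causes the server to fail" and "carefully crafted data runs code in the server's process space" outcomes the bulletin describes.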

Who should apply the patch?
Anyone who is running the Windows 2000 Telnet Service or the Telnet
Daemon (telnetD) of Interix.

I'm using the Telnet Server in Services for UNIX 2.0, do I need to apply
the patch?
No, the Telnet Server in Services for UNIX 2.0 does not contain this flaw.

I have the Telnet Service for Windows 2000 installed, but not running,
should I apply the patch?
If you have Telnet installed but are not using the service, you should
first consider removing the service as a best practice. If you are not
going to remove the service, you should apply the patch.

I'm running Windows 2000 Professional, am I vulnerable?
The Telnet Service for Windows 2000 is installed, but not running by
default on Windows 2000 Professional. Customers running Windows 2000
Professional should apply the patch to protect themselves if the service
is enabled.

ADDITIONAL INFORMATION

The information has been provided by the Microsoft Security Response
Center (secure at MICROSOFT.COM) and Steve (steve@frij.com.au).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
