[NT] Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution

From: support@securiteam.com
Date: 06/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 16 Jun 2002 08:19:00 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution
------------------------------------------------------------------------

SUMMARY

The Remote Access Service (RAS) provides dial-up connections between
computers and networks over phone lines. RAS is delivered as a native
system service in Windows NT 4.0, Windows 2000 and Windows XP, and also is
included in a separately downloadable Routing and Remote Access Server
(RRAS) for Windows NT 4.0. All of these implementations include a RAS
phonebook, which is used to store information about telephone numbers,
security, and network settings used to dial-up remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value is
not properly checked, and is susceptible to a buffer overrun. The overrun
could be exploited for either of two purposes: causing a system failure,
or running code on the system with LocalSystem privileges. If an attacker
were able to log onto an affected server, modify a phonebook entry with
especially malformed data, and then make a connection using the modified
phonebook entry, the malformed data could be run as code by the system.

DETAILS

Affected Software:
 * Microsoft Windows NT 4.0
 * Microsoft Windows NT 4.0 Terminal Server Edition
 * Microsoft Windows 2000
 * Microsoft Windows XP
 * Microsoft Routing and Remote Access Server, which can be installed on
Windows NT 4.0 Service Pack 6 or NT 4.0 Terminal Server Edition Service
Pack 6.

Mitigating factors:
 * The vulnerability could only be exploited by an attacker who had the
appropriate credentials to log onto an affected system.

 * Best practices suggest that unprivileged users not be allowed to
interactively log onto business-critical servers. If this recommendation
has been followed, machines such as domain controllers, ERP servers, print
and file servers, database servers, and others would not be at risk from
this vulnerability.

Patch availability:
Download locations for this patch
 * Microsoft Windows NT 4.0:
   http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp
 * Microsoft Windows NT 4.0 running RRAS (English Only):
   http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp
 * Microsoft Windows NT 4.0 Terminal Server Edition:
   http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp
 * Microsoft Windows NT 4.0 Terminal Server Edition running RRAS (English Only):
   http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp
 * Microsoft Windows 2000:
   http://www.microsoft.com/windows2000/downloads/security/q318138/default.asp
 * Microsoft Windows XP:
   http://www.microsoft.com/downloads/release.asp?ReleaseID=38833
 * Microsoft Windows XP 64-bit Edition:
   http://www.microsoft.com/downloads/release.asp?ReleaseID=39011

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could gain complete control over the machine,
thereby gaining the ability to take any desired action on the machine,
such as adding, deleting, or modifying data on the system, creating or
deleting user accounts, and adding accounts to the local administrators
group.

The vulnerability could only be exploited by an attacker who had
credentials to log onto the computer where the RAS phonebook is held. Best
practices suggest that unprivileged users not be allowed to interactively
log onto business-critical servers; if this guidance has been followed,
such servers would not be at risk from this vulnerability.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Remote
Access Service Phonebook. By creating an especially malformed phonebook
entry, it could be possible to conduct a buffer overrun attack against an
affected system.

What is the Remote Access Service?
The Remote Access Service lets users connect to a remote computer over
phone lines, so they can work as if their system were physically connected
to the remote network. These services enable remote users to perform
activities such as sending and receiving e-mail, faxing documents,
retrieving files, and printing documents on an office printer.

The Remote Access Service is a native service in Windows NT 4.0, Windows
2000 and XP. In addition, a separately downloadable Routing and Remote
Access Service (RRAS, also known as Steelhead) is available for Windows NT
4.0 and Windows NT 4.0 Terminal Server Edition, and it also includes a RAS
implementation.

What is the Remote Access Service Phonebook?
The RAS phonebook is used to keep information that describes sites that
can be connected to using dial-up networking via RAS. A phonebook entry
contains information about the dial-up phone number, security, and network
settings.

For example, if we were to create a phonebook entry for "Office computer",
we might say that the phone number for the remote computer is "555-1837",
and that the PPP protocol should be used to dial the computer. We might
also specify the TCP/IP address for our computer and that the default
gateway should be used.

What's wrong with the RAS phonebook?
There is an unchecked buffer in the code that reads the RAS phonebook
entries.

What would this vulnerability enable an attacker to do?
The attacker could use this vulnerability for either of two purposes:
 * Privilege elevation on the system. By overrunning the buffer with
carefully selected data, it would be possible for the attacker to run code
in the context of the LocalSystem account, that is, as the operating
system itself.
 * Denial of service. By overrunning the buffer with random data, the
attacker could cause services or the server itself to fail.

How might an attacker exploit the vulnerability?
The attacker could log onto the computer that holds the RAS phonebook and
then modify an entry in the phonebook with especially malformed data.
The attacker could then log out, and log on using the modified dial-up
entry. The RAS system would read the modified dial-up entry from the
phonebook and the malformed data would be used.

Alternately, the attacker could modify an existing phonebook entry and
then wait for another user to attempt to connect to a remote computer
using the modified dial-up entry.

Who could exploit the vulnerability?
Anyone who could log onto the system interactively. Best practices suggest
that unprivileged users not be allowed to interactively log onto
business-critical servers. If best practices are followed, then it is
workstations and terminal servers that would chiefly be at risk.

I use Windows NT 4.0, and I see that there are two patches for it. Which
should I apply?
If you have installed RRAS on Windows NT 4.0 you should apply the RRAS
version of this fix. If you have not installed RRAS on Windows NT 4.0 then
you should apply the standard RAS fix. The same is true for RRAS on
Windows NT 4.0 Terminal Server Edition.

I don't know whether RRAS is installed on my system. How can I tell?
To see if RRAS is installed on Windows NT 4.0, go to Network Neighborhood
and select the Services tab from Properties. If the "Routing and Remote
Access Service" is listed then RRAS has been installed.

What does the patch do?
The patch eliminates the vulnerability by instituting proper input
checking on the RAS phonebook entries.
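The flaw described under "What's wrong with the RAS phonebook?" and the fix described under "What does the patch do?" are both instances of one pattern: a value read from a file is copied into a fixed-size buffer without first comparing its length to the buffer's size. The following C program is an added illustration of that pattern and is not Microsoft's code; it assumes a simple INI-style phonebook layout ([Entry] sections with key=value lines) and a 32-byte destination buffer purely for demonstration, since the advisory does not describe the real file format or the real buffer size. It shows the unchecked copy beside a checked version that rejects an over-length value instead of truncating it silently, using a constructed sample phonebook with one well-formed and one over-long entry.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample phonebook in an assumed INI style. The real RAS
 * phonebook layout is not described by the advisory; this is illustration. */
static const char *SAMPLE_PHONEBOOK =
    "[Office computer]\n"
    "PhoneNumber=555-1837\n"
    "Device=PPP\n"
    "[Tampered entry]\n"
    "PhoneNumber=555-1837555-1837555-1837555-1837555-1837555-1837\n";

/* Assumed fixed-size destination, as a service might allocate on the stack. */
#define PHONE_MAX 32

/* Return a pointer to the value of `key` inside section `entry`, or NULL.
 * `len` receives the value's length; the value is not NUL-terminated in place. */
static const char *find_value(const char *pbk, const char *entry,
                              const char *key, size_t *len)
{
    const char *p = pbk;
    int in_entry = 0;
    size_t klen = strlen(key);

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (*p == '[') {
            /* Section header of the form [name]: compare the name exactly. */
            const char *close = memchr(p, ']', linelen);
            in_entry = close != NULL &&
                       (size_t)(close - p - 1) == strlen(entry) &&
                       memcmp(p + 1, entry, (size_t)(close - p - 1)) == 0;
        } else if (in_entry && linelen > klen && p[klen] == '=' &&
                   memcmp(p, key, klen) == 0) {
            *len = linelen - klen - 1;
            return p + klen + 1;
        }
        p = eol ? eol + 1 : p + linelen;
    }
    return NULL;
}

/* VULNERABLE pattern: copies whatever length the file holds into a fixed
 * buffer. An over-long value writes past the end of `dst`. Shown for
 * contrast only; it is never called on the over-long entry here. */
static int read_phone_unchecked(const char *pbk, const char *entry,
                                char dst[PHONE_MAX])
{
    size_t len;
    const char *v = find_value(pbk, entry, "PhoneNumber", &len);
    if (!v) return -1;
    memcpy(dst, v, len);      /* no comparison against PHONE_MAX */
    dst[len] = '\0';          /* out of bounds when len >= PHONE_MAX */
    return 0;
}

/* HARDENED pattern: validate the length before copying and reject an entry
 * that does not fit. Returns 0 on success, -1 if missing, -2 if over-long. */
static int read_phone_checked(const char *pbk, const char *entry,
                              char dst[PHONE_MAX])
{
    size_t len;
    const char *v = find_value(pbk, entry, "PhoneNumber", &len);
    if (!v) return -1;
    if (len >= PHONE_MAX) return -2;   /* leave room for the terminator */
    memcpy(dst, v, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char num[PHONE_MAX];
    int rc = read_phone_checked(SAMPLE_PHONEBOOK, "Office computer", num);
    printf("checked, good entry: rc=%d value=%s\n", rc, rc == 0 ? num : "");
    rc = read_phone_checked(SAMPLE_PHONEBOOK, "Tampered entry", num);
    printf("checked, tampered entry: rc=%d (rejected before any copy)\n", rc);
    return 0;
}
```

The important design choice is that the checked reader refuses the entry outright rather than truncating it: a silently truncated phone number or device string would still be used by the service and could mask tampering, whereas a hard failure is both safe and loggable.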

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security
(secnotif@MICROSOFT.COM).
