[NT] Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 25 Jul 2002 13:27:57 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation
------------------------------------------------------------------------

SUMMARY

Microsoft Metadirectory Services (MMS) is a centralized Metadirectory
service that provides connectivity, management, and interoperability
functions to help unify fragmented directory and database environments. It
enables enterprises to link together disparate data repositories such as
the Exchange directory, Active Directory, third-party directory services, and
proprietary databases, to ensure that the data in each is consistent,
accurate, and can be centrally managed.

A flaw exists that could enable an unprivileged user to access and
manipulate data within MMS that should, by design, only be accessible to
MMS administrators. Specifically, it is possible for an unprivileged user
to connect to the MMS data repository via an LDAP client in such a way as
to bypass certain security checks. This could enable an attacker to modify
data within the MMS data repository, for the purpose of either changing
the MMS configuration or replicating bogus data to the other data
repositories.

DETAILS

Affected Software:
 * Microsoft Metadirectory Services 2.2

Mitigating factors:
 * If normal security practices have been followed, the vulnerability
could not be exploited from the Internet.
 * The vulnerability could only be exploited by an attacker who had
significant technical expertise at a protocol level. The vulnerability
does not provide access to MMS itself, but rather to the MMS data
repository. Determining what data to change - and how to change it - in
order to cause a desired effect could be quite difficult.
 * A successful attack would require a detailed understanding of the
specific way MMS had been configured, as well as information about all of
the other directories and databases it was being used to manage. It is
likely that the vulnerability could only be exploited by an attacker who
had insider knowledge about the enterprise.

Patch availability:
Download locations for this patch:
 * Microsoft Metadirectory Services 2.2 Service Pack 1:
   http://download.microsoft.com/download/mms22/Patch/Q317138/NT5/EN-US/Q317138.EXE

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could, under a very daunting set of
circumstances, gain the ability to modify business-critical data that
could then be replicated to data repositories throughout an enterprise.

The vulnerability would likely be quite difficult to exploit. It would
require great technical sophistication on the part of the attacker, as the
vulnerability provides only access to low-level data structures. In
addition, the attacker would almost certainly need insider knowledge of
how various databases and directories throughout the enterprise were
configured and used.

What causes the vulnerability?
The vulnerability results because MMS logon credentials are not correctly
verified when an LDAP client accesses MMS under certain circumstances.

What is MMS?
Microsoft Metadirectory Services is a Metadirectory service - that is, a
directory that is used to manage other directories and data sources. In
many companies, business-critical data is held in a variety of data
sources. For instance, a company might have users' email information
stored within the Exchange directory, account information stored within
Active Directory, and personnel information stored within a custom
database. MMS provides a way to link all of those data sources together,
manage them centrally, and ensure that the data in them is always
synchronized.

How widely is MMS used?
MMS is not a commonly deployed system. It typically is deployed only
within enterprises that have a large number of heterogeneous data sources
that require integration and centralized management.

What's wrong with MMS?
The problem lies in the way MMS regulates access to its data repository.
All connections to the repository should be checked to ensure that the
person making the connection has the proper credentials to perform the
actions they are performing. However, it is possible to connect to the
repository in an unusual way that has the effect of bypassing the check.

What's the MMS data repository?
MMS needs to store two different types of data locally. First, it needs to
store configuration information for MMS itself, such as administrator
userids and passwords. Second, depending upon the specific deployment
scenario, it may need to store data that is not found in any of the other
directories or databases - that is, MMS may need to act as a directory in
its own right, and ensure that the data in that directory is kept
consistent with the data in the other directories and databases.

What could this vulnerability enable an attacker to do?
The vulnerability could enable an attacker to modify data in the MMS data
repository. A successful attack could allow the attacker to, for instance,
reset the MMS administrator password, and then subsequently log directly
onto MMS as an administrator. It also could enable the attacker to create
data that would be replicated to the other data sources.

However, exploiting the vulnerability would be quite difficult. Because
the vulnerability provides access to the underlying data structures rather
than MMS itself, the attacker would need to possess a great deal of
technical knowledge about how MMS works at a protocol level. In addition,
the specific layout of the data repository is unique for every deployment,
so the attacker would need insider knowledge about the particular MMS
deployment.

Who could exploit the vulnerability?
The vulnerability could be exploited by an attacker who could create a
connection to the MMS system, and had both a detailed understanding of how
to manipulate the MMS data repository at a protocol level and significant
information about the specific MMS deployment.

Could the vulnerability be exploited via the Internet?
If normal firewalling precautions had been observed (specifically, if port
389 were blocked), users on the Internet would not be able to create a
connection, and thus could not exploit the vulnerability.

What does the patch do?
The patch eliminates the vulnerability by instituting proper credential
checking against accesses made to the MMS data repository.
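The design point behind "What's wrong with MMS?" and "What does the patch do?" is where the credential check lives: on the normal MMS logon path only, or on every access to the data repository. The following toy model is an added illustration written for this page, not Microsoft's MMS code; the class names, the sample repository entries and the sample credential are all constructed, and the "unusual" connection is simply modelled as a call that reaches the repository without going through the front end.

```python
# Added illustration, not Microsoft's MMS code: credential checks applied only on
# the MMS logon path versus on every repository access (the patched behaviour).
# All names, sample data and credentials below are constructed.

ADMIN_ACCOUNTS = {"mmsadmin": "correct horse"}   # constructed sample credential

SAMPLE_REPOSITORY = {                             # constructed sample content
    "cn=config": {"admin_password": "correct horse"},
    "cn=alice,ou=people": {"mail": "alice@example.com"},
}

class PermissionDenied(Exception):
    pass

def credentials_valid(credentials):
    """Anonymous binds (None), unknown users and wrong passwords are rejected."""
    if credentials is None:
        return False
    user, password = credentials
    return ADMIN_ACCOUNTS.get(user) == password

class Repository:
    """The MMS data repository; check_every_access=True models the patched build."""
    def __init__(self, data, check_every_access):
        self.data = {dn: dict(attrs) for dn, attrs in data.items()}
        self.check_every_access = check_every_access

    def modify(self, dn, attr, value, credentials=None):
        if self.check_every_access and not credentials_valid(credentials):
            raise PermissionDenied(f"modify of {dn} refused")
        self.data[dn][attr] = value

class MmsFrontEnd:
    """Normal MMS logon path: verifies credentials before touching the repository."""
    def __init__(self, repository):
        self.repository = repository

    def modify(self, dn, attr, value, credentials=None):
        if not credentials_valid(credentials):
            raise PermissionDenied("MMS logon failed")
        self.repository.modify(dn, attr, value, credentials)

def try_modify(target, dn, attr, value, credentials=None):
    """Attempt a change through either path; True if accepted, False if refused."""
    try:
        target.modify(dn, attr, value, credentials)
        return True
    except PermissionDenied:
        return False
```

With check_every_access=False the front end refuses an anonymous change while a direct call to the repository accepts it; with check_every_access=True both paths refuse it and only a valid administrator credential is accepted.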

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
