[NT] Flaw in Network Connection Manager Could Enable Privilege Elevation

From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 18 Aug 2002 13:03:08 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Flaw in Network Connection Manager Could Enable Privilege Elevation
------------------------------------------------------------------------

SUMMARY

The Network Connection Manager (NCM) provides a controlling mechanism for
all network connections managed by a host system. Among the functions of
the NCM is to call a handler routine whenever a network connection has
been established.

By design, this handler routine should run in the security context of the
user who established the connection. However, a flaw makes it possible,
through a very complex process, for an unprivileged user to cause the
handler routine to run in the security context of LocalSystem. An attacker
who exploited this flaw could specify code of his or her choice as the
handler, and then establish a network connection in order to cause that
code to be invoked by the NCM. The code would then run with full system
privileges.

DETAILS

Affected Software:
 * Microsoft Windows 2000

Mitigating factors:
 * The vulnerability could only be exploited by an attacker who had the
appropriate credentials to log onto an affected system interactively. Best
practices suggest that unprivileged users not be allowed to interactively
log onto business-critical servers. If this recommendation has been
followed, machines such as domain controllers, ERP servers, print and file
servers, database servers, and others would not be at risk from this
vulnerability.

Patch availability:
Download locations for this patch
 * Microsoft Windows 2000:
   http://www.microsoft.com/downloads/Release.asp?ReleaseID=41406

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could gain complete control over the machine,
thereby gaining the ability to take any desired action on the machine,
such as adding, deleting, or modifying data on the system, creating or
deleting user accounts, and adding accounts to the local administrators
group.

The vulnerability could only be exploited by an attacker who had
credentials to log onto the computer interactively. Best practices suggest
that unprivileged users not be allowed to interactively log onto
business-critical servers; if this guidance has been followed, such
servers would not be at risk from this vulnerability.
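The mitigating factor above only holds if the "Allow log on locally" and "Deny log on locally" user rights on a server really do exclude ordinary users. The following script is an added example, not part of the Microsoft bulletin or the SecuriTeam post: it exports the local security policy with secedit, parses the [Privilege Rights] section, and reports whether any broad principal (Everyone, Authenticated Users, Users, INTERACTIVE) holds SeInteractiveLogonRight without a matching deny. It assumes a current Windows host with Windows PowerShell 5.1 or later and administrative rights for the export; the Windows 2000 systems the bulletin covers predate PowerShell, so it applies the bulletin's advice to the hosts you run today. The sample export embedded at the end is constructed for illustration.

```powershell
# Added example (not from the bulletin): verify the "no interactive logon
# for unprivileged users on servers" mitigation rather than assume it.
# Assumes Windows PowerShell 5.1+ on a current Windows host; secedit needs
# an elevated session to export the local policy.

function Get-PrivilegeRightsFromIni {
    param([Parameter(Mandatory)][string]$IniText)
    # secedit's export has a [Privilege Rights] section of lines such as
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    # A leading '*' marks a SID; entries without it are account names.
    $rights = @{}
    $inSection = $false
    foreach ($line in $IniText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    return $rights
}

function Resolve-PrincipalName {
    param([Parameter(Mandatory)][string]$SidOrName)
    if ($SidOrName -notmatch '^S-1-') { return $SidOrName }
    try {
        return ([System.Security.Principal.SecurityIdentifier]$SidOrName).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { return $SidOrName }   # unresolvable (deleted account, non-Windows host): keep the raw SID
}

function Test-InteractiveLogonExposure {
    param([Parameter(Mandatory)][hashtable]$Rights)
    # Well-known SIDs that stand for "any ordinary user". If one of them is
    # allowed interactive logon and not also denied, unprivileged users can
    # reach the console or a terminal session, which is the precondition the
    # bulletin's mitigation is meant to remove.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
                'S-1-5-32-545' = 'Users'; 'S-1-5-4' = 'INTERACTIVE' }
    $allow = @($Rights['SeInteractiveLogonRight']     | Where-Object { $_ })
    $deny  = @($Rights['SeDenyInteractiveLogonRight'] | Where-Object { $_ })
    $exposed = foreach ($sid in $allow) {
        if ($broad.ContainsKey($sid) -and $deny -notcontains $sid) { $broad[$sid] }
    }
    return [pscustomobject]@{
        Exposed     = [bool]$exposed
        BroadGrants = @($exposed)
        AllowedTo   = @($allow | ForEach-Object { Resolve-PrincipalName $_ })
        DeniedTo    = @($deny  | ForEach-Object { Resolve-PrincipalName $_ })
    }
}

# Live check: export only the user-rights area of the local policy and evaluate it.
function Get-LocalInteractiveLogonExposure {
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
        $ini = Get-Content -LiteralPath $tmp -Raw   # export is UTF-16 with BOM; -Raw keeps it as one string
        return Test-InteractiveLogonExposure -Rights (Get-PrivilegeRightsFromIni -IniText $ini)
    } finally { Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue }
}

# Constructed sample export (not a real policy): Administrators and Users may
# log on locally, Guests are denied. Users is a broad grant, so this is flagged.
$sample = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"@
Test-InteractiveLogonExposure -Rights (Get-PrivilegeRightsFromIni -IniText $sample)

# On a real host, run elevated:
# Get-LocalInteractiveLogonExposure
```

A deny entry wins over an allow for the same principal, which is why the check subtracts SeDenyInteractiveLogonRight before reporting. Terminal-session logon is governed separately by SeRemoteInteractiveLogonRight; the bulletin names terminal servers as high-risk precisely because that right is usually granted broadly there, so extend the check to that right if such hosts are in scope.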

What causes the vulnerability?
The vulnerability results because it is possible for an unprivileged user
to configure the handler routine used by the Network Connection Manager
(NCM) when a new network connection is established.

What is the NCM?
The NCM is an operating system component in Windows 2000 that provides a
means of controlling a system's network connections, such as those seen in
the Network and Dial-Up Connections folder. When a user makes a new
network connection, such as through the dial-up networking wizard, the NCM
actually processes the request to make the connection.

What's wrong with the NCM?
Among the functions the NCM performs is to call a handler routine whenever
a network connection is established. A default routine is provided as part
of Windows 2000, but custom handlers also can be specified. By design,
these handlers should run in the same security context as the user.
However, it is possible for a user to cause a handler to run in the
LocalSystem security context.

Why does this pose a security vulnerability?
The NCM itself runs as LocalSystem, and when it calls the handler routine
it confers those privileges on the handler. This means that an unprivileged
user who exploited the vulnerability would be able to run software of his
or her choice with System privileges on the machine.

What would this vulnerability enable an attacker to do?
An attacker who successfully exploited the vulnerability would gain
complete control over the system, and be able to take any desired action
on it.

How might an attacker exploit the vulnerability?
The attacker would need the ability to log onto the system interactively,
because the handler routine must reside on the local system and the needed
configuration changes require local access as well. Once the attacker had
installed the new handler routine, he or she would create a network
connection in order to cause the NCM to call it. The result would be that
the attacker's handler routine would run with full privileges on the
system.

What types of systems are chiefly at risk from the vulnerability?
Any system running Windows 2000 is conceivably affected by the
vulnerability, but it is likely that Windows 2000 workstations and
terminal servers would be at greatest risk. This is because such systems
typically are configured to allow unprivileged users to log onto them
interactively. In contrast, unprivileged users are typically not allowed
to log onto servers interactively, and in such cases, these systems would
be at less risk.

How difficult would it be to exploit the vulnerability?
Exploiting the vulnerability would be an extremely difficult task,
requiring significant technical expertise.

How was the vulnerability discovered?
The vulnerability was discovered as part of a Microsoft security review.

How does the patch address the vulnerability?
The patch ensures that administrative privileges are required to specify a
custom handler for the NCM.
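The root cause and the fix both come down to who may write the configuration that names the handler: an unprivileged user could change it before the patch, and only administrators can afterwards. The bulletin does not name the key that holds that configuration, so the following script, an added example that is not part of the bulletin or the SecuriTeam post, is a general audit you point at any registry key: it lists Allow ACEs that give ordinary users SetValue or CreateSubKey (or generic write/all) on the key and its subkeys. The path 'HKLM:\SOFTWARE\Contoso\Handlers' is a placeholder to be replaced with the key under review, and the principal names assume an English-locale Windows host with Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the bulletin): find registry ACEs that let ordinary
# users change a key's values or add subkeys, i.e. the kind of permission
# that let a non-admin configure the NCM handler. The bulletin does not name
# the affected key; the path used below is a placeholder.
# Assumes Windows PowerShell 5.1+ and English principal names.

function Get-UnprivilegedWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. 'HKLM:\SOFTWARE\Contoso\Handlers' (placeholder)
        [string[]]$LowPrivPrincipals = @(
            'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests', 'NT AUTHORITY\ANONYMOUS LOGON'
        )
    )
    # Rights that let a caller change what the key points at. Only the two
    # specific bits are used (not WriteKey/FullControl, which also contain
    # read bits and would match read-only ACEs); the generic bits appear on
    # inherit-only ACEs before they are mapped to specific rights.
    $setValue     = 0x2          # RegistryRights.SetValue
    $createSubKey = 0x4          # RegistryRights.CreateSubKey
    $genericAll   = 0x10000000   # GENERIC_ALL
    $genericWrite = 0x40000000   # GENERIC_WRITE
    $writeMask = $setValue -bor $createSubKey -bor $genericAll -bor $genericWrite

    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Key       = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited      # inherited means the parent key is the real problem
            AppliesTo = $ace.InheritanceFlags
        }
    }
}

# Walk a subtree and collect every offending ACE. Deny ACEs are not weighed
# against the allows, so treat a hit as "needs review", not a confirmed write path.
function Find-UnprivilegedWriteAce {
    param([Parameter(Mandatory)][string]$Root)
    Get-UnprivilegedWriteAce -Path $Root
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-UnprivilegedWriteAce -Path $_.PSPath }
}

# Usage (placeholder path; substitute the key whose writers you want to know):
Find-UnprivilegedWriteAce -Root 'HKLM:\SOFTWARE\Contoso\Handlers' | Format-Table -AutoSize
```

Anything this reports for a key that names code to be run by a LocalSystem service is the same shape of problem the bulletin describes, whatever the component. The corrected state is an ACL in which only Administrators and SYSTEM hold SetValue and CreateSubKey, with ordinary users limited to read rights.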

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.

========================================


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
