[NT] Vulnerabilities in Windows Kernel and LSASS Allows Elevation of Privilege (MS04-044)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/15/04
- Previous message: SecuriTeam: "[NT] Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name Validation, Association Context)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 15 Dec 2004 17:05:59 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerabilities in Windows Kernel and LSASS Allows Elevation of Privilege
(MS04-044)
------------------------------------------------------------------------
SUMMARY
This update resolves several newly-discovered, privately reported
vulnerabilities. An attacker who successfully exploited the most severe of
these vulnerabilities could take complete control of an affected system,
including installing programs; viewing, changing, or deleting data; or
creating new accounts that have full privileges.
DETAILS
Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=325EAA8F-AF09-4839-B9E8-BB218C7A8564> Download the update
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
-
<http://www.microsoft.com/downloads/details.aspx?FamilyId=9823A61F-C69F-403A-BD6A-EF3984BFA2B8> Download the update
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=EFDEA122-DDA4-40B8-A7AF-9DDCC3870C38> Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=27115D5C-3E4A-4F41-B81E-376AA1CD204F> Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1649AE1E-0ABF-4D31-BE12-3982C5146AE8> Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=95849AB9-36BF-4A90-BC37-3B4FB6DCDF9A> Download the update
* Microsoft Windows Server 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AACB97CB-E8F0-461F-B2D2-F1065229B64E> Download the update
* Microsoft Windows Server 2003 64-Bit Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=95849AB9-36BF-4A90-BC37-3B4FB6DCDF9A> Download the update
Non-Affected Software:
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
Windows Kernel Vulnerability:
A privilege elevation vulnerability exists in the way that the Windows
Kernel launches applications. This vulnerability could allow a logged on
user to take complete control of the system.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0893>
CAN-2004-0893
Mitigating Factors for Windows Kernel Vulnerability:
* An attacker must have valid logon credentials and be able to log on
locally to exploit this vulnerability. The vulnerability could not be
exploited remotely or by anonymous users.
* Attempts to exploit this vulnerability on systems that are running
Windows XP Service Pack 2 or Windows Server 2003 would most likely result
in a denial of service condition.
FAQ for Windows Kernel Vulnerability:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system, including installing programs; viewing, changing, or deleting
data; or creating new accounts that have full privileges. To attempt to
exploit the vulnerability, an attacker must be able to log on locally to
the system and run a program.
What causes the vulnerability?
An unchecked buffer in a Local Procedure Call (LPC) interface does not
validate the restriction that is put on the size of data that is sent
through an LPC Port.
What is LPC?
LPC is a message-passing service that is provided by Windows. This service
allows threads and processes to communicate with each other. When a client
process must request a service from a server process, there must be a way
for the two processes to communicate with each other. There must be a way
for the client process to make requests of the server, for the server to
send responses to the client, and for each to determine their status. When
the client process and the server process are located on different
systems, Remote Procedure Call (RPC) is used. When they are located on the
same system, LPC can be used.
What are LPC Ports?
Every LPC has a collection of communications channels that are known as
LPC ports. Each port carries one type of communication. For example, an
LPC will always have a port that is used to allow one client to send
messages to the server and a port that allows the server to send messages
to each client. The LPC will also have other ports for other purposes,
such as ports that allow threads within a process to coordinate their
requests.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of an affected system, including installing programs;
viewing, changing, or deleting data; or creating new accounts that have
full privileges.
Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally
to a system and run a program.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially-designed application
that could exploit the vulnerability, and thereby gain complete control
over the affected system.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only
at risk if users who do not have sufficient administrative credentials are
given the ability to log on to servers and to run programs. However, best
practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is
targeted for attack. An attacker cannot load and run a program remotely by
using this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that the Windows
Kernel validates the length of a message before it passes the message to
the allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
LSASS Vulnerability:
A privilege elevation vulnerability exists in the way that the LSASS
validates identity tokens. This vulnerability could allow a logged on user
to take complete control of the system.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0894>
CAN-2004-0894
Mitigating Factors for LSASS Vulnerability:
* An attacker must have valid logon credentials and be able to log on
locally to exploit this vulnerability. The vulnerability could not be
exploited remotely or by anonymous users. However, as soon as an attacker
had complete control of an affected system an attacker may be able to use
that system to attack other network resources.
* Windows NT 4.0 Server is not affected by this vulnerability.
FAQ for LSASS Vulnerability:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system, including installing programs; viewing, changing, or deleting
data; or creating new accounts that have full privileges. To attempt to
exploit the vulnerability, an attacker must be able to log on locally to
the system and run a program.
What causes the vulnerability?
Incomplete validation of connection information by the Local Security
Authority Subsystem Service.
What is LSASS?
The Local Security Authority Subsystem Service (LSASS) provides an
interface for managing local security, domain authentication, and Active
Directory service processes. It handles authentication for the client and
for the server. The LSASS also contains features that are used to support
Active Directory utilities.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of an affected system, including installing programs;
viewing, changing, or deleting data; or creating new accounts that have
full privileges.
Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must be able to log on locally
to a system and run a program.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially-designed application
that could exploit the vulnerability, and thereby gain complete control
over the affected system. As soon as an attacker had complete control of
an affected system, an attacker may be able to use that system to attack
other network resources.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only
at risk if users who do not have sufficient administrative credentials are
given the ability to log on to servers and to run programs. However, best
practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is
targeted for attack. An attacker cannot load and run a program remotely by
using this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that LSASS
validates connection information.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx>
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name Validation, Association Context)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
