Microsoft Security Bulletin MS02-029

From: Jerry Bryant [MS] (jbryant@online.microsoft.com)
Date: 06/13/02


From: "Jerry Bryant [MS]" <jbryant@online.microsoft.com>
Date: Wed, 12 Jun 2002 16:22:14 -0700


Title:    Unchecked Buffer in Remote Access Service Phonebook Could
          Lead to Code Execution (Q318138)
Date:     12 June 2002
Software: Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP,
          Routing and Remote Access Server (RRAS)
Impact:   Local Privilege Escalation
Max Risk: Critical
Bulletin: MS02-029

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp.

----------------------------------------------------------------------

Issue:
======

The Remote Access Service (RAS) provides dial-up connections between
computers and networks over phone lines. RAS is delivered as a native
system service in Windows NT 4.0, Windows 2000 and Windows XP, and
also is included in a separately downloadable Routing and Remote
Access Server (RRAS) for Windows NT 4.0. All of these implementations
include a RAS phonebook, which is used to store information about
telephone numbers, security, and network settings used to dial up
remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value
is not properly checked, and is susceptible to a buffer overrun. The
overrun could be exploited for either of two purposes: causing a
system failure, or running code on the system with LocalSystem
privileges. If an attacker were able to log onto an affected server
and modify a phonebook entry using specially malformed data, and then
made a connection using the modified phonebook entry, the specially
malformed data could be run as code by the system.

Mitigating Factors:
====================

- The vulnerability could only be exploited by an attacker who had
  the appropriate credentials to log onto an affected system.

- Best practices suggest that unprivileged users not be allowed to
  interactively log onto business-critical servers. If this
  recommendation has been followed, machines such as domain
  controllers, ERP servers, print and file servers, database
  servers, and others would not be at risk from this vulnerability.

Risk Rating:
============

- Internet systems: Low
- Intranet systems: Critical
- Client systems: Moderate

Patch Availability:
===================

- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-029.asp
  for information on obtaining this patch.

Acknowledgment:
===============

- David Litchfield of Next Generation Security Software Ltd.
  (http://www.nextgenss.com/)

----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
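
Added illustration of the flaw class described under "Issue" above; it is not part of the bulletin and is not Microsoft's code. It shows a length-checked parser for one Key=Value line of a phonebook-style file. The record layout, the 64-byte limit, the function names and the sample lines are assumptions, since the bulletin does not name the affected value or its size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit and record layout, for illustration only. */
#define PB_VALUE_MAX 64

struct pb_field {
    char key[32];
    char value[PB_VALUE_MAX];
};

enum pb_status { PB_OK = 0, PB_MALFORMED = -1, PB_TOO_LONG = -2 };

/* Parse one "Key=Value" line into a fixed-size record.
 * The unchecked pattern amounts to strcpy(out->value, eq + 1): whoever
 * wrote the file, not the program, decides how many bytes are written.
 * Here both lengths are checked against the destination before any copy. */
enum pb_status pb_parse_line(const char *line, struct pb_field *out)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL || eq == line)
        return PB_MALFORMED;                   /* no '=' or empty key */

    size_t key_len = (size_t)(eq - line);
    size_t val_len = strcspn(eq + 1, "\r\n");  /* value ends at end of line */

    if (key_len >= sizeof out->key || val_len >= sizeof out->value)
        return PB_TOO_LONG;                    /* reject rather than truncate */

    memcpy(out->key, line, key_len);
    out->key[key_len] = '\0';
    memcpy(out->value, eq + 1, val_len);
    out->value[val_len] = '\0';
    return PB_OK;
}

int main(void)
{
    /* Constructed sample input, not taken from a real phonebook file. */
    char overlong[256];
    memset(overlong, 'A', sizeof overlong - 1);
    memcpy(overlong, "Number=", 7);
    overlong[sizeof overlong - 1] = '\0';

    struct pb_field f;
    printf("normal:   %d\n", pb_parse_line("Number=5550100\r\n", &f));
    printf("overlong: %d\n", pb_parse_line(overlong, &f));
    return 0;
}
```

Because the parsing code runs with the privileges of the service that reads the file, an overlong value has to be rejected before the copy, not detected afterwards.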

