__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Center
                               C I A C
__________________________________________________________

                         INFORMATION BULLETIN

               Microsoft Predictable Name Pipes In Telnet

June 11, 2001 18:00 GMT                                         Number L-092
______________________________________________________________________________

PROBLEM:       The Microsoft Telnet service has seven vulnerabilities. They
               stem from the way the service creates and tears down Telnet
               sessions and from the handling of the logon sequence.

PLATFORM:      Windows 2000

DAMAGE:        Two vulnerabilities, through the misuse of predictably named
               initialization pipes, allow a malicious party to elevate
               privileges to Local System. Four vulnerabilities allow denial
               of service (DoS) attacks against the Telnet service. A final
               vulnerability can disclose the existence of Guest accounts
               reachable through the server. The mitigating factor for the
               privilege elevation vulnerabilities is that the malicious
               party must already be able to run code locally on the server.

SOLUTION:      Apply the patch provided by Microsoft.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. This information has been made publicly
ASSESSMENT:    available. Additionally, there is a wide range of
               vulnerabilities affecting the Telnet service.
______________________________________________________________________________

[****** Begin Microsoft Bulletin ******]

- ---------------------------------------------------------------------
Title:      Predictable Name Pipes Could Enable Privilege Elevation via Telnet
Date:       07 June 2001
Software:   Windows 2000
Impact:     Privilege elevation, denial of service, information disclosure
Bulletin:   MS01-031

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp.
- ---------------------------------------------------------------------

Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting the
Windows 2000 Telnet service. The vulnerabilities fall into three broad
categories: privilege elevation, denial of service and information
disclosure.

Two of the vulnerabilities could allow privilege elevation, and have their
roots in flaws related to the way Telnet sessions are created. When a new
Telnet session is established, the service creates a named pipe, and runs
any code associated with it as part of the initialization process. However,
the pipe's name is predictable, and if Telnet finds an existing pipe with
that name, it simply uses it. An attacker who had the ability to load and
run code on the server could create the pipe and associate a program with
it, and the Telnet service would run the code in Local System context when
it established the next Telnet session.

Four of the vulnerabilities could allow denial of service attacks. None of
these vulnerabilities have anything in common with each other.

 - One occurs because it is possible to prevent Telnet from terminating
   idle sessions; by creating a sufficient number of such sessions, an
   attacker could deny sessions to any other user.
 - One occurs because of a handle leak when a Telnet session is terminated
   in a certain way. By repeatedly starting sessions and then terminating
   them, an attacker could deplete the supply of handles on the server to
   the point where it could no longer perform useful work.
 - One occurs because a logon command containing a particular malformation
   causes an access violation in the Telnet service.
 - One occurs because a system call can be made using only normal user
   privileges, which has the effect of terminating a Telnet session.

The final vulnerability is an information disclosure vulnerability that
could make it easier for an attacker to find Guest accounts exposed via the
Telnet server. It has exactly the same cause, scope and effect as a
vulnerability affecting FTP and discussed in Microsoft Security Bulletin
MS01-026.

Mitigating Factors:
====================
Privilege elevation vulnerabilities:
 - Because the attacker would need the ability to load and run code on the
   Telnet server, it is likely that these vulnerabilities could only be
   exploited by an attacker who had the ability to run code locally on the
   Telnet server.
 - Administrative privileges are needed to start the Telnet service, so the
   attacker could only exploit the vulnerability if Telnet were already
   started on the machine.

Denial of service vulnerabilities:
 - It would not be necessary to reboot the server to recover from any of
   these vulnerabilities. At worst, the Telnet service would need to be
   restarted.
 - None of these vulnerabilities could be used to gain additional
   privileges on the machine; they are denial of service vulnerabilities
   only.

Information disclosure vulnerability:
 - The vulnerability could only be exploited if the Guest account on the
   local machine was disabled, but the Guest account on a trusted domain
   was enabled. By default, the Guest account is disabled.

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the Security
   Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-031.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Guardent (www.guardent.com) for reporting the two privilege elevation
   vulnerabilities and one of the denial of service vulnerabilities.
 - Richard Reiner of Securexpert (www.securexpert.com) for reporting one of
   the denial of service vulnerabilities.
 - Bindview's Razor Team (razor.bindview.com) for reporting one of the
   denial of service vulnerabilities.
 - Peter Grundl for reporting one of the denial of service vulnerabilities.
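The named-pipe flaw described in the Issue section above is one instance of a general pattern: a privileged service creates an IPC endpoint under a predictable name and, when that name is already taken, adopts whatever object is there instead of failing. The C program below is an added illustration, not part of the Microsoft or CIAC text. It expresses the pattern with POSIX FIFOs so that it runs on any Unix-like system: the "trusting" variant swallows EEXIST and opens the pre-created object, the "exclusive" variant refuses a name that already exists and then verifies that what it opened is a FIFO it owns. On Windows the equivalent of the exclusive-create step is passing FILE_FLAG_FIRST_PIPE_INSTANCE to CreateNamedPipe and treating the resulting ERROR_ACCESS_DENIED as an attack rather than as a pipe to reuse. The temporary directory, the file name telnet-init and the "attacker" step are all constructed for this demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, mirroring the Telnet behaviour described in MS01-031:
 * create the endpoint at a predictable name and, if the name already
 * exists, simply use whatever object is there.  Returns an fd or -1. */
int open_endpoint_trusting(const char *path)
{
    if (mkfifo(path, 0600) < 0 && errno != EEXIST)
        return -1;
    /* EEXIST was swallowed: a pre-created FIFO is adopted unchecked. */
    return open(path, O_RDONLY | O_NONBLOCK);
}

/* Hardened pattern: exclusive creation, fail closed on EEXIST, then verify
 * that the object opened is the FIFO just created and that we own it. */
int open_endpoint_exclusive(const char *path)
{
    struct stat st;
    int fd;

    if (mkfifo(path, 0600) < 0)
        return -1;                 /* EEXIST: name already squatted; refuse */

    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0) {
        unlink(path);
        return -1;
    }
    if (fstat(fd, &st) < 0 || !S_ISFIFO(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Demonstration: an "attacker" pre-creates the predictable name, then both
 * service variants try to set up their endpoint.  Returns 0 when the
 * trusting variant adopts the squatted FIFO and the exclusive variant
 * refuses it; any other value is the number of the step that misbehaved.
 * Directory and file name are constructed for this example. */
int squat_demo(void)
{
    char dir[] = "/tmp/pipe-squat-XXXXXX";   /* constructed scratch location */
    char path[128];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/telnet-init", dir);

    if (mkfifo(path, 0666) < 0) {            /* attacker squats the name */
        rmdir(dir);
        return 2;
    }

    fd = open_endpoint_trusting(path);       /* vulnerable: succeeds */
    if (fd < 0)
        rc = 3;
    else
        close(fd);

    fd = open_endpoint_exclusive(path);      /* hardened: must return -1 */
    if (fd >= 0) {
        close(fd);
        rc = 4;
    }

    unlink(path);
    rmdir(dir);
    return rc;
}

/* Control case: on a fresh, unsquatted name the exclusive variant succeeds. */
int fresh_demo(void)
{
    char dir[] = "/tmp/pipe-fresh-XXXXXX";
    char path[128];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/telnet-init", dir);

    fd = open_endpoint_exclusive(path);
    if (fd < 0)
        rc = 2;
    else
        close(fd);

    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("squatted name: %s\n", squat_demo() == 0 ? "trusting adopts, exclusive refuses" : "unexpected");
    printf("fresh name:    %s\n", fresh_demo() == 0 ? "exclusive creates" : "unexpected");
    return 0;
}
```

Because the demonstration runs as a single user, the decisive check is the refusal on EEXIST; the fstat ownership and type test is defence in depth against the name being replaced with a regular file or a symbolic link between creation and open. A real service should additionally use an unpredictable name or a restrictive security descriptor so that an unprivileged local user cannot create the object at all.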
- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

[****** End Microsoft Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-082: Cisco IOS BGP Attribute Corruption Vulnerability
L-083: Microsoft CGI Filename Decode Error Vulnerability in IIS
L-084: Red Hat Samba Package /tmp Race Condition
L-085: Cisco Content Service Switch FTP Vulnerability
L-086: Cisco Multiple Vulnerabilities in CBOS
L-087: Microsoft Internet Explorer Flaws in Certificate Validation
L-088: Cisco IOS Reload after Scanning Vulnerability
L-089: Windows Unchecked Buffer in Media Player .ASX Processor
L-090: Cisco 11000 Series Switch, Web Management Vulnerability
L-091: Microsoft Exchange Server Outlook Web Access Flaw