exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ms01-031

ms01-031
Posted Jun 8, 2001

Microsoft Security Advisory MS01-031 - This bulletin discusses seven new vulnerabilities affecting the Windows 2000 Telnet service. The vulnerabilities fall into three broad categories: privilege elevation, denial of service and information disclosure. Two of the vulnerabilities allow privilege elevation and four are denial of service attacks. Microsoft FAQ on this issue available here.

tags | denial of service, vulnerability, info disclosure
systems | windows
SHA-256 | 275cc644551b34ab079ae421747cbb602e4ba75e134167b2c0b19294f3a910b9

ms01-031

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
Title: Predictable Name Pipes Could Enable Privilege Elevation
via Telnet
Date: 07 June 2001
Software: Windows 2000
Impact: Privilege elevation, denial of service,
information disclosure
Bulletin: MS01-031

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp.
- ---------------------------------------------------------------------


Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting
the Windows 2000 Telnet service. The vulnerabilities fall into three
broad categories: privilege elevation, denial of service and
information disclosure.

Two of the vulnerabilities could allow privilege elevation, and have
their roots in flaws related to the way Telnet sessions are created.
When a new Telnet session is established, the service creates a named
pipe, and runs any code associated with it as part of the
initialization process. However, the pipe's name is predictable, and
if Telnet finds an existing pipe with that name, it simply uses it.
An attacker who had the ability to load and run code on the server
could create the pipe and associate a program with it, and the Telnet
service would run the code in Local System context when it stablished
the next Telnet session.

Four of the vulnerabilities could allow denial of service attacks.
None of these vulnerabilities have anything in common with each
other.


- One occurs because it is possible to prevent Telnet from
terminating idle sessions; by creating a sufficient number of such
sessions, an attacker could deny sessions to any other user.

- One occurs because of a handle leak when a Telnet session is
terminated in a certain way. By repeatedly starting sessions and then
terminating them, an attacker could deplete the supply of handles on
the server to point where it could no longer perform useful work.

- One occurs because a logon command containing a particular
malformation causes an access violation in the Telnet service.

- One occurs because a system call can be made using only normal
user privileges, which has the effect of terminating a Telnet
session.

The final vulnerability is an information disclosure vulnerability
that could make it easier for an attacker to find Guest accounts
exposed via the Telnet server. It has exactly the same cause, scope
and effect as a vulnerability affecting FTP and discussed in
Microsoft Security Bulletin MS01-026.

Mitigating Factors:
====================
Privilege elevation vulnerabilities:

- Because the attacker would need the ability to load and run code
on the Telnet server, it is likely that these vulnerabilities could
only be exploited by an attacker who had the ability to run code
locally on the Telnet Server.

- Administrative privileges are needed to start the Telnet service,
so the attacker could only exploit the vulnerability if Telnet were
already started on the machine.

Denial of service vulnerabilities:

- It would not be necessary to reboot the server to recover from any
of these vulnerabilities. At worst, the Telnet service would need to
be restarted.

- None of these vulnerabilities could be used to gain additional
privileges on the machine; they are denial of service vulnerabilities
only.

Information disclosure vulnerability:

- The vulnerability could only be exploited if the Guest account on
the local machine was disabled, but the Guest account on a trusted
domain was enabled. By default, the Guest account is disabled.


Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-031.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Guardent (www.guardent.com) for reporting the two privilege
elevation vulnerabilities and one of the denial of service
vulnerabilities.

- Richard Reiner of Securexpert (www.securexpert.com) for reporting
one of the denial of service vulnerabilities.

- Bindview's Razor Team (razor.bindview.com) for reporting one of
the denial of service vulnerabilities.

- Peter Grundl for reporting one of the denial of service
vulnerabilities.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOyBAKY0ZSRQxA/UrAQEEmwf/QyxJr/941IwmJXDHuGR12/j/qY93V+nK
Xtp+RDNC9m5+VbjrXTrtZIECQYQDlLXskH7wSl1QtWsH4XrXgpY0sEf/dMtA6KqH
7UsCbsS983cxm1viq7sOk45qT1YeRh0iGARFersQXR/60uAcT84G21i1iidnchm3
tvuT33TZ+KqKq+yYMhffJ8++jxZxGr7GvpwbtNVibWGrmXyVrrd2AwS+1vHGf6rP
WVWiiwxrU1GHh0doPxR2i+whvs5Gs6SWV9pEeA67Ohk9Pu08/0puwuQtjLPvHsX7
fTRHf03xVuayEscwb25OyPgF5nsvpqTqzBbOwva9yDyterffoIlYlA==
=Gprb
-----END PGP SIGNATURE-----

*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close