
ms02-029

Posted Aug 29, 2002
Site microsoft.com

Microsoft Security Bulletin MS02-029 - Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution. A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system.

tags | remote, overflow, code execution
SHA-256 | a26971b2daeda8478163409faa9a87202f60946cc23dfe234f384666389736ae

Microsoft Security Bulletin MS02-029

Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)

Originally posted: June 12, 2002
Updated: July 2, 2002 (Version 2.0)

Summary

Who should read this bulletin: Customers using Microsoft® Windows NT®, Windows® 2000
and Windows XP.

Impact of vulnerability: Local privilege elevation.

Maximum Severity Rating: Critical

Recommendation: Administrators should apply the patch immediately to machines that
allow unprivileged users to log onto them interactively, such as workstations and
Terminal Servers.

Affected Software:

* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0 Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Routing and Remote Access Server, which can be installed on Windows NT
4.0 Service Pack 6 or NT 4.0 Terminal Server Edition Service Pack 6.

Technical details

Technical description:

On June 12, 2002, Microsoft released the original version of this bulletin. On July 2,
2002, the bulletin was updated to reflect the availability of a revised patch. Although
the original patch completely eliminated the vulnerability, it had the side effect of
preventing non-administrative users from making VPN connections in some cases. The
revised patch correctly handles VPN connections. The revised patch is immediately
available from the Download Center and will be soon made available via WindowsUpdate.

The Remote Access Service (RAS) provides dial-up connections between computers and
networks over phone lines. RAS is delivered as a native system service in Windows NT
4.0, Windows 2000 and Windows XP, and also is included in a separately downloadable
Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these
implementations include a RAS phonebook, which is used to store information about
telephone numbers, security, and network settings used to dial-up remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value is not properly
checked, and is susceptible to a buffer overrun. The overrun could be exploited for
either of two purposes: causing a system failure, or running code on the system with
LocalSystem privileges. If an attacker were able to log onto an affected server and
modify a phonebook entry using specially malformed data, then made a connection using
the modified phonebook entry, the specially malformed data could be run as code by the
system.

Mitigating factors:

* The vulnerability could only be exploited by an attacker who had the appropriate
credentials to log onto an affected system.
* Best practices suggest that unprivileged users not be allowed to interactively
log onto business-critical servers. If this recommendation has been followed,
machines such as domain controllers, ERP servers, print and file servers, database
servers, and others would not be at risk from this vulnerability.

Severity Rating:

                                                    Internet   Intranet   Client
                                                    Servers    Servers    Systems
Windows NT 4.0                                      Low        Low        Moderate
Windows NT 4.0 Routing and Remote Access Server     Low        Low        Moderate
Windows NT 4 Terminal Server Edition                Low        Critical   None
Windows NT 4 Terminal Server Edition,
  Routing and Remote Access Server                  Low        Critical   None
Windows 2000                                        Low        Critical   Moderate
Windows XP                                          Low        Low        Moderate

The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability
would have on them. The attacker must have credentials to logon to the computer where
the RAS phonebook is held.

Vulnerability identifier: CAN-2002-0366

Tested Versions:
Microsoft tested Windows NT4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000,
and Windows XP to assess whether they are affected by this vulnerability. Previous
versions are no longer supported, and may or may not be affected by these
vulnerabilities.

Frequently asked questions

Why was this bulletin updated?

On July 2, 2002, we updated this bulletin to advise customers of the availability of a
revised patch. The original patch completely eliminated the vulnerability, but it also
introduced a bug that could have the effect of requiring administrative privileges in
order to establish a Virtual Private Network (VPN) connection.

Microsoft has updated the patch to eliminate the bug. Customers who applied the
original patch should consider applying the new one if the bug described above affects
them. Customers who did not apply the original patch should apply the new one. The
revised patch is immediately available from the Download Center and will be soon made
available via WindowsUpdate.

What’s the scope of the vulnerability?

This is a privilege elevation vulnerability. An attacker who successfully exploited
this vulnerability could gain complete control over the machine, thereby gaining the
ability to take any desired action on the machine, such as adding, deleting, or
modifying data on the system, creating or deleting user accounts, and adding accounts
to the local administrators group.

The vulnerability could only be exploited by an attacker who had credentials to log
onto the computer where the RAS phonebook is held. Best practices suggest that
unprivileged users not be allowed to interactively log onto business-critical servers;
if this guidance has been followed, such servers would not be at risk from this
vulnerability.

What causes the vulnerability?

The vulnerability results because of an unchecked buffer in the Remote Access Service
Phonebook. By creating a specially malformed phonebook entry, it could be possible to
conduct a buffer overrun attack against an affected system.

What is the Remote Access Service?

The Remote Access Service lets users connect to a remote computer over phone lines, so
they can work as if their system were physically connected to the remote network. These
services enable remote users to do activities such as send and receive e-mail, fax
documents, retrieve files, and print documents on an office printer.

The Remote Access Service is a native service in Windows NT 4.0, Windows 2000 and XP.
In addition, a separately downloadable Routing and Remote Access Service (RRAS, also
known as Steelhead) is available for Windows NT 4.0 and Windows NT 4.0 Terminal Server
Edition, and it also includes a RAS implementation.

What is the Remote Access Service Phonebook?

The RAS phonebook is used to keep information that describes sites that can be
connected to using dial-up networking via RAS. A phonebook entry contains information
about the dial-up phone number, security, and network settings.

For example, if we were to create a phonebook entry for “Office computer”, we might say
that the phone number for the remote computer is “555-1837”, and that the PPP protocol
should be used to dial the computer. We might also specify the TCP/IP address for our
computer and that the default gateway should be used.

What’s wrong with the RAS phonebook?

There is an unchecked buffer in the code that reads the RAS phonebook entries.

What would this vulnerability enable an attacker to do?

The attacker could use this vulnerability for either of two purposes:

* Privilege elevation on the system. By overrunning the buffer with carefully
selected data, it would be possible for the attacker to run code in the context of
the LocalSystem account, that is, as the operating system itself.
* Denial of service. By overrunning the buffer with random data, the attacker could
cause services or the server itself to fail.

How might an attacker exploit the vulnerability?

The attacker could log on to the computer that holds the RAS phonebook and then modify
an entry in the phonebook with specially malformed data. The attacker could then
log out, and log on using the modified dial-up entry. The RAS system would read the
modified dial-up entry from the phonebook and the malformed data would be used.

Alternately, the attacker could modify an existing phonebook entry and then wait for
another user to attempt to connect to a remote computer using the modified dial-up
entry.

Who could exploit the vulnerability?

Anyone who could log onto the system interactively. Best practices suggest that
unprivileged users not be allowed to interactively log onto business-critical servers.
If best practices are followed, then it is workstations and terminal servers that would
chiefly be at risk.

I use Windows NT 4.0, and I see that there are two patches for it. Which should I
apply?

If you have installed RRAS on Windows NT 4.0 you should apply the RRAS version of this
fix. If you haven't applied RRAS on Windows NT 4.0 then you should apply the standard
RAS fix. The same is true for RRAS on Windows NT 4.0 Terminal Server Edition.

I don’t know whether RRAS is installed on my system. How can I tell?

To see if RRAS is installed on Windows NT 4.0, go to Network Neighborhood and select
the Services tab from Properties. If the “Routing and Remote Access Service” is listed
then RRAS has been installed.

What does the patch do?

The patch eliminates the vulnerability by instituting proper input checking on the RAS
phonebook entries.
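The bulletin describes the defect class (a phonebook value copied into a fixed buffer without a length check) and the fix (input checking on the entries) without showing either. The following is an added illustration, not Microsoft's code: a phonebook-style "Key=Value" line read into a fixed-size field, first the unchecked way and then with the bound the patch is said to institute. The field name, field size and sample entry are assumed for illustration; which phonebook value was actually affected is not stated in the bulletin.

```c
#include <stdio.h>
#include <string.h>

#define PHONE_MAX 32   /* assumed fixed-size destination field, for illustration */

typedef enum { PB_OK = 0, PB_NO_MATCH = 1, PB_TOO_LONG = 2 } pb_status;

/* Unchecked copy: the defect class MS02-029 describes. If the value is longer
   than PHONE_MAX-1 bytes, this writes past the end of dst. */
static void read_value_unchecked(char dst[PHONE_MAX], const char *value)
{
    strcpy(dst, value);   /* no bound on the source length */
}

/* Checked parse: matches "key=" at the start of the line, then copies the value
   only if it fits in dst; oversized values are rejected, not truncated silently. */
static pb_status read_value_checked(const char *line, const char *key,
                                    char *dst, size_t dst_len)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != '=')
        return PB_NO_MATCH;

    const char *value = line + klen + 1;
    size_t vlen = strcspn(value, "\r\n");   /* value ends at end of line */
    if (vlen >= dst_len) {
        dst[0] = '\0';                      /* leave dst in a defined state */
        return PB_TOO_LONG;
    }
    memcpy(dst, value, vlen);
    dst[vlen] = '\0';
    return PB_OK;
}

/* Constructed sample lines (not from a real .pbk file). */
static const char *sample_ok   = "PhoneNumber=555-1837\r\n";
static const char *sample_long = "PhoneNumber="
                                 "5551837" "5551837" "5551837" "5551837" "5551837" "\r\n";

int main(void)
{
    char phone[PHONE_MAX];
    pb_status st = read_value_checked(sample_ok, "PhoneNumber", phone, sizeof phone);
    printf("checked, fits:     status=%d value=%s\n", st, phone);
    st = read_value_checked(sample_long, "PhoneNumber", phone, sizeof phone);
    printf("checked, too long: status=%d (value rejected)\n", st);
    read_value_unchecked(phone, "555-1837");  /* harmless only because input is short */
    printf("unchecked, short:  value=%s\n", phone);
    return 0;
}
```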

Patch availability

Download locations for this patch

* Microsoft Windows NT 4.0:
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp
* Microsoft Windows NT 4.0 running RRAS (English Only):
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp
* Microsoft Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp
* Microsoft Windows NT 4.0 Terminal Server Edition running RRAS (English Only):
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp
* Microsoft Windows 2000:
http://www.microsoft.com/windows2000/downloads/security/q318138/default.asp
* Microsoft Windows XP:
http://www.microsoft.com/downloads/release.asp?ReleaseID=38833
* Microsoft Windows XP 64-bit Edition:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39011

Additional information about this patch

Installation platforms:

* The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
* The Windows Routing and Remote Access Server patch can be installed on systems
running Windows NT 4.0 Service Pack 6a (English only).
* The Windows NT 4.0 Terminal Server Edition patch can be installed on systems
running Windows NT 4.0 Terminal Server Edition Service Pack 6.
* The Windows NT 4.0 Terminal Server Edition, Routing and Remote Access Server patch
can be installed on systems running Windows NT 4.0 Terminal Server Edition Service
Pack 6.
* The Windows 2000 patch can be installed on systems running Windows 2000 Service
Pack 1 or Windows 2000 Service Pack 2.
* The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:

* The fix for this issue will be included in Windows 2000 Service Pack 3.
* The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

Windows NT 4.0 Service Pack 6a:

* To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138
* To verify the individual files, consult the file manifest in Knowledge Base
article Q318138.

Windows NT 4.0 Terminal Server Edition Service Pack 6:

* To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138
* To verify the individual files, consult the file manifest in Knowledge Base
article Q318138.

Windows 2000 Service Pack 2:

* To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138
* To verify the individual files, use the date/time and version information provided
in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138\Filelist

Windows XP:

* To verify that the patch has been installed, confirm that the following registry
key has been created on the machine:
HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138
* To verify the individual files, use the date/time and version information provided
in the following registry key:
HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138\Filelist

Caveats:
None

Localization:
Localized versions of this patch are currently available at the locations listed above
in "Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:

* Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site
* All patches available via WindowsUpdate also are available in a redistributable
form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks Mark Litchfield of Next Generation Security Software Ltd. for
reporting this issue to us and working with us to protect customers.

Support:

* Microsoft Knowledge Base article Q318138 discusses this issue and will be
available approximately 24 hours after the release of this bulletin. Knowledge
Base articles can be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services. There is
no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Microsoft Corporation or its suppliers have been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may
not apply.

Revisions:

* V1.0 (June 12, 2002): Bulletin Created.
* V1.1 (June 20, 2002): Caveats section updated to include information regarding an
issue with the patch and VPN connections.
* V1.2 (July 1, 2002): Caveats section updated to clarify that the patch has been
removed from WindowsUpdate.
* V2.0 (July 2, 2002): Updated with revised patch that correctly handles VPN
connections.

© 2002 Microsoft Corporation. All rights reserved.
