exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ms02-036

ms02-036
Posted Aug 30, 2002
Site microsoft.com

Microsoft Security Bulletin MS02-036 - Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation. A flaw exists that could enable an unprivileged user to access and manipulate data within Microsoft Metadirectory Services (MMS) that should, by design, only be accessible to MMS administrators. Specifically, it is possible for an unprivileged user to connect to the MMS data repository via an LDAP client in such a way as to bypass certain security checks. This could enable an attacker to modify data within the MMS data repository, either for the purpose of changing the MMS configuration or replicating bogus data to the other data repositories.

SHA-256 | b1d7451fe6e869edc7b74e470bb51d0435d64cf4b2b2f1ce168b2eea1cb3790c

ms02-036

Change Mirror Download
    TechNet Home >  Security >  Bulletins

Microsoft Security Bulletin MS02-036
[Print] Print

Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation
(Q317138)

Originally posted: July 24, 2002

Summary

Who should read this bulletin: System administrators running Microsoft®
Metadirectory Services 2.2

Impact of vulnerability: Elevation of privilege.

Maximum Severity Rating: Moderate

Recommendation: MMS administrators should apply the patch immediately.

Affected Software:

* Microsoft Metadirectory Services 2.2

Technical details

Technical description:

Microsoft Metadirectory Services (MMS) is a centralized metadirectory service
that provides connectivity, management, and interoperability functions to help
unify fragmented directory and database environments. It enables enterprises to
link together disparate data repositories such as Exchange directory, Active
Directory, third-party directory services, and proprietary databases, for the
purpose of ensuring that the data in each is consistent, accurate, and can be
centrally managed

A flaw exists that could enable an unprivileged user to access and manipulate
data within MMS that should, by design, only be accessible to MMS
administrators. Specifically, it is possible for an unprivileged user to connect
to the MMS data repository via an LDAP client in such a way as to bypass certain
security checks. This could enable an attacker to modify data within the MMS
data repository, either for the purpose of changing the MMS configuration or
replicating bogus data to the other data repositories.

Mitigating factors:

* If normal security practices have been followed, the vulnerability could
not be exploited from the Internet.
* The vulnerability could only be exploited by an attacker who had
significant technical expertise at a protocol level. The vulnerability does
not provide access to MMS itself, but rather to the MMS data repository.
Determining what data to change – and how to change it – in order to cause
a desired effect could be quite difficult
* A successful attack would require a detailed understanding of the specific
way MMS had been configured, as well as information about all of the other
directories and database it was being used to manage. It is likely that the
vulnerability could only be exploited by an attacker who had insider
knowledge about the enterprise.

Severity Rating:
Internet Servers Intranet Servers Client Systems

MMS 2.2 Moderate Moderate None
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that exploiting
the vulnerability would have on them. For an attack to succeed, the attacker
would need to have specific knowledge about the particular MMS configuration and
have an advanced knowledge of MMS.

Vulnerability identifier: CVE-CAN-2002-0697

Tested Versions:
Microsoft tested MMS 2.2 and MMS 2.2 Service Pack 1 to assess whether they are
affected by these vulnerabilities. The previous version, MMS 2.1, is no longer
supported and may or may not be affected by this vulnerability.

Frequently asked questions

What’s the scope of the vulnerability?

This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could, under a very daunting set of circumstances,
gain the ability to modify business-critical data that could then be replicated
to data repositories throughout an enterprise.

The vulnerability would likely be quite difficult to exploit. It would require
great technical sophistication on the part of the attacker, as the vulnerability
provides only access to low-level data structures. In addition, the attacker
would almost certainly need insider knowledge of how various databases and
directories throughout the enterprise were configured and used.

What causes the vulnerability?

The vulnerability results because MMS logon credentials are not correctly
verified when an LDAP client accesses MMS under certain circumstances.

What is MMS?

Microsoft Metadirectory Services is a metadirectory service – that is, a
directory that’s used to manage other directories and data sources. In many
companies, business-critical data is held in a variety of data sources. For
instance, a company might have users’ email information stored within the
Exchange directory, account information stored within Active Directory, and
personnel information stored within a custom database. MMS provides a way to
link all of those data sources together, manage them centrally, and ensure that
the data in them is always synchronized.

How widely is MMS used?

MMS is not a commonly deployed system. It typically is deployed only within
enterprises that have a large number of heterogeneous data sources that require
integration and centralized management.

What's wrong with MMS?

The problem lies in the way MMS regulates access to its data repository. All
connections to the repository should be checked to ensure that the person making
the connection has the proper credentials to perform the actions they’re
performing. However, it’s possible to connect to the repository in an unusual
way that has the effect of bypassing the check.

What’s the MMS data repository?

MMS needs to store two different types of data locally. First, it needs to store
configuration information for MMS itself, such as administrator userids and
passwords. Second, depending upon the specific deployment scenario, it may need
to store data that isn’t found in any of the other directories or databases –
that is, MMS may need to act as a directory in its own right, and ensure that
the data in that directory is kept consistent with the data in the other
directories and databases.

What could this vulnerability enable an attacker to do?

The vulnerability could enable an attacker to modify data in the MMS data
repository. A successful attack could allow the attacker to, for instance, reset
the MMS administrator password and then subsequently log directly onto MMS as an
administrator. It also could enable the attacker to create data that would be
replicated to the other data sources.

However, exploiting the vulnerability would be quite difficult. Because the
vulnerability provides access to the underlying data structures rather than MMS
itself, the attacker would need to possess a great deal of technical knowledge
about how MMS works at a protocol level. In addition, the specific layout of the
data repository is unique for every deployment, so the attacker would need
insider knowledge about the particular MMS deployment.

Who could exploit the vulnerability?

The vulnerability could be exploited by an attacker who could create a
connection to the MMS system, and had both a detailed understanding of how to
manipulate the MMS data repository at a protocol level and significant
information about the specific MMS deployment.

Could the vulnerability be exploited via the Internet?

If normal firewalling precautions had been observed (specifically, if port 389
were blocked), users on the Internet would not be able to create a connection,
and thus could not exploit the vulnerability.

What does the patch do?

The patch eliminates the vulnerability by instituting proper credential checking
against accesses made to the MMS data repository.

Patch availability

Download locations for this patch

* Microsoft Metadirectory Services 2.2 Service Pack 1:
http://download.microsoft.com/download/mms22/Patch/Q317138/NT5/EN-US/Q317138.EXE

Additional information about this patch

Installation platforms:
This patch can be installed on systems running Microsoft Metadirectory Services
2.2 Service Pack 1.

Inclusion in future service packs:
The fix for this issue will be included in the next version of MMS.

Reboot needed: Yes

Superseded patches: None

Verifying patch installation:

To verify the patch has been installed, do the following:

* When the MMS service is running, an icon appears in the system tray --
double click this icon.
* On the open MMS Server window select "Help", then "About MMS Server" from
the toolbar.
* The About MMS server window will have the version number. If the patch has
been applied, the version will be "MMS Server Version 2.2 SP1, Build
2.2(1300.28)" or higher.

Caveats:
None

Localization:
Microsoft Metadirectory Services is English only, so localized patches are not
required.

Obtaining other security patches:
Patches for other security issues are available from the following locations:

* Security patches are available from the Microsoft Download Center, and can
be most easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web
site

Other information:

Acknowledgments

Microsoft thanks Pascal Huijbers and Thomas de Klerk of Info Support for
reporting this issue to us and working with us to protect customers.

Support:

* Microsoft Knowledge Base article Q317138 discusses this issue and will be
available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web
site.
* Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either express
or implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Microsoft Corporation or its suppliers be
liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

* V1.0 (July 24, 2002): Bulletin Created.

Contact Us | E-mail this Page | TechNet Newsletter

© 2002 Microsoft Corporation. All rights reserved. Terms of Use Privacy Statement Accessibility
Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close