TechNet Home >  Security >  Bulletins

   Microsoft Security Bulletin MS02-036
                                                                             [Print] Print

  Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation
  (Q317138)

  Originally posted: July 24, 2002

  Summary

       Who should read this bulletin: System administrators running Microsoft®
       Metadirectory Services 2.2

       Impact of vulnerability: Elevation of privilege.

       Maximum Severity Rating: Moderate

       Recommendation: MMS administrators should apply the patch immediately.

       Affected Software:

          * Microsoft Metadirectory Services 2.2

  Technical details

       Technical description:

       Microsoft Metadirectory Services (MMS) is a centralized metadirectory service
       that provides connectivity, management, and interoperability functions to help
       unify fragmented directory and database environments. It enables enterprises to
       link together disparate data repositories such as Exchange directory, Active
       Directory, third-party directory services, and proprietary databases, for the
       purpose of ensuring that the data in each is consistent, accurate, and can be
       centrally managed

       A flaw exists that could enable an unprivileged user to access and manipulate
       data within MMS that should, by design, only be accessible to MMS
       administrators. Specifically, it is possible for an unprivileged user to connect
       to the MMS data repository via an LDAP client in such a way as to bypass certain
       security checks. This could enable an attacker to modify data within the MMS
       data repository, either for the purpose of changing the MMS configuration or
       replicating bogus data to the other data repositories.

       Mitigating factors:

          * If normal security practices have been followed, the vulnerability could
            not be exploited from the Internet.
          * The vulnerability could only be exploited by an attacker who had
            significant technical expertise at a protocol level. The vulnerability does
            not provide access to MMS itself, but rather to the MMS data repository.
            Determining what data to change – and how to change it – in order to cause
            a desired effect could be quite difficult
          * A successful attack would require a detailed understanding of the specific
            way MMS had been configured, as well as information about all of the other
            directories and database it was being used to manage. It is likely that the
            vulnerability could only be exploited by an attacker who had insider
            knowledge about the enterprise.

       Severity Rating:
                Internet Servers  Intranet Servers Client Systems

        MMS 2.2 Moderate          Moderate         None
       The above assessment is based on the types of systems affected by the
       vulnerability, their typical deployment patterns, and the effect that exploiting
       the vulnerability would have on them. For an attack to succeed, the attacker
       would need to have specific knowledge about the particular MMS configuration and
       have an advanced knowledge of MMS.

       Vulnerability identifier: CVE-CAN-2002-0697

       Tested Versions:
       Microsoft tested MMS 2.2 and MMS 2.2 Service Pack 1 to assess whether they are
       affected by these vulnerabilities. The previous version, MMS 2.1, is no longer
       supported and may or may not be affected by this vulnerability.

  Frequently asked questions

       What’s the scope of the vulnerability?

       This is a privilege elevation vulnerability. An attacker who successfully
       exploited this vulnerability could, under a very daunting set of circumstances,
       gain the ability to modify business-critical data that could then be replicated
       to data repositories throughout an enterprise.

       The vulnerability would likely be quite difficult to exploit. It would require
       great technical sophistication on the part of the attacker, as the vulnerability
       provides only access to low-level data structures. In addition, the attacker
       would almost certainly need insider knowledge of how various databases and
       directories throughout the enterprise were configured and used.

       What causes the vulnerability?

       The vulnerability results because MMS logon credentials are not correctly
       verified when an LDAP client accesses MMS under certain circumstances.

       What is MMS?

       Microsoft Metadirectory Services is a metadirectory service – that is, a
       directory that’s used to manage other directories and data sources. In many
       companies, business-critical data is held in a variety of data sources. For
       instance, a company might have users’ email information stored within the
       Exchange directory, account information stored within Active Directory, and
       personnel information stored within a custom database. MMS provides a way to
       link all of those data sources together, manage them centrally, and ensure that
       the data in them is always synchronized.

       How widely is MMS used?

       MMS is not a commonly deployed system. It typically is deployed only within
       enterprises that have a large number of heterogeneous data sources that require
       integration and centralized management.

       What's wrong with MMS?

       The problem lies in the way MMS regulates access to its data repository. All
       connections to the repository should be checked to ensure that the person making
       the connection has the proper credentials to perform the actions they’re
       performing. However, it’s possible to connect to the repository in an unusual
       way that has the effect of bypassing the check.

       What’s the MMS data repository?

       MMS needs to store two different types of data locally. First, it needs to store
       configuration information for MMS itself, such as administrator userids and
       passwords. Second, depending upon the specific deployment scenario, it may need
       to store data that isn’t found in any of the other directories or databases –
       that is, MMS may need to act as a directory in its own right, and ensure that
       the data in that directory is kept consistent with the data in the other
       directories and databases.

       What could this vulnerability enable an attacker to do?

       The vulnerability could enable an attacker to modify data in the MMS data
       repository. A successful attack could allow the attacker to, for instance, reset
       the MMS administrator password and then subsequently log directly onto MMS as an
       administrator. It also could enable the attacker to create data that would be
       replicated to the other data sources.

       However, exploiting the vulnerability would be quite difficult. Because the
       vulnerability provides access to the underlying data structures rather than MMS
       itself, the attacker would need to possess a great deal of technical knowledge
       about how MMS works at a protocol level. In addition, the specific layout of the
       data repository is unique for every deployment, so the attacker would need
       insider knowledge about the particular MMS deployment.

       Who could exploit the vulnerability?

       The vulnerability could be exploited by an attacker who could create a
       connection to the MMS system, and had both a detailed understanding of how to
       manipulate the MMS data repository at a protocol level and significant
       information about the specific MMS deployment.

       Could the vulnerability be exploited via the Internet?

       If normal firewalling precautions had been observed (specifically, if port 389
       were blocked), users on the Internet would not be able to create a connection,
       and thus could not exploit the vulnerability.

       What does the patch do?

       The patch eliminates the vulnerability by instituting proper credential checking
       against accesses made to the MMS data repository.

  Patch availability

       Download locations for this patch

          * Microsoft Metadirectory Services 2.2 Service Pack 1:
            http://download.microsoft.com/download/mms22/Patch/Q317138/NT5/EN-US/Q317138.EXE

  Additional information about this patch

       Installation platforms:
       This patch can be installed on systems running Microsoft Metadirectory Services
       2.2 Service Pack 1.

       Inclusion in future service packs:
       The fix for this issue will be included in the next version of MMS.

       Reboot needed: Yes

       Superseded patches: None

       Verifying patch installation:

       To verify the patch has been installed, do the following:

          * When the MMS service is running, an icon appears in the system tray --
            double click this icon.
          * On the open MMS Server window select "Help", then "About MMS Server" from
            the toolbar.
          * The About MMS server window will have the version number. If the patch has
            been applied, the version will be "MMS Server Version 2.2 SP1, Build
            2.2(1300.28)" or higher.

       Caveats:
       None

       Localization:
       Microsoft Metadirectory Services is English only, so localized patches are not
       required.

       Obtaining other security patches:
       Patches for other security issues are available from the following locations:

          * Security patches are available from the Microsoft Download Center, and can
            be most easily found by doing a keyword search for "security_patch".
          * Patches for consumer platforms are available from the WindowsUpdate web
            site

  Other information:

       Acknowledgments

       Microsoft thanks  Pascal Huijbers and Thomas de Klerk of Info Support for
       reporting this issue to us and working with us to protect customers.

       Support:

          * Microsoft Knowledge Base article Q317138 discusses this issue and will be
            available approximately 24 hours after the release of this bulletin.
            Knowledge Base articles can be found on the Microsoft Online Support web
            site.
          * Technical support is available from Microsoft Product Support Services.
            There is no charge for support calls associated with security patches.

       Security Resources: The Microsoft TechNet Security Web Site provides additional
       information about security in Microsoft products.

       Disclaimer:
       The information provided in the Microsoft Knowledge Base is provided "as is"
       without warranty of any kind. Microsoft disclaims all warranties, either express
       or implied, including the warranties of merchantability and fitness for a
       particular purpose. In no event shall Microsoft Corporation or its suppliers be
       liable for any damages whatsoever including direct, indirect, incidental,
       consequential, loss of business profits or special damages, even if Microsoft
       Corporation or its suppliers have been advised of the possibility of such
       damages. Some states do not allow the exclusion or limitation of liability for
       consequential or incidental damages so the foregoing limitation may not apply.

       Revisions:

          * V1.0 (July 24, 2002): Bulletin Created.

  Contact Us   |   E-mail this Page   |   TechNet Newsletter

  © 2002 Microsoft Corporation. All rights reserved.     Terms of Use    Privacy Statement    Accessibility