securityvulns SECURITYVULNS:DOC:3070
Jun 13, 2002 - 12:00 a.m.

Security Bulletin MS02-029: Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)

vulners.com

Title: Unchecked Buffer in Remote Access Service Phonebook Could
Lead to Code Execution (Q318138)
Date: 12 June 2002
Software: Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP,
Routing and Remote Access Server (RRAS)
Impact: Local Privilege Escalation
Max Risk: Critical
Bulletin: MS02-029

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp.


Issue:

The Remote Access Service (RAS) provides dial-up connections between
computers and networks over phone lines. RAS is delivered as a native
system service in Windows NT 4.0, Windows 2000 and Windows XP, and
also is included in a separately downloadable Routing and Remote
Access Server (RRAS) for Windows NT 4.0. All of these implementations
include a RAS phonebook, which is used to store information about
telephone numbers, security, and network settings used to dial up
remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value
is not properly checked, and is susceptible to a buffer overrun. The
overrun could be exploited for either of two purposes: causing a
system failure, or running code on the system with LocalSystem
privileges. If an attacker were able to log onto an affected server
and modify a phonebook entry using specially malformed data, then
made a connection using the modified phonebook entry, the specially
malformed data could be run as code by the system.
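
The kind of check the bulletin describes as missing, shown as an added example (not Microsoft's code and not part of the original bulletin): a phonebook value is measured against the destination buffer before anything is copied. The bulletin does not say which value is affected; the `key=value` line layout, the `PhoneNumber` key, the 128-byte limit and all function names here are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PBK_VALUE_MAX 128  /* assumed limit, not taken from the bulletin */

enum pbk_status { PBK_OK = 0, PBK_NO_MATCH = -1, PBK_TOO_LONG = -2, PBK_BAD_ARG = -3 };

/* Copy the value of "key=value" from one phonebook line into out.
 * The length is checked against the destination before any byte is
 * written, so an oversized value is rejected instead of overrunning. */
enum pbk_status pbk_get_value(const char *line, const char *key,
                              char *out, size_t outsz)
{
    if (!line || !key || !out || outsz == 0)
        return PBK_BAD_ARG;
    out[0] = '\0';

    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != '=')
        return PBK_NO_MATCH;

    const char *val = line + klen + 1;
    size_t vlen = strcspn(val, "\r\n");   /* value ends at end of line */
    if (vlen >= outsz)                    /* need room for the NUL too */
        return PBK_TOO_LONG;

    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return PBK_OK;
}

int main(void)
{
    /* Constructed sample lines, not from a real phonebook file. */
    char big[PBK_VALUE_MAX * 4];
    char out[PBK_VALUE_MAX];
    strcpy(big, "PhoneNumber=");
    memset(big + 12, '5', sizeof big - 13);
    big[sizeof big - 1] = '\0';

    printf("normal: %d\n", pbk_get_value("PhoneNumber=555-0100\r\n", "PhoneNumber", out, sizeof out));
    printf("oversized: %d\n", pbk_get_value(big, "PhoneNumber", out, sizeof out));
    return 0;
}
```

Rejecting the entry outright, rather than truncating it, keeps a tampered phonebook value from being used for a connection at all.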

Mitigating Factors:

  • The vulnerability could only be exploited by an attacker who had
    the appropriate credentials to log onto an affected system.

  • Best practices suggest that unprivileged users not be allowed to
    interactively log onto business-critical servers. If this
    recommendation has been followed, machines such as domain
    controllers, ERP servers, print and file servers, database
    servers, and others would not be at risk from this vulnerability.

Risk Rating:

  • Internet systems: Low
  • Intranet systems: Critical
  • Client systems: Moderate

Patch Availability:

Acknowledgment:


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.