Multiple Vulnerabilities in Microsoft Windows 2000 Telnet

Seven different vulnerabilities exist in the version of Telnet that Microsoft ships with Windows 2000.

Ken Pfeil

June 7, 2001

Reported June 08, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Windows 2000, all versions

 

DESCRIPTION
Seven different vulnerabilities exist in the version of Telnet that Microsoft ships with Windows 2000. Two of these vulnerabilities relate to the way that Telnet handles the sessions that a user creates, and escalate the user's privilege. When a user establishes a new Telnet session, the service creates a named pipe, running any code that the operating system associates with the session as part of the initialization process. Because the pipe’s name is predictable, Telnet knows to look for an existing pipe with that name. A potential attacker who has the ability to load and run code on the server can create the pipe and associate a program with it. The Telnet service would run the attacker's code in Local System context when the service establishes the next session.
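
The session-pipe flaw above is a case of a privileged service trusting an object that already exists at a predictable name. The following is an added example, not code from Microsoft or from the original article; it generalizes the pattern using POSIX FIFOs as a stand-in for Windows named pipes, and the function names, the `session-1` name, and the temporary directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern: reuse whatever already exists at the predictable name.
 * Returns an open fd, or -1 on error. */
int session_pipe_naive(const char *path) {
    if (mkfifo(path, 0600) != 0 && errno != EEXIST) return -1;
    return open(path, O_RDWR | O_NONBLOCK);  /* may be an object someone else created */
}

/* Hardened pattern: creation must be exclusive, then the opened object is verified.
 * Returns an open fd, or -1 if the name was already taken or a check fails. */
int session_pipe_strict(const char *path) {
    struct stat st;
    int fd;
    if (mkfifo(path, 0600) != 0) return -1;  /* EEXIST: name already in use, refuse */
    fd = open(path, O_RDWR | O_NONBLOCK | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode) || st.st_uid != geteuid())) {
        close(fd); fd = -1;
    }
    return fd;
}

/* Constructed scenario: optionally pre-create the pipe, as an earlier local process
 * could, then run one routine. Returns 1 if the service got a pipe, 0 if it refused. */
int run_case(int preexisting, int strict) {
    char dir[] = "/tmp/pipe-demo-XXXXXX", path[64];
    int fd, got;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/session-1", dir);  /* predictable name (assumed) */
    if (preexisting) mkfifo(path, 0666);
    fd = strict ? session_pipe_strict(path) : session_pipe_naive(path);
    got = fd >= 0;
    if (fd >= 0) close(fd);
    unlink(path); rmdir(dir);
    return got;
}

int main(void) {
    printf("naive,  pre-existing pipe: %s\n", run_case(1, 0) ? "used it" : "refused");
    printf("strict, pre-existing pipe: %s\n", run_case(1, 1) ? "used it" : "refused");
    printf("strict, clean namespace:   %s\n", run_case(0, 1) ? "created own" : "refused");
    return 0;
}
```

On Windows, the counterpart of the exclusive-create check is passing `FILE_FLAG_FIRST_PIPE_INSTANCE` to `CreateNamedPipe`, which makes creation fail if an instance of that pipe name already exists.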

 

Four of these vulnerabilities let an attacker create Denial of Service (DoS) attacks and are completely different in scope from each other.

  • The first type of attack prevents Telnet from terminating idle sessions. An attacker can create a number of idle sessions that deny access to any other user.
  • When Telnet terminates a session in a certain way, a handle leak occurs. By repeatedly starting sessions and killing them, an attacker can deplete the supply of handles on the server and prevent users from establishing new sessions.
  • A malformed logon command can cause an access violation in the Telnet service.
  • A malicious attacker can make a system call by using typical user privileges and terminating a Telnet session.

The seventh vulnerability involves information disclosure that makes it easier for an attacker to enumerate Guest accounts exposed by using the Telnet server. It's similar in scope to the FTP vulnerability that MS01-026 discloses.

VENDOR RESPONSE

The vendor, Microsoft, acknowledges these vulnerabilities and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-031. For Windows 2000 Datacenter Server users, the patches are hardware specific, and users should contact the original equipment manufacturer.

CREDIT
Discovered by Guardent, Peter Gründl, Richard Reiner, and Bindview’s Razor team.
