Multiple Vulnerabilities in Microsoft Windows 2000 Telnet
Seven different vulnerabilities exist in the version of Telnet that Microsoft ships with Windows 2000.
June 7, 2001
Reported June 08, 2001, byMicrosoft.
VERSIONS AFFECTED
Microsoft Windows 2000, all versions
DESCRIPTION
Sevendifferent vulnerabilities exist in the version of Telnet that Microsoft shipswith Windows 2000. Two of these vulnerabilities relate to the way that Telnethandles the sessions that a user creates, and escalate the user's privilege.When a user establishes a new Telnet session, the service creates a named pipe,running any code that the Operating System associates with the session as partof the initialization process. Because the pipe’s name is predictable, Telnetknows to look for an existing pipe with that name. A potential attacker who hasthe ability to load and run code on the server can create the pipe and associatea program with it. The Telnet service would run the attacker's code in LocalSystem context when the service establishes the next session.
Four of these vulnerabilities let an attacker createDenial of Service (DoS) attacks and are completely different in scope from eachother.
· The first type of attack prevents Telnet from terminatingidle sessions. An attacker can create a number of idle sessions that deny accessto any other user.
· When Telnet terminates a session in a certain way, a handleleak occurs. By repeatedly starting sessions and killing them, an attacker candeplete the supply of handles on the server and prevent users from establishingnew sessions.
· A malformed logon command can cause an access violation inthe Telnet service.
· A malicious attacker can make a system call by usingtypical user privileges and terminating a Telnet session.
The seventh vulnerability involves informationdisclosure that makes it easier for an attacker to enumerate Guest accountsexposed by using the Telnet server. It's similar in scope to the FTPvulnerability that MS01-026discloses.
VENDOR RESPONSE
Thevendor, Microsoft, acknowledges these vulnerabilities and recommends that usersimmediately apply the patchmentioned in Security Bulletin MS01-031.For Windows 2000 Datacenter Server users, the patches are hardware specific, andusers should contact the original equipment manufacturer.
CREDIT
Discoveredby Guardent, PeterGründl, Richard Reinerand Bindview’s Razor team.
Read more about:
MicrosoftAbout the Author
You May Also Like