Microsoft Security Bulletin MS02-029

Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)

Originally posted: June 12, 2002
Updated: July 2, 2002 (Version 2.0)

Summary

Who should read this bulletin: Customers using Microsoft« Windows NT«, Windows« 2000 and Windows XP.
Impact of vulnerability: Local privilege elevation.
Maximum Severity Rating: Critical
Recommendation: Administrators should apply the patch to immediately to machines that allow unprivileged users to log onto them interactively such as workstations and Terminal Servers.
Affected Software:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Routing and Remote Access Server, which can be installed on Windows NT 4.0 Service Pack 6 or NT 4.0 Terminal Server Edition Service Pack 6.

Technical details

Technical description:

On June 12, 2002, Microsoft released the original version of this bulletin. On July 2, 2002, the bulletin was updated to reflect the availability of a revised patch. Although the original patch completely eliminated the vulnerability, it had the side effect of preventing non-administrative users from making VPN connections in some cases. The revised patch correctly handles VPN connections. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate.
The Remote Access Service (RAS) provides dial-up connections between computers and networks over phone lines. RAS is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, and also is included in a separately downloadable Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these implementations include a RAS phonebook, which is used to store information about telephone numbers, security, and network settings used to dial-up remote systems.
A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system.
Mitigating factors:

The vulnerability could only be exploited by an attacker who had the appropriate credentials to log onto an affected system.
Best practices suggests that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Severity Rating:

Internet Servers Intranet Servers Client Systems

Windows NT 4.0 Low Low Moderate

Windows NT 4.0 Routing and Remote Access Server Low Low Moderate

Windows NT 4 Terminal Server Edition Low Critical None

Windows NT 4 Terminal Server Edition, Routing and Remote Access Server Low Critical None

Windows 2000 Low Critical Moderate

Windows XP Low Low Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The attacker must have credentials to logon to the computer where the RAS phonebook is held.
Vulnerability identifier: CAN-2002-0366
Tested Versions:
Microsoft tested Windows NT4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why was this bulletin updated?

On July 2, 2002, we updated this bulletin to advise customers of the availability of a revised patch. The original patch completely eliminate the vulnerability, but it also introduced a bug that could have the effect of requiring administrative privileges in order to establish a Virtual Private Network (VPN) connection.
Microsoft has updated the patch to eliminate the bug. Customers who applied the original patch should consider applying the new one if the bug described above affects them. Customers who did not apply the original patch should apply the new one. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate.
WhatÆs the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over the machine, thereby gaining the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group.
The vulnerability could only be exploited by an attacker who had credentials to log onto the computer where the RAS phonebook is held. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers; if this guidance has been followed, such servers would not be at risk from this vulnerability.

What causes the vulnerability?

The vulnerability results because of an unchecked buffer in the Remote Access Service Phonebook. By creating a specially malformed phonebook entry, it could be possible to conduct a buffer overrun attack against an affected system.

What is the Remote Access Service?

The Remote Access Service lets users connect to a remote computer over phone lines, so they can work as if their system were physically connected to the remote network. These services enable remote users to do activities such as send and receive e-mail, fax documents, retrieve files, and print documents on an office printer.
The Remote Access Service is a native service in Windows NT 4.0, Windows 2000 and XP. In addition, a separately downloadable Routing and Remote Access Service (RRAS, also known as Steelhead) is available for Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition, and it also includes a RAS implementation.

What is the Remote Access Service Phonebook?

The RAS phonebook is used to keep information that describes sites that can be connected to using dial-up networking via RAS. A phonebook entry contains information about the dial-up phone number, security, and network settings.
For example, if we were to create a phonebook entry for ôOffice computerö, we might say that the phone number for the remote computer is ô555-1837ö, and that the PPP protocol should be used to dial the computer. We might also specify the TCP/IP address for our computer and that the default gateway should be used.

WhatÆs wrong with the RAS phonebook?

There is an unchecked buffer in the code that reads the RAS phonebook entries.

What would this vulnerability enable an attacker to do?

The attacker could use this vulnerability for either of two purposes:

Privilege elevation on the system. By overrunning the buffer with carefully selected data, it would be possible for the attacker to run code in the context of the LocalSystem account, that is, as the operating system itself.
Denial of service. By overrunning the buffer with random data, the attacker could cause services or the server itself to fail.

How might an attacker exploit the vulnerability?

The attacker could logon to the computer that holds the RAS phonebook and then modify an entry in the phonebook with specially malformed data. The attacker could then logout, and logon using the modified dial-up entry. The RAS system would read the modified dial-up entry from the phonebook and the malformed data would be used.
Alternately, the attacker could modify and existing phonebook entry and then wait for another user to attempt to connect to a remote computer using the modified dial-up entry.

Who could exploit the vulnerability?

Anyone who could log onto the system interactively. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If best practices are followed, then it is workstations and terminal servers that would chiefly be at risk.

I use Windows NT 4.0, and I see that there are two patches for it. Which should I apply?

If you have installed RRAS on Windows NT 4.0 you should apply the RRAS version of this fix. If you haven't applied RRAS on Windows NT 4.0 then you should apply the standard RAS fix. The same is true for RRAS on Windows NT 4.0 Terminal Server Edition.

I donÆt know whether RRAS is installed on my system. How can I tell?

To see if RRAS is installed on Windows NT 4.0, go to Network Neighborhood and select the Services tab from Properties. If the ôRouting and Remote Access Serviceö is listed then RRAS has been installed.

What does the patch do?

The patch eliminates the vulnerability by instituting proper input checking on the RAS phonebook entries.

Patch availability

Download locations for this patch

Microsoft Windows NT 4.0:
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp
Microsoft Windows NT 4.0 running RRAS (English Only):
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp
Microsoft Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp
Microsoft Windows NT 4.0 Terminal Server Edition running RRAS (English Only):
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp
Microsoft Windows 2000:
http://www.microsoft.com/windows2000/downloads/security/q318138/default.asp
Microsoft Windows XP:
http://www.microsoft.com/downloads/release.asp?ReleaseID=38833
Microsoft Windows XP 64-bit Edition:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39011

Additional information about this patch

Installation platforms:

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
The Windows Routing and Remote Access Server patch can be installed on systems running Windows NT 4.0 Service Pack 6a (English only).
The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 Terminal Server Edition Service Pack 6.
The Windows NT 4.0 Terminal Server Edition, Routing and Remote Access Server patch can be installed on systems running Windows NT 4.0 Terminal Server Edition Service Pack 6.
The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2.
The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 3.
The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes
Superseded patches: None.
Verifying patch installation:
Windows NT 4.0 Service Pack 6a:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138
To verify the individual files, consult the file manifest in Knowledge Base article Q318138.

Windows NT 4.0 Terminal Server Edition Service Pack 6:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138
To verify the individual files, consult the file manifest in Knowledge Base article Q318138.

Windows 2000 Service Pack 2:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138
To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138\Filelist

Windows XP:

To verify that the patch has been installed, confirm that the following registry key has been created on the machine:
HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138
To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138\Filelist

Caveats:
None
Localization:
Localized versions of this patch are currently available at the locations listed above in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments
Microsoft thanks Mark Litchfield of Next Generation Security Software Ltd. for reporting this issue to us and working with us to protect customers.
Support:

Microsoft Knowledge Base article Q318138 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:

V1.0 (June 12, 2002): Bulletin Created.
V1.1 (June 20, 2002): Caveats section updated to include information regarding an issue with the patch and VPN connections.
V1.2 (July 1, 2002): Caveats section updated to clarify that the patch has been removed from WindowsUpdate.
V2.0 (July 2, 2002): Updated with revised patch that correctly handles VPN connections.