Security Bulletin

Microsoft Security Bulletin MS00-079 - Critical

Patch Available for 'HyperTerminal Buffer Overflow' Vulnerability

Published: October 18, 2000 | Updated: December 16, 2002

Version: 1.0

Originally posted: October 18, 2000
Updated: May 24, 2001

Summary

On October 18, 2000, Microsoft released the original version of this security bulletin, to advise of the availability of a patch that eliminates a security vulnerability in the HyperTerminal application that ships with Microsoft® Windows® 98, Windows 98 Second Edition, Windows Me and Windows 2000. On May 24, 2001, we re-released the bulletin to advise of the availability of a new patch that corrects both this vulnerability and a subsequently discovered variant. The scope of both the original and the new vulnerabilities is the same. Both could, under certain conditions, allow a malicious user to execute arbitrary code on another user's system. This would enable the malicious user to compromise data or take action on the other user's system.

Affected Software:

  • Microsoft Windows 98 and Windows 98SE
  • Microsoft Windows Me
  • Microsoft Windows NT 4.0
  • Microsoft Windows 2000

Vulnerability Identifier: CVE-2000-0991

General Information

Technical details

Technical description:

The HyperTerminal application is a communications utility that installs by default on all versions of Windows 98, 98SE, Windows ME, Windows NT 4.0, and Windows 2000. The product contains two unchecked buffers through which an attacker could potentially cause code of her choice to run on another user's machine:

  • One resides in a section of the code that processes Telnet URLs. If a user opened an HTML mail that contained a particular type of malformed Telnet URL, and HyperTerminal were configured as the default Telnet client, it would trigger the buffer overrun. HyperTerminal is the default Telnet client on Windows 98, 98SE and ME. It is not the default Telnet client on Windows 2000.
  • The other resides in a section of the code that processes session files - files that enable HyperTerminal users to specify session parameters such as the connection method and the destination host. If a user opened a session file that contained a particular type of malformed information, it would trigger the buffer overrun.

Although HyperTerminal ships as part of several Microsoft products, it was developed by a third party. Additional information on the vulnerability and a patch for their full version product, HyperTerminal Private Edition, is available from their web site at www.hilgraeve.com

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-079 announces the availability of a patch that eliminates a vulnerability in the versions of HyperTerminal that ship with Microsoft® Windows® 98, 98SE, Windows Me, and Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

Why was this bulletin re-released?
After the original release of this bulletin, we discovered a problem with the original patch and retracted it for rework. While the rework was underway, we learned of an additional vulnerability affecting HyperTerminal. We therefore added the fix for the new vulnerability to the patch.

What is HyperTerminal?
HyperTerminal is a program that you can use to connect to other computers, Internet telnet sites, bulletin board systems (BBSs), online services, and host computers, using either your modem or your network card. Although HyperTerminal ships as part of several Microsoft products, it was developed by a third party. Additional information on the vulnerability and a patch for their full version product, HyperTerminal Private Edition, is available from their web site at www.hilgraeve.com

What are the two vulnerabilities eliminated by the patch?
The patch eliminates two vulnerabilities affecting HyperTerminal:

  • The vulnerability that was discussed in the original version of the bulletin
  • A new vulnerability that was discovered after releasing the original version of the bulletin

What's the scope of the original vulnerability?
If a user opened an HTML mail that contained a particularly malformed Telnet URL, it could enable the creator of the mail to cause arbitrary code to run on the user's system. This would enable the attacker to take any action on the user's computer that the user himself could take, such as creating, deleting or changing data, communicating with web sites, or reformatting the hard drive. HyperTerminal is the default Telnet client on Windows 95, 98 and Me. However, it is not the default Telnet client on Windows 2000, and Windows 2000 users who have not taken steps to make it the default Telnet client would not be affected by the vulnerability.

What causes the vulnerability?
A buffer overflow exists in the HyperTerminal application. A specially formed telnet URL could allow arbitrary code to be executed on the user's system. The creator of the malicious email containing the specially formed telnet URL would need to entice users into opening the HTML email in order for the overflow to occur.

HyperTerminal also ships with Windows NT 4.0. Is that version vulnerable to this vulnerability?
The HyperTerminal client that ships with Windows NT 4.0 does not include a TCP/IP connection method. As such, the NT4 HyperTerminal client cannot be set up as the default telnet client, and would not launch in response to a supplied Telnet URL.

How do I register HyperTerminal as my default Telnet client on Windows 2000?
HyperTerminal will automatically register itself as the default telnet client the first time that the HyperTerminal application is launched. Once registered as the default telnet client, invoking a telnet URL (via browser or HTML email) will launch the HyperTerminal application.

How can I un-register the HyperTerminal client on Windows 2000 once it's been set as the default telnet client?
The default telnet client is referenced in the registry key below. In this example, it shows that HyperTerminal is the default client: HKEY_Classes_Root/telnet/shell/open command:REG_SZ: C:\Program Files\Windows NT\hypertrm.exe /t %1 (where C:\ is the systemdrive.) To revert back to the command line client, set the open key to the following value: command:REG_SZ: rundll32.exe url.dll,TelnetProtocolHandler %1

Is the built-in telnet client vulnerable?
The default telnet client for Windows 2000 is the command-line client "telnet.exe". The command-line client is not affected by this vulnerability.

What's the scope of the new vulnerability?
Like the original vulnerability, the new one could enable an attacker to run code on another user's machine. However, the exploit scenario for this vulnerability would be more challenging. The attacker would need to not only deliver a specially modified file to another user, she also would need to convince him to open it. There is no capability to cause the file to automatically open.

What causes the vulnerability?
The vulnerability results because the part of the software that reads session files doesn't properly check the lengths of the data strings it reads in. By creating a session file that contains specially malformed data and persuading another user to open it, the attacker could cause code of her choice to run on the user's machine.

What's a session file?
A session file captures all of the parameters associated with a particular HyperTerminal session - for instance, the communications parameters, destination host, and so forth. By opening a session file, a user can automatically set all the HyperTerminal parameters to those specified in the file.

What's wrong with the way HyperTerminal handles session files?
HyperTerminal doesn't correctly check the lengths of the inputs as it reads them from a session file. This renders it susceptible to a buffer overrun attack.

What could an attacker use this vulnerability to do?
If an attacker created a session file containing specially malformed data, she could cause a buffer overrun to occur in HyperTerminal when it attempted to process the file. This would give her the ability to run code on the user's machine. Such code could do anything the user himself could do.

Could the attacker force the session file to open automatically?
No. This is a significant restriction on the scope of the vulnerability. Even after creating the file and delivering it to the user, the attacker still would need to rely on social engineering in order to persuade the user to actually open it. The attack could not force it to open without the user's approval.

How does the patch eliminate these two vulnerabilities?
The patch eliminates the vulnerability by enforcing proper buffer checking throughout HyperTerminal.

How do I use the patch?
Knowledge Base articles Q274548 (Windows 98/ME) and Q276471 (Windows 2000) contain detailed instructions for applying the patch to your site

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
The Knowledge Base articles Q274548 (Windows 98/ME) and Q276471 (Windows 2000) provide a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued Knowledge Base articles explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Servicescan provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

  • Microsoft Knowledge Base articles Q274548 (Windows 98, ME) and Q276471 (Windows 2000) discuss this issue.

Other information:

Acknowledgments

Microsoft thanks Luciano Martins of USSR Labs (www.ussrback.com) for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at </https:>https:.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • October 18, 2000: Bulletin created.
  • May 24, 2001: Bulletin revised to advise of new variant of the vulnerability.
  • August 30, 2001: Bulletin revised to advise of the availability of a patch for Windows NT 4.0
  • December 16, 2002: Update to Patch Availability section.

Built at 2014-04-18T13:49:36Z-07:00 </https:>