Microsoft Security Bulletin MS00-087

Technical description:

An unchecked buffer in the Terminal Server login prompt could allow a malicious user to cause the Terminal Server to execute arbitrary code. The ability to execute arbitrary code would enable the malicious user to add, change, or delete data, run code already on the server, or upload new code to the server and run it. The malicious user would not need to successfully login to the Terminal Server in order to initiate this attack.

This vulnerability could be exploited remotely if connection requests are not filtered. By default, Terminal Server listens on tcp port 3389. This port should be blocked at the firewall and/or router if Terminal Server access from the Internet is not required.

What's this bulletin about?
Microsoft Security Bulletin MS00-087 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0 Terminal Server. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a buffer overflow vulnerability. A malicious user could exploit the vulnerability to execute code of his choice on the Terminal Server. This would enable him to add, change, or delete data, run code already on the server, or upload new code to the server and run it.
Failing successful execution of the buffer overflow, a malicious user with local access to the Terminal Server could leverage this vulnerability to cause the Terminal Server to fail. Current connections to the Terminal Server, and work in progress on the Terminal Server would be lost of the Terminal Server were to fail.
The vulnerability affects only NT 4.0 Terminal Servers. There is no corresponding vulnerability in Windows NT Workstation, or in non-Terminal Server editions of Windows NT 4.0 Server. This vulnerability is not present in Terminal Server for Windows 2000.

What causes the vulnerability?
There is an unchecked buffer in the section of the code in Windows NT 4.0 Terminal Server that handles the user name when the user logs onto the server. This unchecked buffer could be exploited via a classic buffer overrun attack to run arbitrary code on the machine.

How can the buffer overrun be used to exploit my system?
A buffer overrun occurs when a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to fail.

Where is the unchecked buffer in this case?
The unchecked buffer is contained in the username field of the login prompt.

Would it be necessary for the malicious user to be able to log onto the network in order to exploit this vulnerability?
No. The malicious user would not need to successfully login to the Terminal Server to execute code of his choice.

What could the malicious user's code do?
The malicious user's code could take any action on the server that a logged on administrator could perform. This includes adding, deleting, and modifying files, executing code on the server, or uploading code of the malicious user's choice to the server.

You said that, in general, buffer overruns can be used either to cause a crash, or run code. But you haven't discussed the former case. Is it possible to cause a terminal server to crash via this vulnerability?
Yes. However, there are some important considerations that make this scenario largely irrelevant. If the malicious user overran the buffer with random data, the effect would depend on how he was accessing the server. If he exploited the vulnerability via a remote session, the effect would be to disconnect the session - so he couldn't cause any harm to the system. If he exploited the vulnerability via a local login, it would cause the server to fail. But if he could log on locally, it's likely that the malicious user could have just as easily turned off the power button.

Could someone attack my network from the Internet via this vulnerability?
A properly-configured firewall - one that prevents an outside user from delivering packets to a specific internal network address (tcp 3389 in this instance) - would prevent this vulnerability from being exploited by an Internet user.

Does this vulnerability affect Windows 2000 terminal servers?
No. This vulnerability is not present in Windows 2000 Terminal Server.

Does this vulnerability affect any Windows NT 4.0 system other than Terminal Server Edition?
No. This vulnerability does not affect Windows NT 4.0 systems that are not running Terminal Server.

What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
Customers may also wish to consider other security best practices such as:

• Deploying a high-quality intrusion detection software package that will detect and stop attacks that exploit known security vulnerabilities.
• Deploying a firewall and filtering unnecessary traffic. For example, system administrators may wish to filter TCP port 3389, and only allow traffic on that port from IP addresses that are known to have a legitimate need to set up Terminal Server sessions.

Who should use the patch?
Microsoft recommends that customers running Windows NT 4.0 Terminal Server consider installing the patch.

What does the patch do?
The patch eliminates the vulnerability by properly handling the login credentials presented during Terminal Server login.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

• Microsoft Windows NT 4.0 Terminal Server:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=74C3848B-8B3A-4151-B79D-F8FE3A2AE3AB&displaylang=en