Microsoft Security Bulletin MS01-003

Technical description:

Like all other objects under Windows NT 4.0, mutexes - synchronization objects that govern access to resources - have permissions associated with them, that govern how they can be accessed. However, a particular mutex used to govern access to a networking resource has inappropriately loose permissions. This could enable an attacker who had the ability to run code on a local machine to monopolize the mutex, thereby preventing any other processes from using the resource that it controlled. This would have the effect of preventing the machine from participating in the network.

The attacker would require interactive logon access to the affected machine. This significantly limits the scope of the vulnerability because, if normal security recommendations have been followed, unprivileged users will not be granted interactive logon rights to critical machines like servers. Unprivileged users typically are granted interactive logon rights to workstations and terminal servers. However, a workstation would not be a tempting target for an attacker, because he could only use this vulnerability to deny service to himself. The machines most likely to be affected would be Terminal Servers.

Mitigating factors:

• Attacker would need to have interactive logon rights in order to exploit a server. However, best practices recommend against granting this permission on security-critical servers.

Vulnerability identifier: CAN-2001-0006 

Tested Versions:

Microsoft tested Windows 2000 and Windows NT 4.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who could log onto a machine interactively could use this vulnerability to make it stop responding to network traffic. This would not cause the machine to fail, but it would prevent it from communicating with other machines.
Security best practices strongly recommend against ever allowing unprivileged users to interactively log onto critical servers like domain controllers, print and file servers, ERP servers, database servers, and so forth. If these recommendations have been followed, this vulnerability would pose a risk only to workstations and terminal servers.

What causes the vulnerability?
The vulnerability results because a networking mutex has inappropriate permissions. An attacker could write a program that could gain control of the mutex and deny access to it. This would prevent any other processes from being able to perform networking operations, essentially isolating the machine from the network.

What is a mutex?
A mutex is a synchronization object used to prevent more than one process from accessing certain resources at the same time. Multiprocessing operating systems like Windows NT 4.0 allow multiple programs to run at the same time. However, even so, there are certain resources that can only be used by one program at a time. Mutexes are used to help control access to resources like these.

What's the problem with mutexes in Windows NT 4.0?
There's no problem with mutexes in general. However, mutexes, like all objects in Windows NT 4.0, have permissions that regulate how and by whom they can be accessed. The mutex involved in this vulnerability has inappropriate permissions. By design, this mutex should only be accessible by programs with administrator or system privileges; however, in reality, everyone can access it. As a result, an attacker could write a program that waits its turn for the mutex and change its permissions allowing no access. If this happened, no other program could use the resource.

What's the resource that the mutex governs?
The particular mutex in this case regulates access to a networking resource. By denying access to the mutex, the attacker's program could prevent any other programs from using the networking functions in Windows NT 4.0.

What would be the result?
The machine would stop communicating with other machines on the network, because no other programs would be able to use the networking resources. The operator would need to reboot the machine to restore normal operation.

Could this vulnerability be exploited remotely?
No. The attacker's program would need to run locally on the machine. This means that the attacker would need the ability to log onto the machine interactively and start his program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as servers, and would as a result be unable to attack them.

What machines are at greatest risk from this vulnerability?
Typically, unprivileged users are only allowed to log onto workstations and terminal servers interactively. It would do little good for an attacker to attack a workstation via this vulnerability, because he would only succeed in denying service to himself. However, if he attacked a terminal server via this vulnerability, he could render the server useless until it was rebooted.

What does the patch do?
The patch eliminates the vulnerability by correcting the permissions on the affected mutex.

Download locations for this patch

• Windows NT 4.0:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=09269636-F399-41CA-A3B4-A32F97053B2F&displaylang=en

• Windows NT 4.0, Terminal Server Edition:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=F8AE733B-DB34-41A0-B534-190BD8E55A86&displaylang=en