Microsoft Security Bulletin MS02-029

Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)

Originally posted: June 12, 2002
Updated: February 28th, 2003

Summary

Who should read this bulletin:
Customers using Microsoft® Windows NT®, Windows® 2000 and Windows XP.

Impact of vulnerability:
Local privilege elevation.

Maximum Severity Rating:
Critical

Recommendation:
Administrators should apply the patch to immediately to machines that allow unprivileged users to log onto them interactively such as workstations and Terminal Servers.

Affected Software:

Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Routing and Remote Access Server, which can be installed on Windows NT 4.0 Service Pack 6 or NT 4.0 Terminal Server Edition Service Pack 6.

General Information

Technical details

Technical description:

On June 12, 2002, Microsoft released the original version of this bulletin. On July 2, 2002, the bulletin was updated to reflect the availability of a revised patch. Although the original patch completely eliminated the vulnerability, it had the side effect of preventing non-administrative users from making VPN connections in some cases. The revised patch correctly handles VPN connections. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate.

The Remote Access Service (RAS) provides dial-up connections between computers and networks over phone lines. RAS is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, and also is included in a separately downloadable Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these implementations include a RAS phonebook, which is used to store information about telephone numbers, security, and network settings used to dial-up remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system.

Mitigating factors:

The vulnerability could only be exploited by an attacker who had the appropriate credentials to log onto an affected system.
Best practices suggests that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.

Severity Rating:

	Internet Servers	Intranet Servers	Client Systems
Windows NT 4.0	Low	Low	Moderate
Windows NT 4.0 Routing and Remote Access Server	Low	Low	Moderate
Windows NT 4 Terminal Server Edition	Low	Critical	None
Windows NT 4 Terminal Server Edition, Routing and Remote Access Server	Low	Critical	None
Windows 2000	Low	Critical	Moderate
Windows XP	Low	Low	Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The attacker must have credentials to logon to the computer where the RAS phonebook is held.

Vulnerability identifier: CAN-2002-0366

Tested Versions:

Microsoft tested Windows NT4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why was this bulletin updated?
On July 2, 2002, we updated this bulletin to advise customers of the availability of a revised patch. The original patch completely eliminate the vulnerability, but it also introduced a bug that could have the effect of requiring administrative privileges in order to establish a Virtual Private Network (VPN) connection.
Microsoft has updated the patch to eliminate the bug. Customers who applied the original patch should consider applying the new one if the bug described above affects them. Customers who did not apply the original patch should apply the new one. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate.

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over the machine, thereby gaining the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group.
The vulnerability could only be exploited by an attacker who had credentials to log onto the computer where the RAS phonebook is held. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers; if this guidance has been followed, such servers would not be at risk from this vulnerability.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Remote Access Service Phonebook. By creating a specially malformed phonebook entry, it could be possible to conduct a buffer overrun attack against an affected system.

What is the Remote Access Service?
The Remote Access Service lets users connect to a remote computer over phone lines, so they can work as if their system were physically connected to the remote network. These services enable remote users to do activities such as send and receive e-mail, fax documents, retrieve files, and print documents on an office printer.
The Remote Access Service is a native service in Windows NT 4.0, Windows 2000 and XP. In addition, a separately downloadable Routing and Remote Access Service (RRAS, also known as Steelhead) is available for Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition, and it also includes a RAS implementation.

What is the Remote Access Service Phonebook?
The RAS phonebook is used to keep information that describes sites that can be connected to using dial-up networking via RAS. A phonebook entry contains information about the dial-up phone number, security, and network settings.
For example, if we were to create a phonebook entry for "Office computer", we might say that the phone number for the remote computer is "555-1837", and that the PPP protocol should be used to dial the computer. We might also specify the TCP/IP address for our computer and that the default gateway should be used.

What's wrong with the RAS phonebook?
There is an unchecked buffer in the code that reads the RAS phonebook entries.

What would this vulnerability enable an attacker to do?
The attacker could use this vulnerability for either of two purposes:

Privilege elevation on the system. By overrunning the buffer with carefully selected data, it would be possible for the attacker to run code in the context of the LocalSystem account, that is, as the operating system itself.
Denial of service. By overrunning the buffer with random data, the attacker could cause services or the server itself to fail.

How might an attacker exploit the vulnerability?
The attacker could logon to the computer that holds the RAS phonebook and then modify an entry in the phonebook with specially malformed data. The attacker could then logout, and logon using the modified dial-up entry. The RAS system would read the modified dial-up entry from the phonebook and the malformed data would be used.
Alternately, the attacker could modify and existing phonebook entry and then wait for another user to attempt to connect to a remote computer using the modified dial-up entry.

Who could exploit the vulnerability?
Anyone who could log onto the system interactively. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If best practices are followed, then it is workstations and terminal servers that would chiefly be at risk.

I use Windows NT 4.0, and I see that there are two patches for it. Which should I apply?
If you have installed RRAS on Windows NT 4.0 you should apply the RRAS version of this fix. If you haven't applied RRAS on Windows NT 4.0 then you should apply the standard RAS fix. The same is true for RRAS on Windows NT 4.0 Terminal Server Edition.

I don't know whether RRAS is installed on my system. How can I tell?
To see if RRAS is installed on Windows NT 4.0, go to Network Neighborhood and select the Services tab from Properties. If the "Routing and Remote Access Service" is listed then RRAS has been installed.

What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking on the RAS phonebook entries.

Patch availability

Other information:

Acknowledgments

Microsoft thanks Mark Litchfield of Next Generation Security Software Ltd. for reporting this issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article Q318138 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (June 12, 2002): Bulletin Created.
V1.1 (June 20, 2002): Caveats section updated to include information regarding an issue with the patch and VPN connections.
V1.2 (July 1, 2002): Caveats section updated to clarify that the patch has been removed from WindowsUpdate.
V2.0 (July 2, 2002): Updated with revised patch that correctly handles VPN connections.
V2.1 (February 28, 2003): Updated download links to Windows Update.