What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited it could, under a demanding set of circumstances, gain the ability to modify business-critical data that could then be replicated to data repositories throughout an enterprise.
The vulnerability would likely be quite difficult to exploit. It would require great technical sophistication on the part of the attacker, because the vulnerability provides access only to low-level data structures, not to the MMS administrative interface. In addition, the attacker would almost certainly need insider knowledge of how the various databases and directories throughout the enterprise were configured and used.
What causes the vulnerability?
The vulnerability exists because MMS does not correctly verify logon credentials when an LDAP client accesses the MMS data repository under certain circumstances.
What is MMS?
Microsoft Metadirectory Services is a metadirectory service - that is, a directory that's used to manage other directories and data sources. In many companies, business-critical data is held in a variety of data sources. For instance, a company might have users' email information stored within the Exchange directory, account information stored within Active Directory, and personnel information stored within a custom database. MMS provides a way to link all of those data sources together, manage them centrally, and ensure that the data in them is always synchronized.
How widely is MMS used?
MMS is not a commonly deployed system. It typically is deployed only within enterprises that have a large number of heterogeneous data sources that require integration and centralized management.
What's wrong with MMS?
The problem lies in the way MMS regulates access to its data repository. All connections to the repository should be checked to ensure that the person making the connection has the proper credentials to perform the actions they're performing. However, it's possible to connect to the repository in an unusual way that has the effect of bypassing the check.
What's the MMS data repository?
MMS needs to store two different types of data locally. First, it needs to store configuration information for MMS itself, such as administrator user IDs and passwords. Second, depending upon the specific deployment scenario, it may need to store data that isn't found in any of the other directories or databases - that is, MMS may need to act as a directory in its own right, and ensure that the data in that directory is kept consistent with the data in the other directories and databases.
What could this vulnerability enable an attacker to do?
The vulnerability could enable an attacker to modify data in the MMS data repository. A successful attack could allow the attacker to, for instance, reset the MMS administrator password and then subsequently log directly onto MMS as an administrator. It also could enable the attacker to create data that would be replicated to the other data sources.
However, exploiting the vulnerability would be quite difficult. Because the vulnerability provides access to the underlying data structures rather than to MMS itself, the attacker would need a great deal of technical knowledge about how MMS works at a protocol level. In addition, the specific layout of the data repository is unique to every deployment, so the attacker would also need insider knowledge about the particular MMS deployment.
Who could exploit the vulnerability?
The vulnerability could be exploited by an attacker who could create a connection to the MMS system, and had both a detailed understanding of how to manipulate the MMS data repository at a protocol level and significant information about the specific MMS deployment.
Could the vulnerability be exploited via the Internet?
If normal firewalling precautions had been observed (specifically, if inbound connections to port 389, the standard LDAP port, were blocked at the perimeter), users on the Internet would not be able to create a connection to MMS, and thus could not exploit the vulnerability. Blocking the port at the perimeter does not, however, protect against an attacker who is already inside the network and can reach port 389 on the MMS server.
What does the patch do?
The patch eliminates the vulnerability by instituting proper credential checking against accesses made to the MMS data repository.
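The flaw described under "What's wrong with MMS?" and the fix described here are an instance of a general access-control mistake: the credential check guards one entry point rather than the data itself, so a second path to the same data skips it. The following is an added illustrative model, not MMS code; the class names, the alternate path, and the constructed repository contents are assumptions made for the example. The vulnerable form checks credentials only on the normal client path; the hardened form moves the check into the single operation that writes to the repository, so every path is mediated, and the attack the bulletin describes (reset the administrator password, then log on as administrator) fails.

```python
"""Illustrative model of an entry-point credential check versus a check
enforced at the data repository. Added example code; not from MMS."""

from dataclasses import dataclass, field
import hmac


class UnauthorizedError(Exception):
    """Raised when a repository access carries no valid credentials."""


@dataclass
class Repository:
    """Toy stand-in for the MMS data repository: it holds MMS's own
    configuration (here the administrator password) alongside directory
    data. The initial content is constructed for this example."""
    entries: dict = field(
        default_factory=lambda: {"admin.password": "correct horse"})


def credentials_valid(repo, user, password):
    """Compare the supplied password with the stored one in constant time."""
    if user != "admin" or password is None:
        return False
    stored = repo.entries["admin.password"]
    return hmac.compare_digest(password.encode(), stored.encode())


# --- Before the fix: the check guards one entry point, not the data ---

class VulnerableAccess:
    def __init__(self, repo):
        self.repo = repo

    def modify_via_ldap(self, user, password, key, value):
        """The normal path: verify the logon, then write."""
        if not credentials_valid(self.repo, user, password):
            raise UnauthorizedError("bad credentials")
        self.repo.entries[key] = value

    def modify_via_alternate_path(self, session, key, value):
        """The unusual connection: it reaches the same data but never
        binds, so the session is ignored and no check runs."""
        self.repo.entries[key] = value


# --- After the fix: every write goes through one mediated operation ---

@dataclass(frozen=True)
class Session:
    """Proof of a successful bind; only bind() hands these out."""
    user: str


class HardenedAccess:
    def __init__(self, repo):
        self.repo = repo

    def bind(self, user, password):
        if not credentials_valid(self.repo, user, password):
            raise UnauthorizedError("bad credentials")
        return Session(user)

    def _modify(self, session, key, value):
        """The single choke point: no valid session, no write, whatever
        path the caller arrived by."""
        if not isinstance(session, Session):
            raise UnauthorizedError("unauthenticated access to repository")
        self.repo.entries[key] = value

    def modify_via_ldap(self, session, key, value):
        self._modify(session, key, value)

    def modify_via_alternate_path(self, session, key, value):
        # The alternate path still exists but can no longer skip the check.
        self._modify(session, key, value)


def attack(access_cls):
    """Attempt the attack the bulletin describes against a fresh repository:
    reset the administrator password through the alternate path without
    binding, then check whether the attacker-chosen password now logs on.
    Returns True if the attacker ends up with a working admin logon."""
    repo = Repository()
    access = access_cls(repo)
    try:
        access.modify_via_alternate_path(None, "admin.password", "attacker-chosen")
    except UnauthorizedError:
        return False
    return credentials_valid(repo, "admin", "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable: attacker gains admin logon ->", attack(VulnerableAccess))
    print("hardened:   attacker gains admin logon ->", attack(HardenedAccess))
```

The point of the hardened form is where the check sits: a check performed by the front door protects only callers who use the front door, while a check performed by the repository's own write operation protects the data regardless of how a connection was made.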