Microsoft Security Bulletin MS01-036 - Critical

Function Exposed via LDAP over SSL Could Enable Passwords to be Changed

Published: June 25, 2001 | Updated: February 28, 2003

Version: 1.2

Summary

Who should read this bulletin: 
System administrators using Microsoft® Windows® 2000.

Impact of vulnerability: 
Privilege elevation.

Recommendation: 
Customers who currently provide LDAP over SSL sessions should apply the patch immediately.

Affected Software:

  • Microsoft Windows 2000

General Information

Technical details

Technical description:

This vulnerability involves an LDAP function that is only available if the LDAP server has been configured to support LDAP over SSL sessions, and whose purpose is to allow users to change the data attributes of directory principals. By design, the function should check the authorizations of the user before completing the request; however, it contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password -- when this is the case, the function fails to check the permissions of the requester, with the result that it could be possible for a user to change any other user's domain login password.

An attacker could change another user's password for either of two purposes: to cause a denial of service by preventing the other user from logging on, or in order to log into the user's account and gain any privileges the user had. Clearly, the most serious case would be one in which the attacker changed a domain administrator's password and logged into the administrator's account.

By design, the function affected can be called by any user who can connect to the LDAP server, including users who connect via anonymous sessions. As a result, any user who could establish a connection with an affected server could exploit the vulnerability.

Mitigating factors:

  • LDAP over SSL sessions cannot be conducted unless the administrator has installed a digital certificate on the LDAP server. As a result, default installations of Windows 2000 are not affected by this vulnerability.
  • If the firewall is configured to block tcp port 636, the vulnerability could not be exploited by outside users.
  • This vulnerability could not be used to change the password of local user accounts on individual machines.

Vulnerability identifier: CAN-2001-0502

Tested Versions:

Microsoft tested Windows 2000 and Windows NT® 4.0 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could enable an attacker to change the password of a user (including a domain administrator) in a Windows 2000 domain. This could be done for either of two purposes: to prevent the user from logging onto the domain, or to allow the attacker to log into the other user's account. This vulnerability is subject to several significant constraints:

  • It could only be exploited via a LDAP over SSL session, but such a session would only be available if the LDAP server had been specifically configured to support LDAP over SSL. A default Windows 2000 LDAP server would not be affected by this vulnerability.
  • If normal firewalling practices have been followed, Internet users would not be able to exploit this vulnerability against a corporate network.
  • The vulnerability could only be used to change the passwords of domain user accounts. It could not be used to change local user account passwords on individual machines.

What causes the vulnerability?
The vulnerability results because of a flaw in a function that is exposed via LDAP over SSL in Windows 2000. The flaw could enable an attacker to modify the password attribute of a user object.

What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol that enables authorized users to interrogate or modify the data in a metadirectory. For instance, in Windows 2000, LDAP is one protocol used to access data in the Active Directory.

What do you mean by LDAP over SSL?
In Windows 2000, LDAP requests can be levied via either unsecured sessions or secured SSL sessions. Certain functions are only available over secured sessions. The function involved in this vulnerability is such a function; as a result, the vulnerability could only be exploited if LDAP over SSL was available on the domain's LDAP server.

Is LDAP over SSL available by default?
No. Before an LDAP server can participate in an SSL session, the administrator must have obtained a digital certificate and installed it on the server. Unless this has been done, LDAP over SSL is not available, and the vulnerability could not be exploited. This means that default installations of Windows 2000 are not at risk from this vulnerability. We do, however, recommend that customers who believe that they might choose to make LDAP over SSL services available in the future apply the patch as a safeguard.

What's wrong with the function that contains the vulnerability?
The function is designed to allow data stored in the directory to be modified. However, it should do so subject to the access controls associated with each particular piece of data. The vulnerability results because when modifying one data attribute - the password attribute associated with users - it doesn't correctly check the permissions, and simply processes the request. This could make it possible for an attacker to misuse the function and change another user's domain password.

What would the vulnerability enable an attacker to do?
Gaining the ability to change other users' domain passwords would let an attacker do either of two things. She could change them to some unknown value, simply to prevent the owner of the account from logging into it. On the other hand, she could change the password and then log into the account in order to gain the privileges associated with that account.

Could the attacker change a domain administrator's password?
Yes. Clearly, this is the most serious risk posed by the vulnerability. If the attacker changed a domain administrator's password, she could log into the administrator's account and gain administrative control of the domain.

What permissions would the attacker need in order to exploit the vulnerability?
The function containing the vulnerability can be called by any user, even ones that aren't domain members. As a result, virtually any user who was on the same side of the firewall as an affected server could exploit the vulnerability. However, users outside of the firewall would be unable to exploit the vulnerability, as long as the firewall blocked tcp port 636.

Could the vulnerability be used to change the passwords of local accounts on individual computers?
No. Local user accounts on individual computers are not stored in a directory, and can't be changed via LDAP. Only domain account passwords could be changed via this vulnerability.

I'm running Windows NT 4.0. Am I affected by the vulnerability?
No. Only Windows 2000 systems are affected and even then only if offering LDAP services over SSL.

I'm running Windows 2000. What machines should I apply the patch to?
The patch only needs to be installed on Windows 2000 servers, and even then only on servers that provide LDAP over SSL.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the affected function only allows users to change data attributes that they are authorized to change.
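The flaw described in the two answers above is an attribute-specific code path that skips the general permission check. The following model is an added illustration, not Microsoft's code; the attribute name `unicodePwd`, the ACL layout and the principal names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

PASSWORD_ATTR = "unicodePwd"  # assumed name of the domain password attribute


@dataclass
class Principal:
    """Constructed directory object: per-attribute write ACL plus stored values."""
    name: str
    is_domain_user: bool
    write_acl: dict = field(default_factory=dict)   # attribute -> {allowed requesters}
    attributes: dict = field(default_factory=dict)


def allowed_to_write(requester: str, target: Principal, attr: str) -> bool:
    """Generic access check: a user may change their own password; any other
    write must be granted explicitly by the attribute's ACL."""
    if attr == PASSWORD_ATTR and requester == target.name:
        return True
    return requester in target.write_acl.get(attr, set())


def modify_vulnerable(requester: str, target: Principal, attr: str, value: str) -> bool:
    """Model of the unpatched function: the domain-user password attribute
    takes a special path that never consults the ACL, so any caller succeeds."""
    if attr == PASSWORD_ATTR and target.is_domain_user:
        target.attributes[attr] = value      # permission check skipped here
        return True
    if not allowed_to_write(requester, target, attr):
        return False
    target.attributes[attr] = value
    return True


def modify_fixed(requester: str, target: Principal, attr: str, value: str) -> bool:
    """Patched behaviour: every attribute write, password included, goes
    through the same access check."""
    if not allowed_to_write(requester, target, attr):
        return False
    target.attributes[attr] = value
    return True


def demo() -> tuple:
    """Anonymous requester against a domain administrator, before and after."""
    before = Principal("domain-admin", True, {"displayName": {"helpdesk"}}, {PASSWORD_ATTR: "s3cret"})
    after = Principal("domain-admin", True, {"displayName": {"helpdesk"}}, {PASSWORD_ATTR: "s3cret"})
    return (modify_vulnerable("anonymous", before, PASSWORD_ATTR, "chosen"),
            modify_fixed("anonymous", after, PASSWORD_ATTR, "chosen"))
```

Local accounts (`is_domain_user=False`) never take the special path, matching the bulletin's note that only domain passwords are exposed.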

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Windows 2000 Service Pack 1 or Service Pack 2.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches:

This patch supersedes the one provided in Microsoft Security Bulletin MS01-024.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q299687.

  • To verify the individual files, use the date/time and version information provided in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q299687\Filelist.

Caveats:

None

Localization:

Localized versions of this patch are available from the download locations listed in the section titled "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Jon McDonald, President, Entrigue Systems Inc. (https://www.entrigue.net), for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q299687 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 25, 2001): Bulletin Created.
  • V1.1 (July 09, 2001): Bulletin updated to advise that the patch supersedes the one provided in MS01-024.
  • V1.2 (February 28, 2003): Updated links in Frequently Asked Questions section.