Microsoft Security Bulletin MS00-053 - Critical
Patch Available for 'Service Control Manager Named Pipe Impersonation' Vulnerability
Published: August 02, 2000
Originally posted: August 2, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows 2000®. The vulnerability could allow a user logged onto a Windows 2000 machine from the keyboard to become an administrator on the machine.
Affected Software:
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Vulnerability Identifier: CVE-2000-0737
The Service Control Manager (services.exe) is an administrative tool provided in Windows 2000 that allows system services (Server, Workstation, Alerter, ClipBook, etc.) to be created or modified. The SCM creates a named pipe for each service as it starts. However, if a malicious program were to predict and create the named pipe for a specific service before the service started, the program could impersonate the privileges of the service. This could allow the malicious program to run in the context of the given service, with either specific user or LocalSystem privileges.
The primary risk from this vulnerability is that a malicious user could exploit this vulnerability to gain additional privileges on the local machine. A malicious user would require the ability to log onto the target machine interactively and run arbitrary programs in order to exploit this vulnerability, and as a result, workstations and terminal servers would be at greatest risk.
What's this bulletin about?
Microsoft Security Bulletin MS00-053 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000®. The vulnerability could allow a user to gain inappropriate privileges on a Windows 2000 machine. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. A malicious user who could interactively log on to a Windows 2000 machine and run a program could pose as any other user on the machine, including the administrator or the system itself.
The machines most likely to be affected by this vulnerability are Windows 2000 Professional workstations and terminal servers, because they typically allow normal users to interactively log onto them. Security-critical machines such as domain controllers, ERP servers, print and file servers, and SQL servers typically do not allow normal users to interactively log onto them and, where that is the case, are not at risk from this vulnerability.
The vulnerability would allow a Guest user or normal user to assume any desired level of privilege on the machine that was compromised. In the case of a compromised workstation, it's likely that the malicious user could not extend control to the rest of the network. However, if he or she compromised a domain controller, he or she would gain de facto control of the domain.
What causes the vulnerability?
A flaw in the Service Control Manager (SCM) function that creates named pipes for system services could allow a malicious user to execute arbitrary code in the security context of a specific service.
The SCM creates a server-side named pipe for each service prior to starting the service. The names assigned to the named pipes follow a predictable sequence, so a malicious user could guess the name of the next instance of a particular service and create a server-side named pipe under that name. The next time the specific service was started, it would execute malicious code attached to the newly created named pipe. The malicious code would be executed within the security context normally assigned to that service. Services typically execute with LocalSystem privileges, but may also be executed under the security context of a particular predefined user account.
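To make the mechanism concrete, the following is an added Python model of the race described above. It is not Microsoft's code and does not describe what the patch changed; the machine-wide pipe namespace is a dict, and the Win32 behaviours it stands in for (a second CreateNamedPipe on an existing name adding another instance unless FILE_FLAG_FIRST_PIPE_INSTANCE is used, and the SECURITY_IDENTIFICATION quality of service a client may request when it connects) are named only in comments. The `ctl` pipe-name prefix, the sequence counter and the principals `lowpriv-user`, `SYSTEM` and `LocalSystem` are constructed for the example.

```python
"""Model of the pipe-name squatting race described in MS00-053.

Added illustration, not Microsoft's code and not the patch. The shared
named-pipe namespace is a dict; the Win32 behaviours it stands in for are
named only in comments. Pipe names, principals and the sequence counter
are constructed for the example.
"""
import itertools
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Quality-of-service level a pipe client grants to whoever holds the server end
# (stands in for SECURITY_SQOS_PRESENT with SECURITY_IDENTIFICATION / SECURITY_IMPERSONATION).
IDENTIFICATION = "identification"  # server may learn who connected, nothing more
IMPERSONATION = "impersonation"    # server may act with the client's token


class PipeExists(Exception):
    """Raised when a first-instance creator finds the name already taken."""


@dataclass
class PipeServer:
    name: str
    owner: str                             # principal that created this server end
    client_identity: Optional[str] = None  # who connected to it
    client_token: Optional[str] = None     # token the server could act with


class PipeNamespace:
    """Machine-wide pipe namespace: one name may carry several instances."""

    def __init__(self) -> None:
        self.instances: Dict[str, List[PipeServer]] = {}

    def create_server(self, name: str, owner: str, first_instance: bool) -> PipeServer:
        # Normally a second creator just adds another instance under the same name;
        # first_instance models FILE_FLAG_FIRST_PIPE_INSTANCE, which refuses instead.
        existing = self.instances.setdefault(name, [])
        if existing and first_instance:
            raise PipeExists(name)
        server = PipeServer(name=name, owner=owner)
        existing.append(server)
        return server

    def connect(self, name: str, client: str, level: str) -> PipeServer:
        # The earliest-created instance is the one listening, so it gets the client.
        server = self.instances[name][0]
        server.client_identity = client
        server.client_token = client if level == IMPERSONATION else None
        return server


def run_race(predictable: bool, first_instance: bool, level: str) -> dict:
    """A low-privilege squatter guesses the next pipe name, then the SCM starts a service.

    Returns what the squatter ended up holding, so the three levers (unpredictable
    names, first-instance creation, identification-only connect) can be compared.
    """
    ns = PipeNamespace()
    counter = itertools.count(1)

    def next_scm_name() -> str:
        if predictable:
            return f"\\\\.\\pipe\\ctl{next(counter)}"       # sequential, guessable
        return f"\\\\.\\pipe\\ctl{secrets.token_hex(16)}"   # 128-bit random suffix

    # Squatter moves first: creates the server end under the name it expects next.
    squatter = ns.create_server("\\\\.\\pipe\\ctl1", owner="lowpriv-user", first_instance=False)

    # SCM creates the control pipe for the service it is about to start.
    name = next_scm_name()
    try:
        ns.create_server(name, owner="SYSTEM", first_instance=first_instance)
    except PipeExists:
        # Squat detected before the service ever connects; the SCM can refuse to start it.
        return {"service_started": False, "squatter_saw": None, "squatter_token": None}

    # Service starts as LocalSystem and connects to what it believes is the SCM's pipe.
    ns.connect(name, client="LocalSystem", level=level)
    return {
        "service_started": True,
        "squatter_saw": squatter.client_identity,
        "squatter_token": squatter.client_token,
    }


if __name__ == "__main__":
    cases = [
        ("predictable name, plain connect", True, False, IMPERSONATION),
        ("predictable name, first-instance check", True, True, IMPERSONATION),
        ("unpredictable name", False, False, IMPERSONATION),
        ("predictable name, identification-only connect", True, False, IDENTIFICATION),
    ]
    for label, pred, first, lvl in cases:
        print(f"{label:48} -> {run_race(pred, first, lvl)}")
```

Only the first case hands the squatter a LocalSystem token. Each of the other three closes the hole by a different lever: the legitimate creator failing loudly when the name is already taken, a name that cannot be guessed, or a client that connects without granting impersonation so a rogue server can learn who connected but cannot act as them.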
What is the Service Control Manager?
The Service Control Manager is an administrative tool provided in Windows 2000 that allows system services to be created or modified.
What are named pipes?
Pipes allow processes to communicate with each other. A pipe is an area of memory that two or more processes share. When Process A wants to communicate with Process B, it puts data into the shared memory and sets a semaphore telling Process B to read it. There are two types of pipes:
- Anonymous pipes, which allow one-way communication from a parent process to a child process. They can only exist locally.
- Named pipes, which allow bi-directional communication between multiple processes. The processes can reside on different machines.
Is this a vulnerability within specific Windows 2000 services?
No, there is no problem with Windows 2000 services per se. The flaw is entirely within the Service Control Manager function for creating named pipes for services.
What would this vulnerability let a malicious user do?
A malicious user could gain additional privileges on the local machine. For instance, he or she could add himself or herself to the local Administrators group, after which point he or she could take any desired action on the machine.
Could this vulnerability be exploited accidentally?
No. Exploiting this vulnerability requires a very specific series of steps that have no legitimate purpose. They would only be taken by a malicious user hoping to exploit this vulnerability.
Could this vulnerability be exploited remotely?
No. As discussed above, the specific function at issue here can only be used to create service named pipes on the local machine, so a malicious user could only use it to attack a machine that he or she can log onto interactively.
What machines are at greatest risk from this vulnerability?
Machines that allow normal users to interactively log onto them and run arbitrary programs are at greatest risk from this vulnerability. The machines primarily at risk would be Windows 2000 Professional workstations and terminal servers.
If recommended security practices are followed, security-critical servers such as domain controllers, ERP servers, print and file servers, database servers, and web servers would not allow normal users to interactively log onto them, and hence would not be at risk.
What risk does this vulnerability pose to my network?
The vulnerability would allow a malicious user to assume any desired level of privilege on the specific machine that he or she compromised. The risk to the network at large would depend on the role that the machine plays on the network. If a workstation or terminal server were compromised, it would likely pose little risk to the network at large. By default, even a local administrator has no special domain privileges.
However, if a domain controller or other machine that stores domain administrative information locally were compromised, the malicious user could take advantage of it to extend control beyond the local machine. This is, however, a bit of a chicken-and-egg issue. The presence of domain administrative information on such machines is the primary reason why recommended security practices militate against giving normal users the ability to interactively log onto them.
What does the patch do?
The patch changes the way in which the SCM creates and allocates named pipes and prevents other processes from performing the operations described above.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
Knowledge Base article Q269523 contains detailed instructions for applying the patch.
How can I tell if I installed the patch correctly?
The Knowledge Base article Q269523 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article Q269523 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Windows 2000: http://www.microsoft.com/downloads/details.aspx?FamilyId=CF0D00F5-2552-4CA2-B2F4-615FBD7EB2FD&displaylang=en
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base article Q269523 discusses this issue.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support .
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- August 2, 2000: Bulletin Created.