Reported June 08, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Windows 2000, all versions

 

DESCRIPTION
Seven different vulnerabilities exist in the version of Telnet that Microsoft ships with Windows 2000. Two of these vulnerabilities relate to the way that Telnet handles the sessions that a user creates, and escalate the user's privilege. When a user establishes a new Telnet session, the service creates a named pipe, running any code that the Operating System associates with the session as part of the initialization process. Because the pipe’s name is predictable, Telnet knows to look for an existing pipe with that name. A potential attacker who has the ability to load and run code on the server can create the pipe and associate a program with it. The Telnet service would run the attacker's code in Local System context when the service establishes the next session.

 

Four of these vulnerabilities let an attacker create Denial of Service (DoS) attacks and are completely different in scope from each other.

 

·         The first type of attack prevents Telnet from terminating idle sessions. An attacker can create a number of idle sessions that deny access to any other user.

·         When Telnet terminates a session in a certain way, a handle leak occurs. By repeatedly starting sessions and killing them, an attacker can deplete the supply of handles on the server and prevent users from establishing new sessions.

·         A malformed logon command can cause an access violation in the Telnet service.

·         A malicious attacker can make a system call by using typical user privileges and terminating a Telnet session.

 

The seventh vulnerability involves information disclosure that makes it easier for an attacker to enumerate Guest accounts exposed by using the Telnet server. It's similar in scope to the FTP vulnerability that MS01-026 discloses.

 

VENDOR RESPONSE

The vendor, Microsoft, acknowledges these vulnerabilities and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-031. For Windows 2000 Datacenter Server users, the patches are hardware specific, and users should contact the original equipment manufacturer.

 

CREDIT
Discovered by Guardent, Peter Gründl, Richard Reiner and Bindview’s Razor team.