Reported July 24, 2002, by Microsoft.



  • Microsoft Metadirectory Services (MMS) 2.2




A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, be accessible only to MMS administrators. Specifically, an unprivileged user could connect to the MMS data repository with a Lightweight Directory Access Protocol (LDAP) client in a way that bypasses certain security checks. As a result, an attacker could modify data within the MMS data repository, either to change the MMS configuration or to replicate bogus data to the other data repositories.




The vendor, Microsoft, has released Security Bulletin MS02-036 (Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation) to address this vulnerability and recommends that affected users download and apply the Service Pack mentioned in the security bulletin.


Discovered by Dan Pascal Huijbers and Thomas de Klerk of Info Support.