SECURITYVULNS:DOC:1263
Feb 09, 2001 - 12:00 a.m.

REVISION: @stake Advisory Notification: NetDDE Message Vulnerability (A020501-1)

vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 * Please note revision section below *


                       @stake Inc.
                     www.atstake.com

                     Security Advisory

Advisory Name: NetDDE Message Vulnerability
Release Date: 02/05/2001
[Updated on 2/08/2001]
Application: Network DDE (system component)
Platform: Windows 2000 (up to and including Service Pack 1)
[Affects Professional, Server, Advanced Server,
Terminal Services and Citrix Metaframe configurations]
Severity: Any local user can obtain SYSTEM privileges
Author: DilDog ([email protected])
Vendor Status: Vendor has patch and bulletin
CVE: CAN-2001-015
Reference: www.atstake.com/research/advisories/2001/a020501-1.txt

Summary:

    Network DDE is a system service that is enabled in Windows 2000 by
default. Due to design flaws, it allows arbitrary commands to be executed
with SYSTEM user privileges.

    This is a privilege escalation vulnerability. Executing code with
SYSTEM privileges allows an attacker to have full administrative control
of the workstation or server. This vulnerability can be used by an
attacker to elevate privileges on a workstation or server where he or she
has the logon privileges of a normal user. It can also be used to
completely compromise a server when combined with another lesser
vulnerability that allows code execution as a low privileged user.

    When the "Network DDE DSDM" service is started, the WINLOGON
process creates an invisible window for inter-process communication with
various NetDDE components. The WINLOGON process is running as the SYSTEM
user. When a particular undocumented structure is passed to WINLOGON
through the "DDE Copy Data" window message mechanism, it can specify an
arbitrary command line to run in the WINLOGON context.

    This functionality is supposedly the back end by which trusted
service NetDDE shares have their server applications started automatically
when a NetDDE connection is requested but the server hasn't started yet.
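The exposure described above exists only while the Network DDE services are running, so the first thing an administrator wants to know is whether those services are enabled on a given host. The following check is an added example and is not part of the @stake advisory or of Microsoft's patch; it assumes a Windows host with the CIM cmdlets available and matches the services by the display-name prefix "Network DDE" that the advisory itself uses, so it does not depend on the internal service short names. It reports state and start mode only; it does not verify whether the MS01-007 patch is installed, since the advisory gives no hotfix identifier to test for.

```powershell
# Added example (not from the advisory): report the state of the
# Network DDE services that back the mechanism described in the text.
# Assumption: service display names start with "Network DDE" (the
# advisory refers to the "Network DDE DSDM" service by that name).

function Get-NetDdeServiceStatus {
    [CmdletBinding()]
    param()

    # WQL filter on the display name; both "Network DDE" and
    # "Network DDE DSDM" match this prefix.
    $services = Get-CimInstance -ClassName Win32_Service `
        -Filter "DisplayName LIKE 'Network DDE%'" -ErrorAction SilentlyContinue

    if (-not $services) {
        # Nothing matched: the component is absent or renamed on this host.
        return [pscustomobject]@{
            Present  = $false
            Exposed  = $false
            Services = @()
        }
    }

    $rows = foreach ($s in $services) {
        [pscustomobject]@{
            Name        = $s.Name
            DisplayName = $s.DisplayName
            State       = $s.State        # e.g. Running / Stopped
            StartMode   = $s.StartMode    # e.g. Auto / Manual / Disabled
        }
    }

    # The advisory ties the exposure to the DSDM service being started,
    # so flag the host if any matching service is currently running or
    # configured to start automatically.
    $exposed = [bool]($rows | Where-Object {
        $_.State -eq 'Running' -or $_.StartMode -eq 'Auto'
    })

    return [pscustomobject]@{
        Present  = $true
        Exposed  = $exposed
        Services = $rows
    }
}

# Usage: print the findings and use the exit code in a scheduled check.
$result = Get-NetDdeServiceStatus
$result.Services | Format-Table -AutoSize
if ($result.Exposed) {
    Write-Warning "Network DDE is running or set to start automatically; apply MS01-007."
    exit 1
}
exit 0
```

The display-name match is deliberately loose so the same check works whether one or both Network DDE services exist on the host; the `Exposed` flag treats an automatic start mode as exposure even when the service is currently stopped, because it will be back after the next boot.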

Vendor Response:

    Microsoft has issued a bulletin describing this topic:
    http://www.microsoft.com/technet/security/bulletin/MS01-007.asp

    Microsoft has issued a patch:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526

Advisory Reference:

http://www.atstake.com/research/advisories/2001/a020501-1.txt

** The advisory contains additional information. We encourage those
** affected by this issue to read the advisory.
**
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.

Revisions:

02/05/2001: Initial Release
02/08/2001: Added additional vulnerable platforms: Windows 2000 Terminal
        Services and Citrix Metaframe.

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOoMfOlESXwDtLdMhEQIOmQCfS9dgz9Jc0Xyny+JhZR+7/QHZo0MAnipW
8p675HoiabYdzlY9dj+AhaJ6
=4vcT
-----END PGP SIGNATURE-----