Related information

  Microsoft RAS Phonebook buffer overflow

  Microsoft RASAPI32.DLL

  @stake Advisory: IIS 4.0/5.0 Phone Book server buffer overrun (A120400-1)

  Security Bulletin (MS00-094)

  [CORE SDI ADVISORY] MS Windows NT4 and Windows 2000 Phonebook Service overflow

From: MICROSOFT <secure_(at)_microsoft.com>
Date: 13.06.2002
Subject: Security Bulletin MS02-029: Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in Remote Access Service Phonebook Could
           Lead to Code Execution (Q318138)
Date:       12 June 2002
Software:   Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP,
           Routing and Remote Access Server (RRAS)
Impact:     Local Privilege Escalation
Max Risk:   Critical
Bulletin:   MS02-029

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp.
- ----------------------------------------------------------------------

Issue:
======
The Remote Access Service (RAS) provides dial-up connections between
computers and networks over phone lines. RAS is delivered as a native
system service in Windows NT 4.0, Windows 2000 and Windows XP, and
is also included in a separately downloadable Routing and Remote
Access Server (RRAS) for Windows NT 4.0. All of these implementations
include a RAS phonebook, which is used to store information about
telephone numbers, security, and network settings used to dial up
remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value
is not properly checked, and is susceptible to a buffer overrun. The
overrun could be exploited for either of two purposes: causing a
system failure, or running code on the system with LocalSystem
privileges. If an attacker were able to log onto an affected server
and modify a phonebook entry using specially malformed data, then
made a connection using the modified phonebook entry, the specially
malformed data could be run as code by the system.
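The defect class described above, as an added illustration that is not Microsoft's RAS code: an unchecked copy of a phonebook value into a fixed-size field, beside a bounds-checked parser and an audit routine that counts the entries in a phonebook file body that such a copy would overrun. The INI-style Key=Value layout, the 64-byte field size and the sample entries are assumptions; the bulletin does not name the affected value or its buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed field size for this illustration; the bulletin does not say which
 * phonebook value overruns or how large the real RAS buffer is. */
#define PB_VALUE_MAX 64

/* The defect class the bulletin describes: an INI-style "Key=Value" phonebook
 * entry is copied into a fixed-size field with no length check.  Illustrative
 * only, not Microsoft's RAS code; never called on oversize input here. */
void copy_value_unchecked(char dst[PB_VALUE_MAX], const char *value)
{
    strcpy(dst, value);               /* writes past dst if value is too long */
}

/* Hardened form: reject any value that would not fit rather than copying
 * blindly or truncating silently.  Returns 0 on success, -1 on error. */
int parse_phonebook_line(const char *line, char key[PB_VALUE_MAX],
                         char value[PB_VALUE_MAX])
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;                    /* not a Key=Value line */
    size_t klen = (size_t)(eq - line);
    size_t vlen = strcspn(eq + 1, "\r\n");
    if (klen == 0 || klen >= PB_VALUE_MAX || vlen >= PB_VALUE_MAX)
        return -1;                    /* oversize: the entry is invalid */
    memcpy(key, line, klen);     key[klen] = '\0';
    memcpy(value, eq + 1, vlen); value[vlen] = '\0';
    return 0;
}

/* Defender-side audit: count the Key=Value lines of a phonebook file body
 * that exceed the field limit, i.e. the lines an unchecked copy would overrun.
 * Section headers such as "[Office VPN]" and blank lines are skipped. */
int audit_phonebook(const char *text)
{
    int bad = 0;
    char key[PB_VALUE_MAX], value[PB_VALUE_MAX];
    for (const char *p = text; *p != '\0'; ) {
        size_t len = strcspn(p, "\n");
        if (memchr(p, '=', len) != NULL && parse_phonebook_line(p, key, value) != 0)
            bad++;
        p += len + (p[len] == '\n');  /* advance past the line and its newline */
    }
    return bad;
}

/* Constructed sample phonebook: the Domain value is 70 characters, so it is oversize. */
const char SAMPLE_PBK[] =
    "[Office VPN]\nPhoneNumber=5551234\nType=1\nDevice=Modem\n"
    "Domain=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

int main(void)
{
    printf("oversize phonebook values: %d\n", audit_phonebook(SAMPLE_PBK));
    return 0;
}
```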


Mitigating Factors:
====================
- The vulnerability could only be exploited by an attacker who had
  the appropriate credentials to log onto an affected system.

- Best practice suggests that unprivileged users not be allowed to
  interactively log onto business-critical servers. If this
  recommendation has been followed, machines such as domain
  controllers, ERP servers, print and file servers, database
  servers, and others would not be at risk from this vulnerability.


Risk Rating:
============
- Internet systems: Low
- Intranet systems: Critical
- Client systems: Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-029.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- David Litchfield of Next Generation Security Software Ltd.
  (http://www.nextgenss.com/)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
