
Microsoft Windows RAS phonebook buffer overflow allows code execution

Risk
Medium

Date Discovered
06-12-2002

Description
The Remote Access Service (RAS) contains a buffer overflow that could allow malicious users to cause a denial of service or execute code.

RAS provides dial-up connections between computers or networks via phone lines. Windows NT/2000/XP all come with RAS, which includes a RAS PhoneBook that stores telephone numbers and security and network settings used for dial-up connections. Routing and Remote Access Services (RRAS) is a multi-protocol router add-on product that allows a Windows NT 4.0 server to perform routing functions such as server-to-server connections.

In the PhoneBook implementation, the code that reads PhoneBook values does not properly perform bounds checking of stored data. An attacker who can successfully access the targeted server can insert malicious data in a value stored in the vulnerable PhoneBook, and then initiate a connection using the modified value to cause a buffer overflow condition. Successful exploitation of this vulnerability could result in either a failure of the system or, if the malformed data is specifically formatted, arbitrary code execution on the server with system privileges.

An attacker must have appropriate credentials to log on to an affected computer to exploit this flaw. Additionally, a user with these privileges could remotely log on using remote access software applications.

To find out if your Terminal Server is running RRAS, view Properties for Network Neighborhood. On the Select Services tab, Routing and Remote Access Services is listed if RRAS is installed.

Platforms Affected
Windows

Components Affected
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows NT 4.0
Microsoft Windows NT, Terminal Server Edition 4.0

Recommendations
Best Practice - Least Privilege

Least Privilege requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. Applying this principle will limit the damage that can result from either accident, error or unauthorized use of an information system.

Patch : Microsoft Windows NT 4.0 RAS phonebook patch Q318138

This patch eliminates the vulnerability by instituting proper input checking on the RAS phonebook entries.

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
The Windows Routing and Remote Access Server patch can be installed on systems running Windows NT 4.0 Service Pack 6a (English only).

Verifying patch installation:

Windows NT 4.0 Service Pack 6a:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138

To verify the individual files, consult the file manifest in Knowledge Base article Q318138.

Patch : Microsoft Windows NT 4.0 Terminal Server RAS phonebook patch Q318138

Windows NT 4.0 Terminal Server Edition Service Pack 6:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138

To verify the individual files, consult the file manifest in Knowledge Base article Q318138.

Patch : Microsoft Windows 2000 RAS phonebook patch Q318138

The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2.

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138

To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138\Filelist

Patch : Microsoft Windows XP RAS phonebook patch Q318138

The patch for Windows XP can be installed on systems running Windows XP Gold.

To verify that the patch has been installed, confirm that the following registry key has been created on the machine:

HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138

To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138\Filelist

Patch : Microsoft Windows XP (w/64 bit encryption) RAS phonebook patch Q318138

Windows XP ia64 Security Patch: RAS Phonebook Buffer Overrun Vulnerability

This update resolves the "Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution" security vulnerability in Windows XP. The vulnerability is the result of an unchecked buffer in the Remote Access Service (RAS) Phonebook.

Applies to: Windows XP Professional, 64-bit edition.

To verify that the patch has been installed, confirm that the following registry key has been created on the machine:

HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138

To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138\Filelist
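The registry checks above are the same on every listed platform apart from the key path, so they can be run from one script. The following PowerShell is an added example written for this page, not code from Symantec or Microsoft: it tests for each Q318138 hotfix key named in the advisory, dumps whatever file version and date values sit under the Filelist subkey where one exists (Windows 2000 and XP), and reports the state of the Routing and Remote Access service, which is the check the "is RRAS installed" paragraph earlier on this page asks for. It assumes a PowerShell session on the host being verified with read access to HKLM, that the service is registered under the name RemoteAccess (an assumption, not stated on the page), and it does not assume any particular value names under Filelist.

```powershell
# Added example, not part of the Symantec advisory.
# Assumptions: PowerShell on the host being checked, read access to HKLM,
# and RRAS registered as the service named "RemoteAccess".
# Key paths below are copied from the advisory's verification steps.

$Q318138Keys = @{
    'Windows NT 4.0 / NT 4.0 Terminal Server' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138'
    'Windows 2000'                            = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138'
    'Windows XP (32-bit and 64-bit)'          = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q318138'
}

function Test-Q318138Installed {
    [CmdletBinding()]
    param()

    $found = $false
    foreach ($entry in $Q318138Keys.GetEnumerator()) {
        $keyPath = $entry.Value
        if (-not (Test-Path -LiteralPath $keyPath)) {
            Write-Verbose "Not present: $keyPath"
            continue
        }
        $found = $true
        Write-Output "Q318138 is registered for $($entry.Key):"
        Write-Output "  $keyPath"

        # Windows 2000 and XP record per-file date/time and version data under
        # Filelist; NT 4.0 does not, so there the KB Q318138 manifest is the source.
        $fileList = Join-Path -Path $keyPath -ChildPath 'Filelist'
        if (Test-Path -LiteralPath $fileList) {
            Get-ChildItem -LiteralPath $fileList | ForEach-Object {
                # Emit every value stored for the file entry; the provider's own
                # PS* properties are noise and are excluded.
                Get-ItemProperty -LiteralPath $_.PSPath |
                    Select-Object -Property * -ExcludeProperty PS*
            } | Format-List
        } else {
            Write-Output "  No Filelist subkey; compare file versions against the manifest in KB Q318138."
        }
    }

    if (-not $found) {
        Write-Warning 'No Q318138 hotfix key found under HKLM; treat the host as unpatched until verified.'
    }
    return $found
}

function Get-RrasStatus {
    # Exposure is higher where RRAS is installed; the advisory's NT 4.0 RRAS
    # patch targets exactly those hosts. Service name is an assumption.
    $svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Routing and Remote Access service not present' }
    return "Routing and Remote Access service: $($svc.Status)"
}

Test-Q318138Installed -Verbose
Get-RrasStatus
```

Run it in an elevated session so that the hotfix keys are readable regardless of ACLs; a return value of $false from Test-Q318138Installed on any of the listed platforms means the host still needs the patch or a later service pack that supersedes it.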

References
Source: CVE CAN-2002-0366
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0366

Source: Microsoft MS02-029
URL: http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-029.asp


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.