-----BEGIN PGP SIGNED MESSAGE----- - - - ---------------------------------------------------------------------- Title: Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution Date: 07 February 2002 Software: Telnet Service in Microsoft Windows 2000; Telnet Daemon in Microsoft Interix 2.2 Impact: Denial of Service; Possibly Run Code of Attacker's Choice Max Risk: Moderate Bulletin: MS02-004 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-004.asp. - - - ---------------------------------------------------------------------- Issue: ====== The Telnet protocol provides remote shell capabilities. Microsoft has implemented the Telnet protocol by providing a Telnet Server in several products. The implementations in two of these products - - - Windows 2000 and Interix 2.2 - contain unchecked buffers in the code that handles the processing of telnet protocol options. An attacker could use this vulnerability to perform a buffer overflow attack. A successful attack could cause the Telnet Server to fail, or in some cases, could possibly allow an attacker to execute code of her choice on the system. Such code would execute using the security context of the Telnet service, but this context varies from product to product. In Windows 2000, the Telnet service always runs as System; in the Interix implementation, the administrator selects the security context in which to run as part of the installation process. Mitigating Factors: ==================== - While the Telnet Service in Windows 2000 is installed by default, it is not running by default. As a result, a Windows 2000 system would only be vulnerable if the administrator had started the service - Remotely exploiting this vulnerability would require the attacker to have the ability to connect to the Telnet Server. Best practices recommends against allowing Telnet access on uncontrolled networks. - The Telnet Daemon in Interix 2.2 is not installed by default when Interix 2.2 is installed. An administrator would have to choose to install and configure this feature. - The Telnet Daemon in Interix does not specify a security context by default. The administrator specifies the security context when they configure or run the daemon. Best practices recommend that the Telnet Daemon run in a context of least privilege, meaning that it have only those rights necessary and no more. Risk Rating: ============ - Internet systems: Moderate - Intranet systems: Moderate - Client systems: Moderate Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-004.asp for information on obtaining this patch. - - - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPGMy/40ZSRQxA/UrAQHWRQgAoU4jNlmYZyo1bh+diOeH0Xq5xUjM3bPH 3XL2ldr6kjzJuJBLBmiSfFyxIerQ5aQoDawnf19pzXeTJgHFNBUqA4dBtfIPyCQM EWGOkxRzWH/hPdZ+buQG7tlwLtcsDLgzhT2aJoVJFyqwxLPTtBWJJgR8ncrv8Jsv EEAMGtXNwG1CpVgYm1pxXn/1xr1X3OysRhsGfjr0OeDSb/sHSiXtuIWB71ZqU9RN drtgUA28uMyvzD5tw3v8uGxBo1Ct3i8FV+J2UPeXFxT/ZiZKax4I5HmzVhzjEfE2 vSUzTPIRKW9qrNvTgbrHgPG8C4ZX09ngfSb6vICF4akEyGt4TB7NCw== =0sRz -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. To cancel your subscription, click on the following link mailto:1_25284_F42BB5EB-DBF5-4A61-81B6-D5AAACAC564D_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail. To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_25284_F42BB5EB-DBF5-4A61-81B6-D5AAACAC564D_US@Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail. You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.