Title: Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)
Released: 12 June 2002
Revised: 02 July 2002 (Version 2.0) Software: Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP, Routing and Remote Access Server (RRAS)
Impact: Local Privilege Escalation
Max Risk: Critical Read more...
On June 12, 2002, Microsoft released the original version of this bulletin. On July 2, 2002, the bulletin was updated to reflect the availability of a revised patch. Although the original patch completely eliminated the vulnerability, it had the side effect of preventing non-administrative users from making VPN connections in some cases. The revised patch correctly handles VPN connections. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate. The Remote Access Service (RAS) provides dial-up connections between computers and networks over phone lines. RAS is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, and also is included in a separately downloadable Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these implementations include a RAS phonebook, which is used to store information about telephone numbers, security, and network settings used to dial-up remote systems. A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system. Download locations for this patch Microsoft Windows NT 4.0:
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp Microsoft Windows NT 4.0 running RRAS (English Only):
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp Microsoft Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp Microsoft Windows NT 4.0 Terminal Server Edition running RRAS (English Only):
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp Microsoft Windows 2000:
http://www.microsoft.com/windows2000/downloads/security/q318138/default.asp Microsoft Windows XP:
http://www.microsoft.com/downloads/release.asp?ReleaseID=38833 Microsoft Windows XP 64-bit Edition:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39011
Released: 12 June 2002
Revised: 02 July 2002 (Version 2.0) Software: Windows NT 4.0, NT 4.0 Terminal Server Edition, 2000, XP, Routing and Remote Access Server (RRAS)
Impact: Local Privilege Escalation
Max Risk: Critical Read more...
On June 12, 2002, Microsoft released the original version of this bulletin. On July 2, 2002, the bulletin was updated to reflect the availability of a revised patch. Although the original patch completely eliminated the vulnerability, it had the side effect of preventing non-administrative users from making VPN connections in some cases. The revised patch correctly handles VPN connections. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate. The Remote Access Service (RAS) provides dial-up connections between computers and networks over phone lines. RAS is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, and also is included in a separately downloadable Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these implementations include a RAS phonebook, which is used to store information about telephone numbers, security, and network settings used to dial-up remote systems. A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system. Download locations for this patch Microsoft Windows NT 4.0:
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp Microsoft Windows NT 4.0 running RRAS (English Only):
http://www.microsoft.com/ntserver/nts/downloads/security/q318138/default.asp Microsoft Windows NT 4.0 Terminal Server Edition:
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp Microsoft Windows NT 4.0 Terminal Server Edition running RRAS (English Only):
http://www.microsoft.com/ntserver/terminalserver/downloads/security/q318138/default.asp Microsoft Windows 2000:
http://www.microsoft.com/windows2000/downloads/security/q318138/default.asp Microsoft Windows XP:
http://www.microsoft.com/downloads/release.asp?ReleaseID=38833 Microsoft Windows XP 64-bit Edition:
http://www.microsoft.com/downloads/release.asp?ReleaseID=39011
