Security 10816 Published by

Issue:
======
This bulletin discusses a total of seven vulnerabilities affecting the Windows 2000 Telnet service. The vulnerabilities fall into three broad categories: privilege elevation, denial of service and information disclosure.

Two of the vulnerabilities could allow privilege elevation, and have their roots in flaws related to the way Telnet sessions are created. When a new Telnet session is established, the service creates a named pipe, and runs any code associated with it as part of the initialization process. However, the pipe´s name is predictable, and if Telnet finds an existing pipe with that name, it simply uses it. An attacker who had the ability to load and run code on the server could create the pipe and associate a program with it, and the Telnet service would run the code in Local System context when it stablished the next Telnet session.

Four of the vulnerabilities could allow denial of service attacks. None of these vulnerabilities have anything in common with each other.

- One occurs because it is possible to prevent Telnet from terminating idle sessions; by creating a sufficient number of such sessions, an attacker could deny sessions to any other user.

- One occurs because of a handle leak when a Telnet session is terminated in a certain way. By repeatedly starting sessions and then terminating them, an attacker could deplete the supply of handles on the server to point where it could no longer perform useful work.

- One occurs because a logon command containing a particular malformation causes an access violation in the Telnet service.

- One occurs because a system call can be made using only normal user privileges, which has the effect of terminating a Telnet session.

The final vulnerability is an information disclosure vulnerability that could make it easier for an attacker to find Guest accounts exposed via the Telnet server. It has exactly the same cause, scope and effect as a vulnerability affecting FTP and discussed in Microsoft Security Bulletin MS01-026.

Download