-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2001.261 -- Microsoft Security Bulletin MS01-036
  Function Exposed via LDAP over SSL Could Enable Passwords to be Changed
                               27 June 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                LDAP Server
Vendor:                 Microsoft
Operating System:       Windows 2000
Impact:                 Increased Privileges
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Function Exposed via LDAP over SSL Could Enable 
            Passwords to be Changed
Date:       25 June 2001
Software:   Windows 2000
Impact:     Privilege Elevation
Bulletin:   MS01-036

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-036.asp.
- - ----------------------------------------------------------------------

Issue:
======
This vulnerability involves an LDAP function that is only available
if 
the LDAP server has been configured to support LDAP over SSL
sessions, 
and whose purpose is to allow users to change the data attributes of 
directory principals. By design, the function should check the 
authorizations of the user before completing the request; however, it
contains an error that manifests itself only when the directory 
principal is a domain user and the data attribute is the domain 
password -- when this is the case, the function fails to check the 
permissions of the requester, with the result that it could be
possible 
for a user to change any other user's domain login password. 

An attacker could change another user's password for either of two 
purposes: to cause a denial of service by preventing the other user 
from logging on, or in order to log into the user's account and gain 
any privileges the user had. Clearly, the most serious case would be 
one in which the attacker changed a domain administrator's password
and 
logged into the administrator's account. 

By design, the function affected can be called by any user who can 
connect to the LDAP server, including users who connect via anonymous
sessions. As a result, any user who could establish a connection with
an affected server could exploit the vulnerability. 

Mitigating Factors:
====================
 - LDAP over SSL sessions cannot be conducted unless the 
   administrator has installed a digital certificate on the LDAP
   server. As a result, default installations of Windows 2000
   are not affected by this vulnerability. 
 - If the firewall is configured to block tcp port 636, the
   vulnerability could not be exploited by outside users. 
 - This vulnerability could not be used to change the password 
   of local user accounts on individual machines. 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-036.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Jon McDonald (http://www.entrigue.net)  
 - Russ Cooper (http://www.ntbugtraq.com)

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL 
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS 
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT 
APPLY.



- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOzfaRo0ZSRQxA/UrAQE22gf/W+GD69o8ARA8tPFFJ1hEEa+ISUCqzsad
KCozn4q15zGvZZnM4INxaiD5tPZKkJWIyx8+w5V4AdgTJDLF2YW8ADdk7Dpt1gk9
bOMkr9ipsX5qP5eD3c2cOj+kIQUKQ4Ql5UOW2l6HvrRZUXHyL9sHPpK1+1vwej2z
E9/x0VTDDKu3uc3KTHFFTVbgIfibT4z3zcZUDC0omH8oU+3eNjYwn343ATd+LXMx
Hpsrhrq/gvZc98FYEOW0Re9kHoGuLkDWqdtz63xOxziHjliASPpxsxmJ71bAx0v4
bVuQYQQ+AZklgYwzYDkCfciTfOjjRvi82whlzMDur/t6UtwW3Fe1Zg==
=QExj
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOzmvKyh9+71yA2DNAQHTTgP9FxRjPZhGZ4vKDPzjzAudt0+XVE1T/PJx
eaKhJYcgbHHmCU47eRTnmdctSHkzTspBupwqC2tVMEFv9whhYxtfQQXBolkNj1UT
cJVX09rFOJA9CBulYeYHO0XI/CXBWYcRnd6KV9QSXfswrdH+cAT1w13S+k3gBOcg
zfSm5RzzOfk=
=bGFv
-----END PGP SIGNATURE-----