Published:

07 February 2002

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2002.064 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.064 -- Microsoft Security Bulletin MS02-004
 Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution
                              8 February 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Telnet Service in Microsoft Windows 2000
                        Telnet Daemon in Microsoft Interix 2.2
Vendor:                 Microsoft
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - -
- - ----------------------------------------------------------------------
Title:      Unchecked Buffer in Telnet Server Could Lead to Arbitrary
            Code Execution
Date:       07 February 2002
Software:   Telnet Service in Microsoft Windows 2000; Telnet 
            Daemon in Microsoft Interix 2.2
Impact:     Denial of Service; Possibly Run Code of Attacker's Choice
Max Risk:   Moderate
Bulletin:   MS02-004

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-004.asp.
- - -
- - ----------------------------------------------------------------------

Issue:
======
The Telnet protocol provides remote shell capabilities. Microsoft has
implemented the Telnet protocol by providing a Telnet Server in
several products. The implementations in two of these products 
- - - - Windows 2000 and Interix 2.2 - contain unchecked buffers in the
code that handles the processing of telnet protocol options. 

An attacker could use this vulnerability to perform a buffer
overflow attack. A successful attack could cause the Telnet Server
to fail, or in some cases, could possibly allow an attacker to
execute code of her choice on the system. Such code would execute
using the security context of the Telnet service, but this context
varies from product to product. In Windows 2000, the Telnet service
always runs as System; in the Interix implementation, the
administrator selects the security context in which to run as part
of the installation process. 

Mitigating Factors:
====================
 - While the Telnet Service in Windows 2000 is installed by default,
   it is not running by default. As a result, a Windows 2000 system
   would only be vulnerable if the administrator had started the
   service 

 - Remotely exploiting this vulnerability would require the attacker
   to have the ability to connect to the Telnet Server. Best
   practices recommends against allowing Telnet access on
   uncontrolled networks. 

 - The Telnet Daemon in Interix 2.2 is not installed by default when
   Interix 2.2 is installed. An administrator would have to choose 
   to install and configure this feature.

 - The Telnet Daemon in Interix does not specify a security context
   by default. The administrator specifies the security context when
   they configure or run the daemon. Best practices recommend that
   the Telnet Daemon run in a context of least privilege, meaning
   that it have only those rights necessary and no more. 

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-004.asp
   for information on obtaining this patch.


- - -
- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPGMy/40ZSRQxA/UrAQHWRQgAoU4jNlmYZyo1bh+diOeH0Xq5xUjM3bPH
3XL2ldr6kjzJuJBLBmiSfFyxIerQ5aQoDawnf19pzXeTJgHFNBUqA4dBtfIPyCQM
EWGOkxRzWH/hPdZ+buQG7tlwLtcsDLgzhT2aJoVJFyqwxLPTtBWJJgR8ncrv8Jsv
EEAMGtXNwG1CpVgYm1pxXn/1xr1X3OysRhsGfjr0OeDSb/sHSiXtuIWB71ZqU9RN
drtgUA28uMyvzD5tw3v8uGxBo1Ct3i8FV+J2UPeXFxT/ZiZKax4I5HmzVhzjEfE2
vSUzTPIRKW9qrNvTgbrHgPG8C4ZX09ngfSb6vICF4akEyGt4TB7NCw==
=0sRz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPGP7nih9+71yA2DNAQG4nAP+IncCsqAkEtyZbbcr49dPMf7ltXj1BW8Y
3CfXTTfJy9/NxArgIppf4gbZu5MnrJY1IeNR3PRrZrQ67L8IreO5gfNtuhrSxxb0
CySskfuJFzLVlF9CnsFkMl0AHH+GXiYZ3iE38XX017uUYcv7XIRrYWl+bxBgJrxI
RCyxahrWISY=
=/NS7
-----END PGP SIGNATURE-----