Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution
16 Jun. 2002
The Remote Access Service (RAS) provides dial-up connections between computers and networks over phone lines. RAS is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, and is also included in a separately downloadable Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these implementations include a RAS phonebook, which is used to store information about the telephone numbers, security, and network settings used to dial up remote systems.
A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using especially malformed data, then make a connection using the modified phonebook entry, the especially malformed data could be run as code by the system.
Affected Software:
* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0 Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Routing and Remote Access Server, which can be installed on Windows NT 4.0 Service Pack 6 or NT 4.0 Terminal Server Edition Service Pack 6.
Mitigating Factors:
* The vulnerability could only be exploited by an attacker who had the appropriate credentials to log onto an affected system.
* Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed, machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over the machine, thereby gaining the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group.
The vulnerability could only be exploited by an attacker who had credentials to log onto the computer where the RAS phonebook is held. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers; if this guidance has been followed, such servers would not be at risk from this vulnerability.
What causes the vulnerability?
The vulnerability results from an unchecked buffer in the Remote Access Service Phonebook. By creating an especially malformed phonebook entry, it could be possible to conduct a buffer overrun attack against an affected system.
What is the Remote Access Service?
The Remote Access Service lets users connect to a remote computer over phone lines, so they can work as if their system were physically connected to the remote network. These services enable remote users to perform tasks such as sending and receiving e-mail, faxing documents, retrieving files, and printing documents on an office printer.
The Remote Access Service is a native service in Windows NT 4.0, Windows 2000 and XP. In addition, a separately downloadable Routing and Remote Access Service (RRAS, also known as Steelhead) is available for Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition, and it also includes a RAS implementation.
What is the Remote Access Service Phonebook?
The RAS phonebook is used to keep information that describes the remote sites that can be reached using dial-up networking via RAS. A phonebook entry contains information about the dial-up phone number, security, and network settings.
For example, if we were to create a phonebook entry for "Office computer", we might say that the phone number for the remote computer is "555-1837", and that the PPP protocol should be used to dial the computer. We might also specify the TCP/IP address for our computer and that the default gateway should be used.
What's wrong with the RAS phonebook?
There is an unchecked buffer in the code that reads the RAS phonebook entries.
What would this vulnerability enable an attacker to do?
The attacker could use this vulnerability for either of two purposes:
* Privilege elevation on the system. By overrunning the buffer with carefully selected data, it would be possible for the attacker to run code in the context of the LocalSystem account, that is, as the operating system itself.
* Denial of service. By overrunning the buffer with random data, the attacker could cause services or the server itself to fail.
How might an attacker exploit the vulnerability?
The attacker could log on to the computer that holds the RAS phonebook and then modify an entry in the phonebook with especially malformed data. The attacker could then log out, and log on using the modified dial-up entry. The RAS system would read the modified dial-up entry from the phonebook and the malformed data would be used.
Alternately, the attacker could modify an existing phonebook entry and then wait for another user to attempt to connect to a remote computer using the modified dial-up entry.
Who could exploit the vulnerability?
Anyone who could log onto the system interactively. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If best practices are followed, then it is workstations and terminal servers that would chiefly be at risk.
I use Windows NT 4.0, and I see that there are two patches for it. Which should I apply?
If you have installed RRAS on Windows NT 4.0 you should apply the RRAS version of this fix. If you haven't installed RRAS on Windows NT 4.0 then you should apply the standard RAS fix. The same is true for RRAS on Windows NT 4.0 Terminal Server Edition.
I don't know whether RRAS is installed on my system. How can I tell?
To see if RRAS is installed on Windows NT 4.0, open the Properties of Network Neighborhood and select the Services tab. If "Routing and Remote Access Service" is listed, then RRAS has been installed.
What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking on the RAS phonebook entries.
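As an added illustration of the unchecked-buffer cause and of the input checking the patch introduces (this is not Microsoft's code, and the real phonebook layout is not described in this bulletin), the C sketch below reads an INI-style entry like the "Office computer" example above into fixed-size fields, accepting a value only when it fits. The entry format, field sizes, sample entries and function names are assumptions.

```c
#include <string.h>
/* Constructed, simplified phonebook entry; the real RAS phonebook layout and
 * field sizes are not on this page, so these sizes are assumptions. */
#define NAME_MAX  32
#define PHONE_MAX 16
typedef struct { char name[NAME_MAX]; char phone[PHONE_MAX]; } pb_entry;

/* Bounded copy: accepts the value only if it fits with its terminator. The
 * unchecked pattern it replaces is a plain strcpy() into the fixed buffer,
 * the bug class the bulletin describes. */
static int copy_checked(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (src_len >= dst_len) return -1;   /* reject rather than overrun */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Parses one INI-style entry: "[Name]" then "Key=Value" lines. Returns 0 on
 * success, -1 if any value is oversize or the entry is malformed. */
int parse_phonebook_entry(const char *text, pb_entry *out)
{
    const char *p = text;
    memset(out, 0, sizeof *out);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= 2 && p[0] == '[') {
            if (p[len - 1] != ']') return -1;
            if (copy_checked(out->name, NAME_MAX, p + 1, len - 2)) return -1;
        } else if (len >= 12 && strncmp(p, "PhoneNumber=", 12) == 0) {
            if (copy_checked(out->phone, PHONE_MAX, p + 12, len - 12)) return -1;
        }   /* other keys (Type=, Device=, ...) are ignored in this sketch */
        if (!eol) break;
        p = eol + 1;
    }
    return out->name[0] ? 0 : -1;   /* an entry without a name is malformed */
}

/* Constructed samples: one that fits, one whose phone value would overrun. */
static const char GOOD_ENTRY[] = "[Office computer]\nPhoneNumber=555-1837\nType=1\n";
static const char BAD_ENTRY[]  = "[Office computer]\nPhoneNumber=0123456789012345678901234567890123456789\n";

/* 0 if parsed and fields match, -1 if rejected, -2 if parsed but differs. */
int check_entry(const char *text, const char *name, const char *phone)
{
    pb_entry e;
    if (parse_phonebook_entry(text, &e) != 0) return -1;
    return (strcmp(e.name, name) == 0 && strcmp(e.phone, phone) == 0) ? 0 : -2;
}
```

Compiled with a small main() that calls check_entry(), GOOD_ENTRY yields name "Office computer" and phone "555-1837" (return 0), while BAD_ENTRY is rejected (return -1) instead of writing past the 16-byte phone field.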