If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit this vulnerability.
Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
Vulnerable Systems:
* Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Download the update
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 - Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update
* Microsoft Windows Server 2003 - Download the update
* Microsoft Windows Server 2003 64-Bit Edition - Download the update
Immune Systems:
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
CVE Information:
CAN-2004-0568 - HyperTerminal Vulnerability
HyperTerminal Vulnerability
A remote code execution vulnerability exists in HyperTerminal because of a buffer overrun. An attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file that could potentially allow remote code execution, and then persuading a user to open this file. The vulnerability could also be exploited through a malicious Telnet URL if HyperTerminal has been set as the default Telnet client. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
Mitigating Factors for HyperTerminal Vulnerability
* By default, Windows Server 2003 does not install HyperTerminal. An administrator must manually install HyperTerminal. If HyperTerminal is installed, it is not set as the preferred Telnet client by default. However, it is still vulnerable to this issue through a specially-crafted HyperTerminal session file.
* By default, Windows XP, Windows 2000 Server, and Windows NT 4.0 Server do not set HyperTerminal as the preferred Telnet client. However, they are still vulnerable to this issue through a specially-crafted HyperTerminal session file.
* HyperTerminal, when used on Windows NT 4.0, cannot be set as the default Telnet client. However, Windows NT 4.0 is still vulnerable to this issue through a specially-crafted HyperTerminal session file.
* Email management best practices that discourage users from opening file attachments with file extensions that are not familiar or that discourage users from opening file attachments from untrusted sources would help to mitigate this vulnerability. The affected file extension (.ht) is not normally used in email and should be treated with caution.
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. If HyperTerminal has not been set as the default Telnet client, after they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions. If HyperTerminal has been set as the default Telnet client, no additional user interaction is required after the user clicks the link that an attacker provides.
* An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
Workarounds for HyperTerminal Vulnerability
* Do not open or save HyperTerminal Session files (.ht files) that you receive from untrusted sources
This vulnerability could be exploited when a user views an .ht file. Do not open files that use this file name extension. Also, these steps do not prevent attacks that occur by using Telnet URLs if HyperTerminal has been set as the default Telnet client.
* Help prevent e-mail attacks by blocking HyperTerminal session files (.ht files)
This vulnerability could be exploited when a user views an .ht file. To help block these files by using Outlook and Outlook Express, see Microsoft Knowledge Base Article 837388 and Microsoft Knowledge Base Article 291387. Enterprise customers should consider adding HyperTerminal Session files (.ht files) to the list of unsafe files that are blocked by enterprise gateway e-mail filters.
Note When you block HyperTerminal session files (.ht files) through e-mail, you are not preventing attacks that use Telnet URLs if HyperTerminal has been set as the default Telnet client.
* Disable the handler for HyperTerminal session files (.ht files) by removing the following key:
HKEY_CLASSES_ROOT\htfile
If HyperTerminal cannot be removed, delete this key to help reduce attacks. This workaround helps reduce attacks by preventing HyperTerminal from automatically opening HyperTerminal session files (.ht files).
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note Microsoft recommends backing up the registry before you edit it.
* Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
* In Registry Editor, locate the following registry key: HKEY_CLASSES_ROOT\htfile
* Click on htfile, and then press the Delete key on the keyboard.
* In the Confirm Key Delete dialog box, click OK. For Windows NT 4.0 Server: In the Warning dialog box, click Yes.
Impact of Workaround: HyperTerminal session files (.ht files) must be opened manually from within HyperTerminal. Also, these steps do not prevent attacks that occur by using Telnet URLs if HyperTerminal has been set as the default Telnet client.
* Un-register the HyperTerminal client as the default Telnet client
If HyperTerminal cannot be removed, to help prevent attacks that use Telnet URLs, make sure that HyperTerminal has not been set as the default Telnet client. The following steps can help you determine whether HyperTerminal has been set as the default Telnet client. These steps also describe how to un-register HyperTerminal.
* Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
* In Registry Editor, locate the following registry key: HKEY_CLASSES_ROOT\telnet\shell\open\command
* If the value C:\Program Files\Windows NT\hypertrm.exe /t %1 exists, change it back to the following default value: rundll32.exe url.dll,TelnetProtocolHandler %l
* In Registry Editor, locate the following registry key: HKEY_CURRENT_USER\Software\Netscape\NetscapeNavigator\Viewers\telnet
* If the value C:\Program Files\Windows NT\hypertrm.exe /t %1 exists, delete this key. By default, this key does not exist. When you delete this key, you help prevent HyperTerminal from being used by Web browsers other than Internet Explorer as the default Telnet client.
Impact of Workaround: These changes will help prevent attacks by blocking HyperTerminal from being used to process Telnet URLs. This does not prevent attacks that occur by using HyperTerminal session files (.ht files).
* Remove HyperTerminal
Removing HyperTerminal will help prevent attacks from HyperTerminal session files (.ht files) and from Telnet URLs. To remove HyperTerminal, follow these steps:
* Click Start, click Run, type "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection HypertrmUninstall 132 %SystemRoot%\inf\communic.inf" (without the quotation marks), and then click OK.
Impact of Workaround: After you remove the HyperTerminal application, any applications that depend on HyperTerminal may fail.
To reinstall HyperTerminal, follow these steps:
* Click Start, click Run, type "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection Hypertrm 132 %SystemRoot%\inf\communic.inf" (without the quotation marks), and then click OK.
Note To reinstall HyperTerminal after it has been removed, you must have access to your original installation source media.
* On Windows NT 4.0 Server, on Windows 2000 Server, and on Windows Server 2003, remove HyperTerminal by using the Add/Remove Programs tool in Control Panel.
To manually remove HyperTerminal from a system, follow these steps. These steps apply only to Windows 2000 Server and Windows Server 2003 and later. For Windows NT 4.0 Server, follow the procedure that is included in the product documentation.
* Click Start, point to Settings, and then click Control Panel.
* Double-click Add/Remove Programs.
* On the left, click Add/Remove Windows Components.
* In the Windows Components Wizard, double-click Accessories and Utilities, and then double-click Communications.
* Make sure that the check box for HyperTerminal is cleared.
* Follow the instructions to complete the Windows Components Wizard.
Impact of Workaround: After you remove the HyperTerminal application, any applications that depend on HyperTerminal may fail.
* Delete or rename the HyperTerminal program file
If HyperTerminal cannot be removed by using the methods that are documented in this section of the security bulletin, you may be able to help prevent attacks by deleting or renaming the physical file.
Delete or rename the C:\Program Files\Windows NT\hypertrm.exe file.
Impact of Workaround: After you remove the HyperTerminal application, any applications that depend on HyperTerminal may fail.
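The workarounds above all come down to a handful of registry keys and one file path. The following PowerShell audit script is an added example (it is not part of the Microsoft bulletin or of SecuriTeam's text) that reads those locations and reports which exposures are still present on a host; it only reads, never changes anything, and it assumes hypertrm.exe lives under the Program Files path the bulletin names.

```powershell
# Added audit example for the MS04-043 workarounds (not Microsoft's code).
# Read-only: it reports HyperTerminal exposure, it does not remediate.

$findings = @()

# 1. Is the .ht file handler still registered? (workaround: delete HKCR\htfile)
$htfileKey = 'Registry::HKEY_CLASSES_ROOT\htfile'
if (Test-Path $htfileKey) {
    $findings += 'HKCR\htfile exists: .ht session files still open in HyperTerminal automatically.'
}

# 2. Which program handles telnet: URLs? (workaround: restore the url.dll handler)
$telnetKey = 'Registry::HKEY_CLASSES_ROOT\telnet\shell\open\command'
if (Test-Path $telnetKey) {
    $cmd = (Get-ItemProperty -Path $telnetKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'hypertrm\.exe') {
        $findings += "telnet: URL handler points at HyperTerminal: $cmd"
    }
}

# 3. Netscape-style viewer registration; the bulletin says this key does not exist by default
$netscapeKey = 'Registry::HKEY_CURRENT_USER\Software\Netscape\NetscapeNavigator\Viewers\telnet'
if (Test-Path $netscapeKey) {
    $findings += 'HKCU\Software\Netscape\NetscapeNavigator\Viewers\telnet exists; check it for hypertrm.exe.'
}

# 4. Is the program file still present? (workaround: remove, delete or rename hypertrm.exe)
# Assumption: same location as in the bulletin, C:\Program Files\Windows NT\hypertrm.exe
$exe = Join-Path $env:ProgramFiles 'Windows NT\hypertrm.exe'
if (Test-Path $exe) {
    $findings += "HyperTerminal binary present: $exe"
}

if ($findings.Count -eq 0) {
    Write-Output 'No HyperTerminal exposure found (.ht handler removed, not the Telnet client, binary absent).'
} else {
    Write-Output 'MS04-043 exposure checks:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it in an elevated prompt so HKEY_CLASSES_ROOT is readable in full; a clean result on an unpatched host still means the update should be applied, since the checks only cover the workarounds.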
FAQ for HyperTerminal Vulnerability
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit this vulnerability.
What causes the vulnerability?
An unchecked buffer in the HyperTerminal application.
What is HyperTerminal?
HyperTerminal is an application that you can use to connect to other computers, to Telnet to sites, to bulletin board systems (BBSs), to online services, and to host computers, by using your modem, a null modem cable, or an Ethernet connection. For more information about HyperTerminal, visit this Microsoft Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
There are several different ways that an attacker could attempt to exploit this vulnerability. However, user interaction is required to exploit this vulnerability in every case. Here are some examples:
* An attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file (.ht) and then persuading the user to open the file.
* If HyperTerminal has been registered as the default Telnet client, an attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
* If HyperTerminal has been registered as the default Telnet client, an attacker could also create an e-mail message that has a specially-crafted Telnet URL. An attacker could attempt to exploit this vulnerability by persuading the user to view or to preview an e-mail message that contains a Telnet URL and then persuading the user to click the Telnet URL.
How do I know if HyperTerminal has been registered as my default Telnet client on Windows 2000 Server?
HyperTerminal will automatically register itself as the default Telnet client the first time that the HyperTerminal application is launched. After HyperTerminal is registered as the default Telnet client, it will automatically start when you click a hyperlink to a Telnet URL in a Web browser or in an e-mail message. If you believe that these steps were performed, you should consider using the workarounds that are required when HyperTerminal has been registered as the default Telnet client that are listed in the Workarounds section of this security bulletin.
How do I know if HyperTerminal has been registered as my default Telnet client on Windows XP?
HyperTerminal will prompt you to register it as the default Telnet client the first time that you start the HyperTerminal application. After HyperTerminal is registered as the default Telnet client, it will automatically start when you click a hyperlink to a Telnet URL in a Web browser or in an e-mail message. If you did not choose to register HyperTerminal as the default Telnet client when you were prompted, the system would only be vulnerable if you opened a specially-crafted HyperTerminal session file. If you believe that these steps were performed, you should consider using the workarounds that are required when HyperTerminal has been registered as the default Telnet client that are listed in the Workarounds section of this security bulletin.
How do I know if HyperTerminal has been registered as my default Telnet client on Windows Server 2003?
By default, HyperTerminal is not installed. An administrator would have to manually install HyperTerminal for the system to be vulnerable to this issue. After installation, HyperTerminal will prompt you to register it as the default Telnet client the first time that you start the HyperTerminal application. After HyperTerminal is registered as the default Telnet client, it will automatically start when you click a hyperlink to a Telnet URL in a Web browser or in an e-mail message. If you believe that these steps were performed, you should consider using the workarounds that are required when HyperTerminal has been registered as the default Telnet client that are listed in the Workarounds section of this security bulletin.
HyperTerminal is also included with Windows NT 4.0 Server. Is that version vulnerable to this vulnerability?
Yes. However, the HyperTerminal client that is included with Windows NT 4.0 Server does not include a TCP/IP connection method. Therefore, the Windows NT 4.0 Server HyperTerminal client cannot be registered as the default Telnet client, and would not automatically start in response to a supplied Telnet URL. However, Windows NT 4.0 is still vulnerable to this issue if you open a specially-crafted HyperTerminal session file.
Should I un-register the HyperTerminal client after it has been set as the default Telnet client?
Yes, if you do not use Telnet URLs. If you un-register the HyperTerminal client as the default Telnet client, you help protect systems from malicious Telnet URLs. However, these systems are still vulnerable to this issue if you open a specially-crafted HyperTerminal session file. You can use the workarounds that are listed in the Workarounds section of this security bulletin to help un-register HyperTerminal as the default Telnet client.
Is the built-in Telnet client vulnerable?
No. The default Telnet client is a command-line client (Telnet.exe). The command-line client is not affected by this vulnerability.
What is a HyperTerminal session file?
A session file captures all the parameters that are associated with a specific HyperTerminal session. For example, the session file captures the communications parameters and the destination host. When you open a session file, you can automatically set all the HyperTerminal parameters to the parameters that are specified in the file.
What is wrong with the way that HyperTerminal uses session files?
The flaw is in the method that HyperTerminal uses to validate the length of a value that can be saved in a session file.
Could the attacker force the session file to open automatically?
No. Even after an attacker creates the file and delivers it to the user, the attacker still must persuade the user to manually open it. The attacker cannot force the file to open without the user's interaction.
What systems are primarily at risk from the vulnerability?
All affected operating systems are at risk from this vulnerability. Windows Server 2003 is at a reduced risk because HyperTerminal is not installed by default.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that occur by using Telnet URLs that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that HyperTerminal validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.