GINA is the Graphical Identification and Authorization subsystem of Windows NT. It's actually an interface for the validation of logon credentials. The default implementation that is shipped with Windows NT 4.0 is MSGINA.DLL.
MSGINA.DLL in Microsoft Windows NT 4.0 is responsible for enforcing the authentication policy of the interactive logon model, and is expected to perform all identification and authentication interactions with the user.
Microsoft Windows NT 4.0 Terminal Server ships with a remotely and locally exploitable buffer overflow in the Dynamically Linked Library (RegAPI.DLL) that MSGINA.DLL uses.
It could be exploited by entering a long string in the username field. This buffer overflow will result in a system crash (if triggered locally) or a connection drop (if triggered remotely).
By providing a specially crafted username an attacker has the ability to obtain access to the Terminal Server and execute arbitrary commands as user SYSTEM.
Microsoft has released a patch that eliminates this security vulnerability.
Credit:
The information has been provided by Bruno Acselrad and Microsoft Product Security.
Vulnerable systems:
Microsoft Windows NT 4.0 Terminal Server Edition SP6a and below
Technical Description:
Windows NT 4.0 Terminal Server has a remotely and locally exploitable buffer overflow in the GINA subsystem.
Entering a long username in the username edit box will make the system crash (if done locally) or drop the connection (if done remotely).
The problem occurs when MSGINA.DLL calls the ReUserConfigQuery() function in RegAPI.DLL.
Within that function, wcscpy() is first called and then wcscat() appends a fixed key and the username string to a local variable of fixed length.
This local variable can be overflowed, resulting in the execution of arbitrary commands on the vulnerable host.
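The unchecked copy-then-append pattern described above, next to a length-checked version, as an added illustration that is not code from the advisory or from RegAPI.DLL. The buffer size and the key prefix are assumptions; the advisory only says "a local variable of fixed length" and "a fixed key".

```c
#include <stddef.h>
#include <wchar.h>

/* Constructed values: the real buffer size and key name are not given. */
#define KEY_BUF_LEN 64
static const wchar_t REG_KEY_PREFIX[] = L"Terminal Server\\UserConfig\\";

/* Vulnerable pattern: copy a fixed prefix, then append the caller-supplied
 * username into a fixed-size stack buffer with no length check at all.
 * wcscat() writes past the end whenever prefix + username >= KEY_BUF_LEN. */
void build_key_unchecked(wchar_t out[KEY_BUF_LEN], const wchar_t *username)
{
    wcscpy(out, REG_KEY_PREFIX);   /* prefix is a compile-time constant, fits */
    wcscat(out, username);         /* untrusted length: this is the overflow */
}

/* Longest username that still fits with the terminating L'\0'. */
size_t max_username_len(void)
{
    return (KEY_BUF_LEN - 1) - wcslen(REG_KEY_PREFIX);
}

/* Hardened form: measure first, refuse anything that does not fit, and only
 * then copy. Returns 0 on success, -1 if rejected (buffer left untouched). */
int build_key_checked(wchar_t out[KEY_BUF_LEN], const wchar_t *username)
{
    size_t prefix_len = wcslen(REG_KEY_PREFIX);
    size_t user_len = wcslen(username);
    if (user_len > max_username_len())
        return -1;
    wmemcpy(out, REG_KEY_PREFIX, prefix_len);
    wmemcpy(out + prefix_len, username, user_len + 1); /* includes L'\0' */
    return 0;
}

/* Self-check: a normal name is accepted and built correctly, an overlong
 * (constructed) name is rejected. Returns 1 when both hold. */
int key_builder_selftest(void)
{
    wchar_t buf[KEY_BUF_LEN];
    wchar_t longname[KEY_BUF_LEN + 8];
    size_t i;
    for (i = 0; i < KEY_BUF_LEN + 7; i++)
        longname[i] = L'A';
    longname[i] = L'\0';
    if (build_key_checked(buf, L"alice") != 0) return 0;
    if (wcscmp(buf, L"Terminal Server\\UserConfig\\alice") != 0) return 0;
    if (build_key_checked(buf, longname) != -1) return 0;
    return 1;
}

int main(void) { return key_builder_selftest() ? 0 : 1; }
```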
Patch Availability:
- Microsoft Windows NT 4.0 Terminal Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25565
What's the scope of the vulnerability?
This is a buffer overflow vulnerability. A malicious user could exploit the vulnerability to execute code of his choice on the Terminal Server. This would enable him to add, change, or delete data, run code already on the server, or upload new code to the server and run it.
Failing successful execution of the buffer overflow, a malicious user with local access to the Terminal Server could leverage this vulnerability to cause the Terminal Server to fail. Current connections to the Terminal Server, and work in progress on the Terminal Server, would be lost if the Terminal Server were to fail.
The vulnerability affects only NT 4.0 Terminal Servers. There is no corresponding vulnerability in Windows NT Workstation, or in non-Terminal Server editions of Windows NT 4.0 Server. This vulnerability is not present in Terminal Server for Windows 2000.
What causes the vulnerability?
There is an unchecked buffer in the section of the code in Windows NT 4.0 Terminal Server that handles the user name when the user logs onto the server. This unchecked buffer could be exploited via a classic buffer overrun attack to run arbitrary code on the machine.
How can the buffer overrun be used to exploit my system?
A buffer overrun occurs when a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to fail.
Where is the unchecked buffer in this case?
The unchecked buffer is contained in the username field of the login prompt.
Would it be necessary for the malicious user to be able to log onto the network in order to exploit this vulnerability?
No. The malicious user would not need to successfully login to the Terminal Server to execute code of his choice.
What could the malicious user's code do?
The malicious user's code could take any action on the server that a logged on administrator could perform. This includes adding, deleting, and modifying files, executing code on the server, or uploading code of the malicious user's choice to the server.
You said that, in general, buffer overruns can be used either to cause a crash, or run code. But you haven't discussed the former case. Is it possible to cause a terminal server to crash via this vulnerability?
Yes. However, there are some important considerations that make this scenario largely irrelevant. If the malicious user overran the buffer with random data, the effect would depend on how he was accessing the server. If he exploited the vulnerability via a remote session, the effect would be to disconnect the session - so he couldn't cause any harm to the system. If he exploited the vulnerability via a local login, it would cause the server to fail. But if he could log on locally, it's likely that the malicious user could have just as easily turned off the power button.
Could someone attack my network from the Internet via this vulnerability?
A properly configured firewall - one that prevents an outside user from delivering packets to a specific internal network address (tcp 3389 in this instance) - would prevent this vulnerability from being exploited by an Internet user.
Does this vulnerability affect Windows 2000 terminal servers?
No. This vulnerability is not present in Windows 2000 Terminal Server.
Does this vulnerability affect any Windows NT 4.0 system other than Terminal Server Edition?
No. This vulnerability does not affect Windows NT 4.0 systems that are not running Terminal Server.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
Customers may also wish to consider other security best practices such as:
- Deploying a high-quality intrusion detection software package that will detect and stop attacks that exploit known security vulnerabilities.
- Deploying a firewall and filtering unnecessary traffic. For example, system administrators may wish to filter TCP port 3389, and only allow traffic on that port from IP addresses that are known to have a legitimate need to set up Terminal Server sessions.
Who should use the patch?
Microsoft recommends that customers running Windows NT 4.0 Terminal Server consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by properly handling the login credentials presented during Terminal Server login.
How do I use the patch?
Knowledge Base article Q277910 contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article Q277910 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.