Microsoft Telnet Server

New (3.3.2)

Impact

A user with an account on the system could gain elevated privileges. Furthermore, any remote user could cause the telnet server to stop responding, or gain information that could be used in an attempt to find Guest accounts.


Background

Microsoft Windows 2000 comes with a telnet service. Similar to the telnet service on a Unix system, the Microsoft telnet service prompts a user to provide a login name and password. Following successful authentication, the server displays a shell prompt, allowing the user to run commands on the server.

When a telnet session is initiated, the server creates a named pipe, which allows bi-directional communication between two processes. When the named pipe is created, any code associated with the pipe is executed.

The Problems

Predictable Named Pipes

The name of the pipe created by a telnet session is predictable. Therefore, an attacker with the ability to load and run code on the server could associate arbitrary code with the predicted named pipe. The next time a telnet session is established, the server would execute the code when the named pipe is created, thus executing the attacker's commands with Local System privileges.
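As an added illustration of the mitigation for this bug class (this is not code from the tutorial and not Microsoft's patch), the PowerShell below creates a pipe server endpoint with the Win32 flag FILE_FLAG_FIRST_PIPE_INSTANCE, so that if the predictable name has already been claimed by another process the call fails with ERROR_ACCESS_DENIED instead of silently attaching to that process's pipe. The pipe name is constructed for the example and is not the telnet server's real pipe name; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added, illustrative example: a pipe server that refuses a name someone else
# already claimed. Not the tutorial's code and not Microsoft's patch.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateNamedPipe(string lpName, uint dwOpenMode,
    uint dwPipeMode, uint nMaxInstances, uint nOutBufferSize,
    uint nInBufferSize, uint nDefaultTimeOut, IntPtr lpSecurityAttributes);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
Add-Type -MemberDefinition $signature -Name Kernel32 -Namespace Win32

$PIPE_ACCESS_DUPLEX            = 0x00000003
$FILE_FLAG_FIRST_PIPE_INSTANCE = 0x00080000  # fail unless we are the first instance
$PIPE_TYPE_BYTE                = 0x00000000
$PIPE_UNLIMITED_INSTANCES      = 255
$ERROR_ACCESS_DENIED           = 5
$INVALID_HANDLE_VALUE          = [IntPtr]::new(-1)

# Constructed, predictable name for this demo (not the telnet server's real pipe name).
$pipeName = '\\.\pipe\demo-session-0001'

function New-FirstInstancePipe([string]$Name) {
    # A production server would also pass a restrictive security descriptor
    # instead of IntPtr.Zero so that arbitrary local users cannot open the pipe.
    $handle = [Win32.Kernel32]::CreateNamedPipe($Name,
        $PIPE_ACCESS_DUPLEX -bor $FILE_FLAG_FIRST_PIPE_INSTANCE,
        $PIPE_TYPE_BYTE, $PIPE_UNLIMITED_INSTANCES, 4096, 4096, 0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($handle -eq $INVALID_HANDLE_VALUE) {
        if ($err -eq $ERROR_ACCESS_DENIED) {
            # Documented result when any instance of the name already exists:
            # another process got there first, so do not attach to it.
            Write-Warning "$Name already exists; refusing to attach to a pipe we did not create"
        } else {
            Write-Warning "CreateNamedPipe($Name) failed with Win32 error $err"
        }
        return $null
    }
    Write-Host "Created first instance of $Name"
    return $handle
}

$first  = New-FirstInstancePipe $pipeName   # succeeds: the name was free
$second = New-FirstInstancePipe $pipeName   # denied: the name is already owned
if ($first) { [void][Win32.Kernel32]::CloseHandle($first) }
```

Only the first instance of a multi-instance server should carry the flag; later instances of the same server are created without it.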

Denial-of-Service Vulnerabilities

Four unrelated denial-of-service vulnerabilities in Microsoft telnet server could allow a remote attacker to crash the telnet service, prevent legitimate users from accessing the telnet service, or terminate other users' telnet sessions.

Guest Account Disclosure

By preceding a login name with a specially crafted string of characters, an attacker could cause the telnet server to search all trusted domains for that login name. This vulnerability does not allow unauthorized access directly, but it does make it easier for an attacker to find any enabled Guest accounts that may be present anywhere within the server's trusted domains.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 01-031.

Where can I read more about this?

For more information, see Microsoft Security Bulletin 01-031.