What's the scope of the vulnerability?
This vulnerability could enable an attacker to change the password of a user (including a domain administrator) in a Windows 2000 domain. This could be done for either of two purposes: to prevent the user from logging onto the domain, or to allow the attacker to log into the other user's account.
This vulnerability is subject to several significant constraints:
• It could only be exploited via an LDAP over SSL session, but such a session would only be available if the LDAP server had been specifically configured to support LDAP over SSL. A default Windows 2000 LDAP server would not be affected by this vulnerability.
• If normal firewalling practices have been followed, Internet users would not be able to exploit this vulnerability against a corporate network.
• The vulnerability could only be used to change the passwords of domain user accounts. It could not be used to change local user account passwords on individual machines.
What causes the vulnerability?
The vulnerability results because of a flaw in a function that is exposed via LDAP over SSL in Windows 2000. The flaw could enable an attacker to modify the password attribute of a user object.
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol that enables authorized users to interrogate or modify the data in a metadirectory. For instance, in Windows 2000, LDAP is one protocol used to access data in the Active Directory.
What do you mean by LDAP over SSL?
In Windows 2000, LDAP requests can be issued over either unsecured sessions or secured SSL sessions. Certain functions are only available over secured sessions. The function involved in this vulnerability is such a function; as a result, the vulnerability could only be exploited if LDAP over SSL was available on the domain's LDAP server.
Is LDAP over SSL available by default?
No. Before an LDAP server can participate in an SSL session, the administrator must have obtained a digital certificate and installed it on the server. Unless this has been done, LDAP over SSL is not available, and the vulnerability could not be exploited.
This means that default installations of Windows 2000 are not at risk from this vulnerability. We do, however, recommend that customers who believe that they might choose to make LDAP over SSL services available in the future apply the patch as a safeguard.
What's wrong with the function that contains the vulnerability?
The function is designed to allow data stored in the directory to be modified. However, it should do so subject to the access controls associated with each particular piece of data. The vulnerability results because when modifying one data attribute - the password attribute associated with users - it doesn't correctly check the permissions, and simply processes the request. This could make it possible for an attacker to misuse the function and change another user's domain password.
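The following is an added example, not Microsoft's code and not the actual Windows 2000 LDAP implementation: a toy model of the per-attribute permission check the bulletin describes, with the flawed modify handler beside the corrected one. The attribute name `userPassword`, the ACL layout, the `AccessDenied` error and the sample entry are all assumptions made for illustration; the bulletin does not name them.

```python
# Added example (not Microsoft's code): a toy model of the per-attribute
# permission check described in the bulletin, with the flawed handler beside
# the corrected one. Attribute names, the ACL layout and the error type are
# assumptions made for illustration; the bulletin does not name them.
from dataclasses import dataclass, field

PASSWORD_ATTR = "userPassword"  # hypothetical attribute name


class AccessDenied(Exception):
    """Raised when the requester may not write the attribute."""


@dataclass
class DirectoryEntry:
    dn: str
    attrs: dict = field(default_factory=dict)
    # write ACL: attribute name -> set of requester DNs allowed to modify it
    write_acl: dict = field(default_factory=dict)


def is_authorized(entry: DirectoryEntry, attr: str, requester_dn: str) -> bool:
    """True only if the requester is explicitly granted write access to attr."""
    return requester_dn in entry.write_acl.get(attr, set())


def modify_flawed(entry, attr, value, requester_dn):
    """Models the flaw: permissions are checked for every attribute except the
    password attribute, so any requester can overwrite it."""
    if attr != PASSWORD_ATTR and not is_authorized(entry, attr, requester_dn):
        raise AccessDenied(f"{requester_dn} may not write {attr} on {entry.dn}")
    entry.attrs[attr] = value


def modify_patched(entry, attr, value, requester_dn):
    """Corrected handler: the same ACL check applies to every attribute."""
    if not is_authorized(entry, attr, requester_dn):
        raise AccessDenied(f"{requester_dn} may not write {attr} on {entry.dn}")
    entry.attrs[attr] = value


def make_admin_entry() -> DirectoryEntry:
    """Constructed sample: a domain administrator who alone may change their password."""
    dn = "cn=Administrator,cn=Users,dc=example,dc=local"
    return DirectoryEntry(
        dn=dn,
        attrs={PASSWORD_ATTR: "original-secret", "description": "Built-in admin"},
        write_acl={PASSWORD_ATTR: {dn}, "description": {dn}},
    )


def run_scenario(handler) -> dict:
    """Send an unauthorized modify request for each attribute through the given
    handler and report whether it was blocked and what password is stored afterwards."""
    entry = make_admin_entry()
    stranger = "cn=anonymous"  # constructed: a requester with no rights on the entry
    outcome = {}
    for attr, value in ((PASSWORD_ATTR, "attacker-chosen"), ("description", "x")):
        try:
            handler(entry, attr, value, stranger)
            outcome[attr] = "changed"
        except AccessDenied:
            outcome[attr] = "denied"
    outcome["stored_password"] = entry.attrs[PASSWORD_ATTR]
    return outcome


if __name__ == "__main__":
    print("flawed :", run_scenario(modify_flawed))
    print("patched:", run_scenario(modify_patched))
```

Running the script shows the asymmetry the bulletin describes: the flawed handler rejects the unauthorized write to `description` but accepts the write to the password attribute, while the patched handler applies the same check to both and leaves the stored password untouched.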
What would the vulnerability enable an attacker to do?
Gaining the ability to change other users' domain passwords would let an attacker do either of two things. She could change them to some unknown value, simply to prevent the owner of the account from logging into it. On the other hand, she could change the password and then log into the account in order to gain the privileges associated with that account.
Could the attacker change a domain administrator's password?
Yes. Clearly, this is the most serious risk posed by the vulnerability. If the attacker changed a domain administrator's password, she could log into the administrator's account and gain administrative control of the domain.
What permissions would the attacker need in order to exploit the vulnerability?
The function containing the vulnerability can be called by any user, even ones that aren't domain members. As a result, virtually any user who was on the same side of the firewall as an affected server could exploit the vulnerability. However, users outside of the firewall would be unable to exploit the vulnerability, as long as the firewall blocked TCP port 636.
Could the vulnerability be used to change the passwords of local accounts on individual computers?
No. Local user accounts on individual computers are not stored in a directory, and can't be changed via LDAP. Only domain account passwords could be changed via this vulnerability.
I'm running Windows NT 4.0. Am I affected by the vulnerability?
No. Only Windows 2000 systems are affected, and even then only if they offer LDAP services over SSL.
I'm running Windows 2000. What machines should I apply the patch to?
The patch only needs to be installed on Windows 2000 servers, and even then only on servers that provide LDAP over SSL.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the affected function only allows users to change data attributes that they are authorized to change.