Originally Posted: July 01, 1999
What's this bulletin about?
Microsoft Security Bulletin MS99-026 announces the availability of a patch that eliminates a vulnerability in the Dialer program, an accessory that ships as part of Microsoft® Windows NT® 4.0 systems. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. It would chiefly affect workstations that have dial-out capability on a voice/data modem and are shared between users with different levels of privilege, and it could allow an attacker to gain additional privileges on the machine that he or she attacked. As discussed below, the scenarios under which this vulnerability could be exploited are relatively complicated, and this would have the effect of making it more difficult to mount a successful attack against an affected system.
What's the Dialer program?
Dialer.exe is a program that ships as part of Windows NT. It allows a user to dial an outgoing voice call via his computer, if the modem supports both voice and data. The user enters a number to dial, or selects a number from the speed-dialer list, and then picks up on a handset when the call is answered.
What's the vulnerability?
Dialer has an unchecked buffer in the part of the program that processes initialization information. If specially malformed data were placed in the initialization file, it would overrun the buffer and could be used to execute arbitrary code via a classic buffer overrun technique. The malformed data could not occur by accident; the initialization file would need to be edited and the malformed data deliberately added to the file.
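The bug class described above, as an added illustration written for this FAQ rather than Dialer.exe's actual code: a fixed-size buffer is filled from a .ini value with no length check (the vulnerable pattern), beside a bounded version that refuses values that do not fit. The [Speed Dial] key names, the 64-byte buffer size and the sample .ini text are assumptions constructed for the example; the real file layout is not documented here.

```c
/* Added example (editor's illustration, not Dialer.exe's code): the class
 * of bug described above. A fixed-size buffer is filled from a .ini value
 * with no length check (vulnerable pattern), beside a bounded version that
 * rejects values that do not fit. Key names, buffer sizes and the sample
 * .ini text are all assumptions constructed for this example. */
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX 64     /* assumed fixed buffer size (hypothetical) */
#define RAW_MAX   512    /* scratch space for the raw value read from the file */

/* Sample .ini image, constructed for this example. */
static const char SAMPLE_INI[] =
    "[Speed Dial]\n"
    "Name1=Help Desk\n"
    "Number1=555-0100\n";

/* Find "key=value" in an in-memory .ini image and copy the value into
 * 'val' (at most val_len-1 bytes). Returns the value length, or -1 if the
 * key is absent or the value would not fit in 'val'. */
static int ini_lookup(const char *ini, const char *key, char *val, size_t val_len) {
    size_t klen = strlen(key);
    for (const char *p = ini; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = line_len - klen - 1;
            if (vlen >= val_len) return -1;
            memcpy(val, p + klen + 1, vlen);
            val[vlen] = '\0';
            return (int)vlen;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

/* VULNERABLE pattern: strcpy() trusts whatever length the file supplied.
 * A value of ENTRY_MAX bytes or more runs past 'entry' on the stack and can
 * overwrite the saved return address: the "classic buffer overrun". Shown
 * for contrast only; nothing below feeds it untrusted input. */
int copy_entry_unchecked(const char *value, char *out, size_t out_len) {
    char entry[ENTRY_MAX];
    strcpy(entry, value);            /* no bound check */
    strncpy(out, entry, out_len - 1);
    out[out_len - 1] = '\0';
    return 0;
}

/* HARDENED pattern: measure first, refuse anything that does not fit.
 * Rejecting (rather than silently truncating) keeps a tampered file from
 * passing unnoticed. */
int copy_entry_checked(const char *value, char *out, size_t out_len) {
    size_t n = strlen(value);
    if (n >= ENTRY_MAX || n >= out_len)
        return -1;
    memcpy(out, value, n + 1);       /* includes the terminator */
    return 0;
}

/* Read the first speed-dial number from an .ini image using the hardened
 * copy. Returns 0 on success, -1 if the key is missing or over-long. */
int load_speed_dial_number(const char *ini, char *out, size_t out_len) {
    char raw[RAW_MAX];
    if (ini_lookup(ini, "Number1", raw, sizeof raw) < 0)
        return -1;
    return copy_entry_checked(raw, out, out_len);
}

/* Build a deliberately malformed .ini image whose Number1 value is 'pad'
 * bytes of 'A' (constructed attacker input). Returns 0, or -1 if the
 * caller's buffer is too small. */
int build_malformed_ini(char *buf, size_t buf_len, size_t pad) {
    const char head[] = "[Speed Dial]\nNumber1=";
    if (sizeof head + pad + 1 > buf_len) return -1;
    memcpy(buf, head, sizeof head - 1);
    memset(buf + sizeof head - 1, 'A', pad);
    buf[sizeof head - 1 + pad] = '\n';
    buf[sizeof head + pad] = '\0';
    return 0;
}

int main(void) {
    char number[ENTRY_MAX];
    char bad[RAW_MAX];

    if (load_speed_dial_number(SAMPLE_INI, number, sizeof number) == 0)
        printf("well-formed file: Number1=%s\n", number);

    build_malformed_ini(bad, sizeof bad, 200);
    if (load_speed_dial_number(bad, number, sizeof number) < 0)
        printf("malformed file: over-long value rejected, nothing copied\n");
    return 0;
}
```

The point of the contrast is where the length is decided: the unchecked copy lets the file dictate how many bytes land on the stack, while the checked copy decides from the buffer size and fails closed. Note that the value is read into a large scratch area first; a 64-byte scratch buffer would itself be the overflow target.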
How would an attacker exploit this vulnerability?
It would not be a simple matter to exploit this vulnerability, chiefly because Dialer runs in the user's own security context, rather than in a system context. There is no gain in running arbitrary code under one's own security context. Instead, an attacker would need to identify a more-privileged user, such as an administrator, insert the malformed data into the more-privileged user's Dialer initialization file, then persuade them to run Dialer. If an attacker could do this, his or her code would run in the more-privileged user's security context, and this would constitute a privilege elevation.
The attacker would need several things in order to exploit this vulnerability:
• Access to a machine that's also used by an administrator or another user with more privileges than the attacker has
• The ability to modify the other user's Dialer initialization file
• Some means of getting the other user to run Dialer
How frequently do administrators share machines with normal-level users?
Normal security practices recommend against administrators sharing machines with other users, precisely because administrative accounts are such a tempting target for attackers. It's more common for less-privileged users to share machines, but this would also reduce the value to the attacker of compromising the other user.
Who can modify Dialer initialization files?
In a Windows NT Server or Workstation installation, Dialer.ini is in the %systemroot% folder, which is world-writeable by default. However, as discussed in "Securing Windows NT Installation", it's recommended that the permissions on this folder be tightened to:
Administrators: Full Control
Creator Owner: Full Control
System: Full Control
Everyone: Read
If this recommendation has been followed, an attacker would be unable to change another user's Dialer initialization file, and would be unable to exploit the vulnerability.
In a Windows NT Terminal Server installation, the Dialer initialization file is in the %systemroot%\Profiles\%username%\Windows folder, which is not world-writeable by default. As a result, unless the permissions have been loosened, an attacker would not be able to modify another user's Dialer initialization file.
How would the attacker get the other user to run Dialer?
This is a problem of social engineering, and it's impossible to say how the attacker would do this.
What machines are at risk from this vulnerability?
The vulnerability is present in all versions of Windows NT 4.0, but the attack scenario would result in certain machines being at less risk than others. The following are generalizations; you should carefully consider your own deployment to determine whether you are at risk.
• Windows NT Servers would not generally be at risk from this vulnerability. First, servers do not typically have data/voice modems installed, so there would be little reason to use the Dialer program. Second, normal users are not typically given the ability to log onto servers, so an attacker would not typically have access to the Dialer initialization file.
• Windows NT Terminal Servers would not generally be at risk from this vulnerability, because, by default, the folder that contains the initialization file does not allow normal users to write to it. Even if this were not the case, Terminal Servers typically do not have data/voice modems installed.
• By process of elimination, Windows NT Workstations with dial-out capability would be the most likely machines affected by this vulnerability. Even then, they would only be affected if shared between users with different levels of privilege.
Could an attacker take over a network using this vulnerability?
This vulnerability would only allow a user to elevate his or her privileges on the particular machine that they successfully attacked. The exact damage that could be done would depend on the specific machine they compromised. For example, compromising a workstation would only allow the attacker to elevate his or her privileges on the workstation, and would not allow them to gain privileges on the network at large. At the other end of the spectrum, compromising a domain controller would allow the attacker to gain elevated domain privileges. The high value of domain controllers and other important servers is one reason why they typically do not allow normal users to access files on them, and why they would be less likely to have equipment like data/voice modems installed.
Usually, unchecked buffers allow denial of service attacks as well as privilege elevation attacks. Is that the case here?
It's usually possible to mount a denial of service attack using an unchecked buffer, by simply overrunning the buffer with random data. However, because Dialer.exe runs as an application, doing so would only cause Dialer to crash, without any other disruption to the Windows NT machine.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
Customers may also want to consider simply removing the Dialer.exe program from any systems that are judged to be at risk. Also, customers should ensure that the permissions for security-relevant folders are restricted as discussed in "Securing Windows NT Installation".
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
• Microsoft will provide technical details about the vulnerability to the International Computer Security Association's Intrusion Detection Consortium, to ensure that security vendors can incorporate this information into their products.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
"Securing Windows NT Installation" provides security best practices for Windows NT. It can be found in the Security section of TechNet.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.