What's the scope of the vulnerability?
This is a buffer overflow vulnerability that affects two Microsoft products: the Telnet Service in Windows 2000 and the Telnet Daemon (telnetd) in Microsoft Interix 2.2. By sending a specially malformed request to the telnet server, an attacker could produce either of two results. In the simpler case, this could cause the telnet server to fail. In the more complex case, this could allow an attacker to execute code of their choice on the system.
Best practices recommend very strongly that Telnet should only be used on a fully trusted network. Telnet should not be used across the Internet, and Telnet connections should be blocked at the corporate firewall. Neither Windows 2000 nor Interix is affected by this vulnerability under default conditions.
What causes the vulnerability?
The vulnerability results from an unchecked buffer in the code that handles Telnet protocol options. By submitting a specially malformed packet, a malicious user could overrun the buffer.
What's Telnet?
Telnet is an industry standard protocol that allows a user to establish a remote terminal session on a telnet server. Because this is a terminal session, there is only a command-line interface. Telnet is mainly used for simple remote administration via the command prompt.
Several Microsoft products contain implementations of the Telnet protocol. However, the vulnerability at issue here affects only two of these implementations - the ones in Microsoft Interix and Windows 2000.
What's Microsoft Interix?
Microsoft Interix is a product that allows customers to run UNIX applications, daemons, and scripts on Windows NT and Windows 2000. It does this by providing an enhanced UNIX environment subsystem that goes beyond the standard POSIX subsystem in Windows 2000.
What's a daemon?
In UNIX, a networking service like Telnet is called a daemon. Often, the actual program for the service is named with a "-d" at the end, to indicate that it is a daemon.
Because the Telnet server in Interix is actually a UNIX program rather than a Win32 program, it's referred to as a daemon for accuracy. In this case, the programs in question are /bin/telnetd and /usr/sbin/in.telnetd.
What could an attacker do with this vulnerability?
An attacker could attempt to overrun the buffer with a large quantity of data. If an attacker supplied a large enough quantity of random data, she could cause the Telnet server to fail. If the attacker supplied carefully crafted data, she could cause code of her choosing to run in the Telnet server's process space.
If an attacker successfully loaded malicious code, what security context would it execute in?
The code would run in the same context as the Telnet Service. The specific context depends on the product.
For the Windows 2000 Telnet Service, the code would execute within the SYSTEM context. This would allow the attacker to execute commands with the same privileges as the operating system. This means the code could take any action, including reformatting the hard drive, spawning a remote command shell with SYSTEM privileges, installing programs, or shutting down the system.
For the Telnet Daemon in Interix, the context in which the code executes depends on choices made by the administrator when configuring telnetd. The administrator specifies the context in which telnetd operates when starting telnetd or configuring it to start automatically. Any code loaded by a successful exploit of this vulnerability would thus execute in the context in which the administrator decided to run telnetd. For example, if telnetd were configured to run in the SYSTEM context, then malicious code would execute in that context and be able to act as part of the operating system. Alternatively, if the administrator configured telnetd to run in the context of a specially limited account, malicious code would execute only within that context.
How could an attacker mount an attack by using this vulnerability?
An attacker could attempt to mount an attack against this vulnerability by sending malformed packets to the Telnet Service. Anyone who could connect to the Telnet Service could potentially attempt to exploit this vulnerability.
Could an attacker exploit this vulnerability across the Internet?
If a Telnet server were accessible across the Internet, an attacker could use this vulnerability to attempt an attack on the server. However, most corporate firewalls block Telnet access at the firewall as a best practice. Also, most companies prohibit Telnet in their DMZ as a best practice. These steps would eliminate exposure to this vulnerability on the Internet.
What does the patch do?
The patch eliminates the vulnerability by instituting proper checking of data input.
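The unchecked buffer in the option-handling code and the "proper checking of data input" that the patch adds, shown as an added illustration in C. This is not Microsoft's code (the Telnet Service and Interix telnetd sources are not on this page); it is a minimal parser for Telnet option subnegotiation data (IAC SB ... IAC SE) written two ways: the unbounded copy that characterizes the bug class, beside the same parser with its write bounded by the buffer size. The 32-byte buffer size, the packet-building helper, the demo functions, and the sample packets are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Telnet command bytes (RFC 854/855) */
#define TELNET_IAC 255   /* Interpret As Command */
#define TELNET_SB  250   /* begin option subnegotiation */
#define TELNET_SE  240   /* end option subnegotiation */

#define OPTION_BUF_SIZE 32   /* assumed size of the fixed option buffer (illustrative) */

enum sb_result { SB_TOO_LONG = -1, SB_UNTERMINATED = -2, SB_MALFORMED = -3 };

/* "Before": copies the subnegotiation payload (bytes between IAC SB and IAC SE,
 * with the IAC IAC escape collapsed to one 0xFF) into the caller's buffer. The
 * write index n is never compared with the buffer size, so a peer that sends more
 * option data than OPTION_BUF_SIZE writes past the end of out.
 * Illustrative reconstruction of the bug class, not Microsoft's code. */
static int parse_sb_unchecked(const uint8_t *pkt, size_t len, uint8_t *out)
{
    size_t i = 2, n = 0;
    if (len < 2 || pkt[0] != TELNET_IAC || pkt[1] != TELNET_SB)
        return SB_MALFORMED;
    while (i < len) {
        if (pkt[i] == TELNET_IAC) {
            if (i + 1 >= len) return SB_UNTERMINATED;
            if (pkt[i + 1] == TELNET_SE) return (int)n;   /* end of payload */
            if (pkt[i + 1] != TELNET_IAC) return SB_MALFORMED;
            i++;                                           /* IAC IAC -> 0xFF */
        }
        out[n++] = pkt[i++];   /* BUG: no check that n is below the size of out */
    }
    return SB_UNTERMINATED;
}

/* "After": the same parser with the input check the patch text describes. The caller
 * passes the buffer size and oversize option data is refused before any out-of-bounds write. */
static int parse_sb_checked(const uint8_t *pkt, size_t len, uint8_t *out, size_t out_size)
{
    size_t i = 2, n = 0;
    if (len < 2 || pkt[0] != TELNET_IAC || pkt[1] != TELNET_SB)
        return SB_MALFORMED;
    while (i < len) {
        if (pkt[i] == TELNET_IAC) {
            if (i + 1 >= len) return SB_UNTERMINATED;
            if (pkt[i + 1] == TELNET_SE) return (int)n;
            if (pkt[i + 1] != TELNET_IAC) return SB_MALFORMED;
            i++;
        }
        if (n >= out_size) return SB_TOO_LONG;   /* FIX: bound the write */
        out[n++] = pkt[i++];
    }
    return SB_UNTERMINATED;
}

/* Builds a constructed packet IAC SB <payload_len x fill> IAC SE; returns its length (0 if buf is too small). */
static size_t build_sb_packet(uint8_t *buf, size_t buf_size, uint8_t fill, size_t payload_len)
{
    if (buf_size < payload_len + 4 || fill == TELNET_IAC) return 0;
    buf[0] = TELNET_IAC; buf[1] = TELNET_SB;
    memset(buf + 2, fill, payload_len);
    buf[payload_len + 2] = TELNET_IAC; buf[payload_len + 3] = TELNET_SE;
    return payload_len + 4;
}

/* Constructed in-bounds packet: TERMINAL-TYPE (option 24) IS (0) "vt100".
 * Both parsers agree on well-formed input; returns the payload length (7). */
static int demo_in_bounds(void)
{
    static const uint8_t pkt[] = { TELNET_IAC, TELNET_SB, 24, 0,
                                   'v', 't', '1', '0', '0', TELNET_IAC, TELNET_SE };
    uint8_t out[OPTION_BUF_SIZE], out2[OPTION_BUF_SIZE];
    int n = parse_sb_checked(pkt, sizeof pkt, out, sizeof out);
    if (n != 7 || out[0] != 24 || out[1] != 0 || memcmp(out + 2, "vt100", 5) != 0)
        return -1;
    if (parse_sb_unchecked(pkt, sizeof pkt, out2) != 7) return -1;
    return n;
}

/* Constructed oversize packet: 100 bytes of option data against the 32-byte buffer.
 * Returns 1 when the checked parser refuses it and the canary after the buffer survives. */
static int demo_oversized_rejected(void)
{
    struct { uint8_t buf[OPTION_BUF_SIZE]; uint32_t canary; } s;
    uint8_t pkt[128];
    size_t len = build_sb_packet(pkt, sizeof pkt, 'A', 100);
    s.canary = 0xDEADBEEFu;
    if (len == 0) return -1;
    return (parse_sb_checked(pkt, len, s.buf, sizeof s.buf) == SB_TOO_LONG
            && s.canary == 0xDEADBEEFu) ? 1 : 0;
}

int main(void)
{
    printf("in-bounds payload length: %d\n", demo_in_bounds());
    printf("oversize option data rejected: %d\n", demo_oversized_rejected());
    return 0;
}
```

The only difference between the two parsers is the single length comparison before the store; that is the kind of input check a patch for an unchecked buffer introduces, and it turns the oversize case from memory corruption into a clean protocol error the server can log and drop.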
Who should apply the patch?
Anyone who is running the Windows 2000 Telnet Service or the Telnet Daemon (telnetd) in Interix.
I'm using the Telnet Server in Services for UNIX 2.0, do I need to apply the patch?
No, the Telnet Server in Services for UNIX 2.0 does not contain this flaw.
I have the Telnet Service for Windows 2000 installed, but not running, should I apply the patch?
If you have Telnet installed but are not using the service, you should first consider removing the service as a best practice. If you are not going to remove the service, you should apply the patch.
I'm running Windows 2000 Professional, am I vulnerable?
The Telnet Service for Windows 2000 is installed but not running by default on Windows 2000 Professional. Customers running Windows 2000 Professional should apply the patch to protect themselves in case the service is enabled.