Microsoft Security Bulletin MS02-029

Technical description:

On June 12, 2002, Microsoft released the original version of this bulletin. On July 2, 2002, the bulletin was updated to reflect the availability of a revised patch. Although the original patch completely eliminated the vulnerability, it had the side effect of preventing non-administrative users from making VPN connections in some cases. The revised patch correctly handles VPN connections. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate.

The Remote Access Service (RAS) provides dial-up connections between computers and networks over phone lines. RAS is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, and also is included in a separately downloadable Routing and Remote Access Server (RRAS) for Windows NT 4.0. All of these implementations include a RAS phonebook, which is used to store information about telephone numbers, security, and network settings used to dial-up remote systems.

A flaw exists in the RAS phonebook implementation: a phonebook value is not properly checked, and is susceptible to a buffer overrun. The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with LocalSystem privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system.

Mitigating factors: 

Severity Rating: 

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The attacker must have credentials to logon to the computer where the RAS phonebook is held.

Vulnerability identifier: CAN-2002-0366 

Tested Versions:

Microsoft tested Windows NT4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why was this bulletin updated?
On July 2, 2002, we updated this bulletin to advise customers of the availability of a revised patch. The original patch completely eliminate the vulnerability, but it also introduced a bug that could have the effect of requiring administrative privileges in order to establish a Virtual Private Network (VPN) connection.
Microsoft has updated the patch to eliminate the bug. Customers who applied the original patch should consider applying the new one if the bug described above affects them. Customers who did not apply the original patch should apply the new one. The revised patch is immediately available from the Download Center and will be soon made available via WindowsUpdate.

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over the machine, thereby gaining the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group.
The vulnerability could only be exploited by an attacker who had credentials to log onto the computer where the RAS phonebook is held. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers; if this guidance has been followed, such servers would not be at risk from this vulnerability.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the Remote Access Service Phonebook. By creating a specially malformed phonebook entry, it could be possible to conduct a buffer overrun attack against an affected system.

What is the Remote Access Service?
The Remote Access Service lets users connect to a remote computer over phone lines, so they can work as if their system were physically connected to the remote network. These services enable remote users to do activities such as send and receive e-mail, fax documents, retrieve files, and print documents on an office printer.
The Remote Access Service is a native service in Windows NT 4.0, Windows 2000 and XP. In addition, a separately downloadable Routing and Remote Access Service (RRAS, also known as Steelhead) is available for Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition, and it also includes a RAS implementation.

What is the Remote Access Service Phonebook?
The RAS phonebook is used to keep information that describes sites that can be connected to using dial-up networking via RAS. A phonebook entry contains information about the dial-up phone number, security, and network settings.
For example, if we were to create a phonebook entry for "Office computer", we might say that the phone number for the remote computer is "555-1837", and that the PPP protocol should be used to dial the computer. We might also specify the TCP/IP address for our computer and that the default gateway should be used.

What's wrong with the RAS phonebook?
There is an unchecked buffer in the code that reads the RAS phonebook entries.

What would this vulnerability enable an attacker to do?
The attacker could use this vulnerability for either of two purposes:

How might an attacker exploit the vulnerability?
The attacker could logon to the computer that holds the RAS phonebook and then modify an entry in the phonebook with specially malformed data. The attacker could then logout, and logon using the modified dial-up entry. The RAS system would read the modified dial-up entry from the phonebook and the malformed data would be used.
Alternately, the attacker could modify and existing phonebook entry and then wait for another user to attempt to connect to a remote computer using the modified dial-up entry.

Who could exploit the vulnerability?
Anyone who could log onto the system interactively. Best practices suggest that unprivileged users not be allowed to interactively log onto business-critical servers. If best practices are followed, then it is workstations and terminal servers that would chiefly be at risk.

I use Windows NT 4.0, and I see that there are two patches for it. Which should I apply?
If you have installed RRAS on Windows NT 4.0 you should apply the RRAS version of this fix. If you haven't applied RRAS on Windows NT 4.0 then you should apply the standard RAS fix. The same is true for RRAS on Windows NT 4.0 Terminal Server Edition.

I don't know whether RRAS is installed on my system. How can I tell?
To see if RRAS is installed on Windows NT 4.0, go to Network Neighborhood and select the Services tab from Properties. If the "Routing and Remote Access Service" is listed then RRAS has been installed.

What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking on the RAS phonebook entries.

Download locations for this patch

Installation platforms:

•	The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.
•	The Windows Routing and Remote Access Server patch can be installed on systems running Windows NT 4.0 Service Pack 6a (English only).
•	The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 Terminal Server Edition Service Pack 6.
•	The Windows NT 4.0 Terminal Server Edition, Routing and Remote Access Server patch can be installed on systems running Windows NT 4.0 Terminal Server Edition Service Pack 6.
•	The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2.
•	The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:

•	The fix for this issue will be included in Windows 2000 Service Pack 3.
•	The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

Windows NT 4.0 Service Pack 6a:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138
•	To verify the individual files, consult the file manifest in Knowledge Base article Q318138.

Windows NT 4.0 Terminal Server Edition Service Pack 6:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q318138
•	To verify the individual files, consult the file manifest in Knowledge Base article Q318138.

Windows 2000 Service Pack 2:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q318138\Filelist

Windows XP:

•	To verify that the patch has been installed, confirm that the following registry key has been created on the machine: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q318138\Filelist

Caveats:

None

Localization:

Localized versions of this patch are currently available at the locations listed above in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section