-----Original Message----- From: UNIRAS (UK Govt CERT) [mailto:[EMAIL PROTECTED]] Sent: 16 August 2002 10:50 To: Undisclosed Recipients Subject: UNIRAS Brief - 251/02 - Microsoft - Windows 2000 Flaw in Network Connection Manager Could Enable Privilege Elevation (Q326886) (MS02-042) -----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------------------ ---- UNIRAS (UK Govt CERT) Briefing Notice - 251/02 dated 16.082 Time: 10:45 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre) - ------------------------------------------------------------------------------ ---- UNIRAS material is also available from its website at www.uniras.gov.uk and Information about NISCC is available from www.niscc.gov.uk - ------------------------------------------------------------------------------ ---- Title ===== Microsoft Security Bulletin (MS02-042) Microsoft Windows 2000 Flaw in Network Connection Manager Could Enable Privilege Elevation (Q326886) Detail ====== - -----BEGIN PGP SIGNED MESSAGE----- - - - - - ---------------------------------------------------------------------- Title: Flaw in Network Connection Manager Could Enable Privilege Elevation (Q326886) Date: 14 August 2002 Software: Microsoft Windows 2000 Impact: Privilege elevation Max Risk: Critical Bulletin: MS02-042 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-042.asp . - - - - - ---------------------------------------------------------------------- Issue: ====== The Network Connection Manager (NCM) provides a controlling mechanism for all network connections managed by a host system. Among the functions of the NCM is to call a handler routine whenever a network connection has been established. By design, this handler routine should run in the security context of the user. However, a flaw could make it possible for an unprivileged user to cause the handler routine to run in the security context of LocalSystem, though a very complex process. An attacker who exploited this flaw could specify code of his or her choice as the handler, then establish a network connection in order to cause that code to be invoked by the NCM. The code would then run with full system privileges. Mitigating Factors: ==================== The vulnerability could only be exploited by an attacker who had the appropriate credentials to log onto an affected system interactively. Best practices suggests that unprivileged users not be allowed to interactively log onto business-critical servers. If this recommendation has been followed, machines such as domain controllers, ERP servers, print and file servers, database servers, and others would not be at risk from this vulnerability. Risk Rating: ============ - Internet systems: Low - Intranet systems: Critical - Client systems: Critical Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-042.asp for information on obtaining this patch. - - - - - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPVv1X40ZSRQxA/UrAQFxYQf/ftIxVTaOdjgCe8D7CEajwWHKJ2PNS1M3 l0aWVk2hyXUvnHqSLir3dIgVBjztIx7wUnBiEzg/FTc7WPb6mdU3GNAPYWQu58kW H3zq+V3M9RPrPe97sgHfxfF1ubH0gzatPuGyGKIAkoq5iY2o5LPIMVMtO7Baw+gF vsEnatY5oY1s2QVBYCdBYjRd2puqMQywh/h0iWNFq5kBTp4pbpfnMSbBQoQGTPGX rUviam/WnBhIBL7JEQqv2oCBvO+zzv5ix32IyH4F1kx9DNlxYmhdURWleL+GAotv /G/mV+koIJIIUGjjJWMOUO7TKkmZpNYte2iaA3wRTdbuAQ1fMdeGdw== =88Bk - -----END PGP SIGNATURE----- Reprinted with permission of Microsoft Corporation - ------------------------------------------------------------------------------ ---- For additional information or assistance, please contact the HELP Desk by telephone or Not Protectively Marked information may be sent via EMail to: [EMAIL PROTECTED] Tel: 020 7821 1330 Ext 4511 Fax: 020 7821 1686 - ------------------------------------------------------------------------------ ---- UNIRAS wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this Briefing. - ------------------------------------------------------------------------------ ---- This Briefing contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS or NISCC shall also accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. - ------------------------------------------------------------------------------ ---- <End of UNIRAS Briefing> -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQCVAwUBPVzKH4pao72zK539AQFkjwQAjJOPYcv4nBmzQURxDfNN+IkbcCtwWOBh TaEiW/aR9EmEIFib0KoPuoeFReUp2O+oTsuhW4oW6VhkEhLFu9SHjPvY1QOAuwxc TcfSFAvrPuEqImQ2RdxgsckZslvLW1UXVii8ymy/o/wcpY4HRGhM+r4qcKhdRBh7 A1aKEjMBcYQ= =u+IQ -----END PGP SIGNATURE----- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk
