7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
32.2%
The Microsoft Remote Access Service API contains a vulnerability that allows local attackers to execute arbitrary code with system privileges.
The Microsoft Remote Access Service (RAS) Application Programming Interface (API) allows Windows programs to make dial-up connections to remote servers. There is a buffer overflow in the RAS API that allows an attacker to execute arbitrary code with LocalSystem privileges. To exploit this vulnerability, the attacker must log into an account on the affected system and create a RAS phonebook entry. When any program attempts to use the RAS API to parse the malicious phonebook entry, the entry will cause a buffer overflow and allow the attacker to execute arbitrary code.
Once the malicious phonebook entry has been created, the attacker may exploit the vulnerability by initiating a remote connection. However, the attacker may also choose to delay exploitation and allow a different, unsuspecting user to exploit the vulnerability on the attacker’s behalf. Since any attempt by the RAS API to parse the phonebook entry may trigger this vulnerability, the victim user need not even attempt to make a connection. The victim might trigger the vulnerability by simply viewing the properties of the crafted phonebook entry.
According to Microsoft Security Bulletin MS02-029, the following software is affected by this vulnerability:
* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0 Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Routing and Remote Access Server, which can be installed on Windows NT 4.0 Service Pack 6 or NT 4.0 Terminal Server Edition Service Pack 6.
This vulnerability is similar to VU#13121, which was first reported on May 19, 1999. For more details, please see
Attackers who are able to create malicious RAS phonebook entries can execute arbitrary code with LocalSystem privileges. In some cases, failed attempts to exploit this vulnerability will cause the affected host to crash.
Apply a patch from your vendor
Microsoft has released Security Bulletin MS02-029 to address this issue. For more detailed information and upgrade instructions, please see
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
Prevent users from accessing the Remote Access Service
For systems that do not require RAS, it may be possible to prevent exploitation of this vulnerability by uninstalling or disabling the Remote Access Service.
Prevent users from creating or modifying RAS phonebook entries
Attackers must be able to create or modify RAS phonebook entries to exploit this vulnerability. Therefore, it may be possible to utilize access control measures such as NTFS file permissions to prevent users from exploiting this vulnerability.
855811
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: May 31, 2002 Updated: June 13, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft has released Security Bulletin MS02-029 to address this issue. For more detailed information and upgrade instructions, please see
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23855811 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was discovered by Next Generation Security Software Ltd.
This document was written by Jeffrey P. Lanza and is based on information provided by Microsoft and Next Generation Security Software Ltd.
CVE IDs: | CVE-2002-0366 |
---|---|
Severity Metric: | 16.88 Date Public: |