REVISION: @stake Advisory Notification: NetDDE Message Vulnerability (A020501-1)

2001-02-09T00:00:00
ID SECURITYVULNS:DOC:1263
Type securityvulns
Reporter Securityvulns
Modified 2001-02-09T00:00:00

Description


 * Please note revision section below *


                       @stake Inc.
                     www.atstake.com

                     Security Advisory

Advisory Name: NetDDE Message Vulnerability
 Release Date: 02/05/2001 [Updated on 2/08/2001]
  Application: Network DDE (system component)
     Platform: Windows 2000 (up to and including Service Pack 1)
               [Affects Professional, Server, Advanced Server,
               Terminal Services and Citrix Metaframe configurations]
     Severity: Any local user can obtain SYSTEM privileges
       Author: DilDog (dildog@atstake.com)
Vendor Status: Vendor has patch and bulletin
          CVE: CAN-2001-015
    Reference: www.atstake.com/research/advisories/2001/a020501-1.txt

Summary:

    Network DDE is a system service that is enabled in Windows 2000 by default. Due to design flaws, it allows arbitrary commands to be executed with SYSTEM user privileges.

    This is a privilege escalation vulnerability. Executing code with SYSTEM privileges allows an attacker to have full administrative control of the workstation or server. This vulnerability can be used by an attacker to elevate privileges on a workstation or server where he or she has the logon privileges as a normal user. It can also be used to completely compromise a server when combined with another lesser vulnerability that allows code execution as a low privileged user.

    When the "Network DDE DSDM" service is started, the WINLOGON process creates an invisible window for inter-process communication with various NetDDE components. The WINLOGON process is running as the SYSTEM user. When a particular undocumented structure is passed to WINLOGON through the "DDE Copy Data" window message mechanism, it can specify an arbitrary command line to run in the WINLOGON context.

    This functionality is supposedly the back end by which trusted service NetDDE shares have their server applications started automatically when a NetDDE connection is requested but the server hasn't started yet.

Vendor Response:

    Microsoft has issued a bulletin describing this topic:
    http://www.microsoft.com/technet/security/bulletin/MS01-007.asp

    Microsoft has issued a patch:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
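    The following audit helper is an addition to this notification, not code from @stake or Microsoft. It reports, for a Windows 2000 host reachable over WMI, whether the "Network DDE DSDM" service whose startup creates WINLOGON's hidden DDE window is running or set to auto-start, and offers a stop-and-disable mitigation for hosts that do not need NetDDE shares until the MS01-007 patch is applied. The service short names 'NetDDE' and 'NetDDEdsdm' are assumed; the advisory only gives the display name.

```powershell
# Added audit helper (not part of the @stake advisory). Assumes the service
# short names 'NetDDE' and 'NetDDEdsdm' and that the host answers WMI/DCOM,
# which Windows 2000 does, so a modern admin host can audit legacy machines.
function Get-NetDdeExposure {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_Service carries StartMode (Auto/Manual/Disabled) and State.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.Name -in @('NetDDE', 'NetDDEdsdm') }

    foreach ($svc in $services) {
        # Per the advisory, the window WINLOGON creates exists only once the
        # DSDM service is started, so Running or Auto start is the finding.
        $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -eq 'Auto')
        [pscustomobject]@{
            Computer  = $ComputerName
            Service   = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Exposed   = $exposed
        }
    }
}

# Mitigation for hosts that do not use NetDDE shares: stop and disable both
# services. 'NetDDE' depends on 'NetDDEdsdm', so it is stopped first.
function Disable-NetDde {
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($name in 'NetDDE', 'NetDDEdsdm') {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                             -Filter "Name='$name'"
        if ($null -ne $svc) {
            [void]$svc.StopService()
            [void]$svc.ChangeStartMode('Disabled')
        }
    }
}

Get-NetDdeExposure | Format-Table -AutoSize
```

Run Get-NetDdeExposure first and apply Disable-NetDde only where the Exposed column is True and no NetDDE shares are in use; the patch above remains the complete fix.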

Advisory Reference:

http://www.atstake.com/research/advisories/2001/a020501-1.txt

The advisory contains additional information. We encourage those affected by this issue to read the advisory. All vulnerability database maintainers should reference the above advisory reference URL to refer to this advisory.

Revisions:

02/05/2001: Initial Release
02/08/2001: Added additional vulnerable platforms: Windows 2000 Terminal
            Services and Citrix Metaframe.

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.
