-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Please note revision section below *

@stake Inc.
www.atstake.com

Security Advisory

Advisory Name: NetDDE Message Vulnerability
 Release Date: 02/05/2001 [Updated on 2/08/2001]
  Application: Network DDE (system component)
     Platform: Windows 2000 (up to and including Service Pack 1)
               [Affects Professional, Server, Advanced Server,
               Terminal Services and Citrix Metaframe configurations]
     Severity: Any local user can obtain SYSTEM privileges
       Author: DilDog (firstname.lastname@example.org)
Vendor Status: Vendor has patch and bulletin
          CVE: CAN-2001-015
    Reference: www.atstake.com/research/advisories/2001/a020501-1.txt
Network DDE is a system service that is enabled in Windows 2000 by default. Due to design flaws, it allows arbitrary commands to be executed with SYSTEM user privileges.
This is a privilege escalation vulnerability. Executing code with SYSTEM privileges gives an attacker full administrative control of the workstation or server. An attacker can use this vulnerability to elevate privileges on any workstation or server where he or she can log on as a normal user. It can also be used to completely compromise a server when combined with another, lesser vulnerability that allows code execution as a low-privileged user.
When the "Network DDE DSDM" service is started, the WINLOGON process creates an invisible window for inter-process communication with various NetDDE components. The WINLOGON process is running as the SYSTEM user. When a particular undocumented structure is passed to WINLOGON through the "DDE Copy Data" window message mechanism, it can specify an arbitrary command line to run in the WINLOGON context.
This functionality is supposedly the back end by which trusted-service NetDDE shares have their server applications started automatically when a NetDDE connection is requested but the server hasn't started yet.
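The advisory ties exposure to the "Network DDE DSDM" service being started, so the first thing an administrator of an unpatched Windows 2000 host wants is an inventory of those services. The following PowerShell script is an added example, not part of the @stake advisory or of Microsoft's patch: it reports the run state and startup type of the two Network DDE services and, with -Remediate, stops and disables them where they are not needed. The short service names NetDDE and NetDDEdsdm are an assumption about the host and should be confirmed with Get-Service before use; applying the vendor patch remains the actual fix.

```powershell
# Added example (not from the @stake advisory): audit the Network DDE services
# whose running state causes WINLOGON to create the NetDDE IPC window, and
# optionally stop and disable them. Service names are an assumption; confirm
# with: Get-Service | Where-Object { $_.DisplayName -like 'Network DDE*' }
param(
    [switch]$Remediate   # stop and disable exposed services instead of only reporting
)

# NetDDE depends on NetDDEdsdm, so it is listed first to stop cleanly.
$netDdeServices = @('NetDDE', 'NetDDEdsdm')

foreach ($name in $netDdeServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output ("{0,-12} not present on this host" -f $name)
        continue
    }

    # Startup type lives in the service's registry key: 2=Automatic, 3=Manual, 4=Disabled.
    $regPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $startType = (Get-ItemProperty -Path $regPath -Name Start -ErrorAction SilentlyContinue).Start
    $startLabel = switch ($startType) {
        2       { 'Automatic' }
        3       { 'Manual' }
        4       { 'Disabled' }
        default { 'Unknown' }
    }

    # Treat the service as exposed if it is running now or could be started later;
    # only a disabled, stopped service keeps the WINLOGON window from appearing.
    $exposed = ($svc.Status -eq 'Running') -or ($startType -ne 4)
    Write-Output ("{0,-12} status={1,-8} startup={2,-10} exposed={3}" -f `
        $name, $svc.Status, $startLabel, $exposed)

    if ($Remediate -and $exposed) {
        if ($svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force   # -Force also stops dependent services
        }
        Set-Service -Name $name -StartupType Disabled
        Write-Output ("{0,-12} stopped and disabled" -f $name)
    }
}
```

Run it from an elevated prompt; without -Remediate it is read-only and safe to schedule across a fleet so the output can be collected and compared against patch status. Disabling the services is a workaround for hosts that do not use NetDDE shares, not a substitute for the vendor patch.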
Microsoft has issued a bulletin describing this topic:
http://www.microsoft.com/technet/security/bulletin/MS01-007.asp

Microsoft has issued a patch:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526

The advisory contains additional information. We encourage those affected by this issue to read the advisory. All vulnerability database maintainers should reference the advisory reference URL above to refer to this advisory.
02/05/2001: Initial Release
02/08/2001: Added additional vulnerable platforms: Windows 2000 Terminal Services and Citrix Metaframe.
Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc
Copyright 2001 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOoMfOlESXwDtLdMhEQIOmQCfS9dgz9Jc0Xyny+JhZR+7/QHZo0MAnipW
8p675HoiabYdzlY9dj+AhaJ6
=4vcT
-----END PGP SIGNATURE-----