Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:906
HistoryNov 09, 2000 - 12:00 a.m.

Windows NT 4.0 Terminal Server RegAPI.DLL Buffer Overflow

2000-11-0900:00:00
vulners.com
9
JSON
                                                        CORE SDI
                                            http://www.core-sdi.com

     Vulnerability Report For Microsoft Windows NT 4.0 Terminal Server

GINA

Date Published: 2000-11-08

Advisory ID: CORE-20001108

Bugtraq ID: 1924

CVE CAN: Non currently assigned.

Title: Windows NT 4.0 Terminal Server RegAPI.DLL Buffer Overflow

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: Yes

Release Mode: COORDINATED RELEASE

Vulnerability Description:

GINA stands for Graphical Identification aNd Authorization and describes
an interface for the validation of logon credentials. The default
implementation is MSGINA.DLL.

The MSGINA.DLL in Microsoft Windows 4.0 is responsable of performing the
authentication policy of the interactive logon model, and is expected to
perform all identification and authentication user interactions.

Microsoft Windows NT 4.0 Terminal Server ships with a remotely and locally
exploitable buffer overflow in a Dinamically Linked Library (RegAPI.DLL)
that MSGINA.DLL uses.

It could be exploited by entering a long string in the username field.
This buffer overflow when being triggered will result in a system crash
(if triggered locally) or a connection drop (if triggered remotely).

By providing a specially crafted username an attacker has the ability
to obtain access to the Terminal Server and execute arbitrary commands
as user SYSTEM.

Vulnerable Packages/Systems:

Microsoft Windows NT 4.0 Terminal Server Edition SP6a and below

Solution/Vendor Information/Workaround:

Microsoft has released a fix for the problem, it can be obtained
from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25565

More Information:

Please see the following references for more information related
to this issue.

Frequently Asked Questions:

Microsoft Security Bulletin MS00-087,
http://www.microsoft.com/technet/security/bulletin/fq00-087.asp

Microsoft Knowledge Base article Q277910 discusses this issue and
will be available soon.

Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Additionally, advisories and information on security issues concerning
Windows NT 4.0 Terminal Server Edition can be obtained from:

http://www.securityfocus.com/bid/571
http://www.microsoft.com/technet/security/bulletin/fq99-028.asp

Other advisories from CORE SDI can be obtained from:
http://www.core-sdi.com/english/publications.html

Vendor notified on: October 3rd, 2000

Credits:

This vulnerability was discovered by Bruno Acselrad of
CORE SDI S.A., Buenos Aires, Argentina.

We wish to thank the Microsoft Security Team for their prompt
acknowledge and response to the problem report.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail [email protected].

Technical Description - Exploit/Concept Code:

Windows NT 4.0 Terminal Server has a remote and locally exploitable
buffer overflow in the GINA subsystem.

Entering a long username in the username edit box will make the
system crash (if done locally) or drop the connection (if done remotely).

The problem occurs when MSGINA.DLL calls the ReUserConfigQuery() function
in RegAPI.DLL.

Within that function wscpy() is first called and then wscat() appends to a
local variable of fixed lenght a fixed key and the username string.

This local variable can be overflowed resulting in the execution of
arbitrary commands on the vulnerable host.

DISCLAIMER:
The contents of this advisory are copyright (c) 2000 CORE SDI S.A.
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

$Id: NT4TS-gina-advisory.txt,v 1.6 2000/11/09 00:03:51 iarce Exp $

"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house,
It's nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Ivбn Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : [email protected]
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402

— For a personal reply use [email protected]

JSON