Vulnerability Note VU#587587

Microsoft Windows 2000 Telnet Service uses named pipes with predictable names

Original Release date: 18 Sep 2001 | Last revised: 18 Sep 2001


The Microsoft Windows 2000 Telnet Service contains a vulnerability that allows unprivileged local users to execute arbitrary code with elevated privileges.


The Microsoft Windows 2000 Telnet Service creates a named pipe to share information between the processes that handle each telnet session. The name of each pipe is determined using an algorithm that is easily predictable by other unrelated processes running on the system. In addition, if the name chosen by the Telnet Service matches that of an existing named pipe, the Telnet Service will use the existing named pipe and will execute any code attached to it. These three factors combine to expose a vulnerability that allows users with local access to execute arbitrary code with the privileges of the Telnet Service, namely the Local System security context.

Remote attackers who wish to exploit this vulnerability must first gain sufficient access to upload a program to the server and execute it. This program would create a named pipe and attach the malicious code to be run. The attacker would then attempt to make a telnet connection to the server, causing the Telnet Service to use the named pipe provided by the attacker's program. At this point, the attacker's code would be running in the Local System security context and could be used to take full control of the Windows 2000 server.


This vulnerability allows unprivileged local users to execute arbitrary code in the Local System security context.


Apply a patch from your vendor

Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.

Disable telnet service

Sites that do not require the Windows 2000 Telnet Service may disable it to prevent exploitation of this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
MicrosoftAffected-14 Sep 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This document was written by Jeffrey P. Lanza and is based on information provided by Microsoft.

Other Information

  • CVE IDs: CAN-2001-0349
  • Date Public: 07 Jun 2001
  • Date First Published: 18 Sep 2001
  • Date Last Updated: 18 Sep 2001
  • Severity Metric: 15.75
  • Document Revision: 14


If you have feedback, comments, or additional information about this vulnerability, please send us email.