search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows 2000 Telnet Service uses named pipes with predictable names

Vulnerability Note VU#587587

Original Release Date: 2001-09-18 | Last Revised: 2001-09-18


The Microsoft Windows 2000 Telnet Service contains a vulnerability that allows unprivileged local users to execute arbitrary code with elevated privileges.


The Microsoft Windows 2000 Telnet Service creates a named pipe to share information between the processes that handle each telnet session. The name of each pipe is determined using an algorithm that is easily predictable by other unrelated processes running on the system. In addition, if the name chosen by the Telnet Service matches that of an existing named pipe, the Telnet Service will use the existing named pipe and will execute any code attached to it. These three factors combine to expose a vulnerability that allows users with local access to execute arbitrary code with the privileges of the Telnet Service, namely the Local System security context.

Remote attackers who wish to exploit this vulnerability must first gain sufficient access to upload a program to the server and execute it. This program would create a named pipe and attach the malicious code to be run. The attacker would then attempt to make a telnet connection to the server, causing the Telnet Service to use the named pipe provided by the attacker's program. At this point, the attacker's code would be running in the Local System security context and could be used to take full control of the Windows 2000 server.


This vulnerability allows unprivileged local users to execute arbitrary code in the Local System security context.


Apply a patch from your vendor

Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.

Disable telnet service

Sites that do not require the Windows 2000 Telnet Service may disable it to prevent exploitation of this vulnerability.

Vendor Information


Microsoft Affected

Updated:  September 14, 2001



Vendor Statement

Microsoft has addressed this vulnerability in the following Microsoft Security Bulletin

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has archived Microsoft's announcement of MS01-031 at

CVSS Metrics

Group Score Vector



This document was written by Jeffrey P. Lanza and is based on information provided by Microsoft.

Other Information

CVE IDs: CVE-2001-0349
Severity Metric: 15.75
Date Public: 2001-06-07
Date First Published: 2001-09-18
Date Last Updated: 2001-09-18 23:27 UTC
Document Revision: 14

Sponsored by CISA.