The Microsoft Windows 2000 Telnet Service contains a vulnerability that allows unprivileged local users to execute arbitrary code with elevated privileges.
The Microsoft Windows 2000 Telnet Service creates a named pipe to share information between the processes that handle each telnet session. The name of each pipe is determined using an algorithm that is easily predictable by other unrelated processes running on the system. In addition, if the name chosen by the Telnet Service matches that of an existing named pipe, the Telnet Service will use the existing named pipe and will execute any code attached to it. These three factors combine to expose a vulnerability that allows users with local access to execute arbitrary code with the privileges of the Telnet Service, namely the Local System security context.
Remote attackers who wish to exploit this vulnerability must first gain sufficient access to upload a program to the server and execute it. This program would create a named pipe and attach the malicious code to be run. The attacker would then attempt to make a telnet connection to the server, causing the Telnet Service to use the named pipe provided by the attacker's program. At this point, the attacker's code would be running in the Local System security context and could be used to take full control of the Windows 2000 server.
This vulnerability allows unprivileged local users to execute arbitrary code in the Local System security context.
Apply a patch from your vendor
Disable telnet service
This document was written by Jeffrey P. Lanza and is based on information provided by Microsoft.
|Date First Published:||2001-09-18|
|Date Last Updated:||2001-09-18 23:27 UTC|