Microsoft late Wednesday issued patches for three
security holes affecting its Point-to-Point Tunneling Protocol (PPTP),
Windows 2000 platform and versions of the Internet Information Server (IIS).
The Redmond, Wash.-based software giant warned that the most critical of the three
bugs was an unchecked buffer in PPTP that could
enable denial-of-service (DoS) attacks.
Two other security alerts, which bring the total announced by Microsoft this
year to 64, cover fixes for the default permissions in Windows 2000 that
could allow Trojan Horse program execution and a cumulative patch that plugs
four holes in IIS versions 4.0, 5.0 or 5.1.
PPTP Implementation
In its advisory warning of an unchecked buffer in
the PPTP implementation, Microsoft said the “critical” vulnerability could
lead to denial-of-service attacks against customers using Windows 2000 or
Windows XP.
“Administrators offering PPTP services should install the patch immediately;
users who utilize remote access using PPTP should consider installing the
patch,” Microsoft warned. (Download patch locations: Windows 2000; Windows
XP 32-bit and Windows XP 64-bit.)
Microsoft said the unchecked buffer was detected in a section of code that
processes the control data used to establish, maintain and tear down PPTP
connections. “By delivering specially malformed PPTP control data to an
affected server, an attacker could corrupt kernel memory and cause the
system to fail, disrupting any work in progress on the system,” the company said.
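The defect Microsoft describes is a length check missing from code that parses control data. The following is an added example, not Microsoft's code or the patched driver: a bounds-checked parser for the fixed 12-byte PPTP control-connection header defined in RFC 2637 (Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0, all big-endian), exercised on constructed sample messages. The receive-buffer size `PPTP_MAX_CTRL_LEN`, the function names and the sample messages are assumptions made for this example.

```c
/* Added example (not Microsoft's code): validate the PPTP control-connection
 * header before any field-dependent copy. Layout per RFC 2637, big-endian:
 *   Length (2) | PPTP Message Type (2) | Magic Cookie (4) |
 *   Control Message Type (2) | Reserved0 (2)  = 12-byte fixed header.
 * Receive-buffer size and sample messages are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PPTP_HDR_LEN      12u
#define PPTP_MAGIC        0x1A2B3C4Du
#define PPTP_MSG_CONTROL  1u
#define PPTP_SCCRQ        1u      /* Start-Control-Connection-Request */
#define PPTP_MAX_CTRL_LEN 256u    /* assumed fixed receive buffer */

enum pptp_verdict {
    PPTP_OK = 0,
    PPTP_TOO_SHORT,     /* fewer bytes than the fixed header */
    PPTP_BAD_LENGTH,    /* Length field disagrees with buffer or bytes received */
    PPTP_BAD_MAGIC,
    PPTP_BAD_MSG_TYPE
};

struct pptp_ctrl_msg {
    uint16_t length;
    uint16_t ctrl_type;
    uint8_t  payload[PPTP_MAX_CTRL_LEN - PPTP_HDR_LEN];
    size_t   payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one control message. The copy at the end is bounded by checks on the
 * attacker-controlled Length field made first; omitting those checks is what
 * lets malformed control data run past a fixed-size buffer. */
enum pptp_verdict pptp_parse_ctrl(const uint8_t *buf, size_t received,
                                  struct pptp_ctrl_msg *out)
{
    if (received < PPTP_HDR_LEN)
        return PPTP_TOO_SHORT;

    uint16_t len = rd16(buf);
    /* Declared length must cover the header, fit the receive buffer, and
     * equal the number of bytes actually delivered for this message. */
    if (len < PPTP_HDR_LEN || len > PPTP_MAX_CTRL_LEN || len != received)
        return PPTP_BAD_LENGTH;
    if (rd32(buf + 4) != PPTP_MAGIC)
        return PPTP_BAD_MAGIC;
    if (rd16(buf + 2) != PPTP_MSG_CONTROL)
        return PPTP_BAD_MSG_TYPE;

    out->length      = len;
    out->ctrl_type   = rd16(buf + 8);
    out->payload_len = len - PPTP_HDR_LEN;   /* <= sizeof payload by the check above */
    memcpy(out->payload, buf + PPTP_HDR_LEN, out->payload_len);
    return PPTP_OK;
}

/* Write a header into buf (constructed test data, not captured traffic). */
static void put_hdr(uint8_t *buf, uint16_t length, uint16_t ctrl_type)
{
    buf[0] = (uint8_t)(length >> 8);    buf[1] = (uint8_t)(length & 0xFF);
    buf[2] = 0;                         buf[3] = (uint8_t)PPTP_MSG_CONTROL;
    buf[4] = 0x1A; buf[5] = 0x2B; buf[6] = 0x3C; buf[7] = 0x4D;
    buf[8] = (uint8_t)(ctrl_type >> 8); buf[9] = (uint8_t)(ctrl_type & 0xFF);
    buf[10] = 0;                        buf[11] = 0;
}

/* Well-formed message: header plus 4 payload bytes, Length = 16. */
enum pptp_verdict example_well_formed(void)
{
    uint8_t buf[16]; struct pptp_ctrl_msg m;
    put_hdr(buf, 16, PPTP_SCCRQ);
    memset(buf + PPTP_HDR_LEN, 0xAA, 4);
    return pptp_parse_ctrl(buf, sizeof buf, &m);
}

/* Malformed: Length claims 0xFFFF bytes but only the header arrived. */
enum pptp_verdict example_oversized_length(void)
{
    uint8_t buf[PPTP_HDR_LEN]; struct pptp_ctrl_msg m;
    put_hdr(buf, 0xFFFF, PPTP_SCCRQ);
    return pptp_parse_ctrl(buf, sizeof buf, &m);
}

/* Malformed: Length smaller than the fixed header itself. */
enum pptp_verdict example_undersized_length(void)
{
    uint8_t buf[PPTP_HDR_LEN]; struct pptp_ctrl_msg m;
    put_hdr(buf, 4, PPTP_SCCRQ);
    return pptp_parse_ctrl(buf, sizeof buf, &m);
}

int main(void)
{
    printf("well-formed: %d  oversized: %d  undersized: %d\n",
           example_well_formed(), example_oversized_length(),
           example_undersized_length());
    return 0;
}
```

The three example functions return `PPTP_OK`, `PPTP_BAD_LENGTH` and `PPTP_BAD_LENGTH` respectively; the point is that both a too-large and a too-small declared length are refused before any byte beyond the header is touched.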
Windows 2000 and Windows XP support the Point-to-Point Tunneling Protocol
(PPTP), a Virtual Private Networking (VPN) technology that is implemented as
part of Remote Access Services (RAS). The protocol was developed jointly by
Microsoft, U.S. Robotics, and several remote access vendor companies (known
collectively as the PPTP Forum).
Microsoft warned that the vulnerability could be exploited against any
server that offers PPTP. If a workstation had been configured to operate as
a RAS server offering PPTP services, it could likewise be attacked,
according to the advisory. “Workstations acting as PPTP clients could only
be attacked during active PPTP sessions. Normal operation on any attacked
system could be restored by restarting the system,” it said.
Because of how the overrun occurs, Microsoft said it could not find any
reliable means of using it to gain control over a system. “Servers would
only be at risk from the vulnerability if they had been specifically
configured to offer PPTP services. PPTP does not run by default on any
Windows system. Likewise, although it is possible to configure a workstation
to offer PPTP services, none operate in this capacity by default.”
Cumulative Patch for IIS
The 62nd security alert from Redmond came in the
form of a cumulative patch to squash four bugs in IIS versions 4.0, 5.0 or
5.1, the most serious of which could enable applications on a server to gain
system-level privileges.
The patch for Microsoft’s Internet Information Server includes all
security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a,
and all security patches released to date for IIS 5.0 and 5.1, the company said.
In addition to including previously released fixes, the cumulative patch
also includes fixes for a privilege elevation vulnerability affecting the
way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to
run them out of process.
By design, Microsoft said the hosting process (dllhost.exe) should run only
in the security context of the IWAM_computername account; however, it
can actually be made to acquire LocalSystem privileges under certain
circumstances, thereby enabling an ISAPI to do likewise.
Also patched is a new denial-of-service vulnerability that results from a
flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If
a WebDAV request were malformed in a particular way, the advisory said IIS
would allocate an extremely large amount of memory on the server. By sending
several such requests, an attacker could cause the server to fail.
Another newly discovered vulnerability involves the script source access
permission in IIS 5.0, which operates in addition to the normal read/write
permissions for a virtual directory and regulates whether scripts, .ASP files
and executable file types can be uploaded to a write-enabled virtual directory.
Microsoft said a typographical error in the table that defines the file types
subject to this permission has the effect of omitting .COM files from the list
of files subject to the permission. As a result, a user would need only ‘write
access’ to upload such a file.
Microsoft also warned customers running Windows 2000 of a bug in the default
permissions that could allow the execution of Trojan Horse programs.
This bug, which was discovered by Security Focus, has a “moderate”
rating and there is no patch. Instead, Microsoft recommends that
administrators change the access permissions on the Windows 2000 system root
directory.
It said the problem lies in the default permissions that grant the
Everyone group Full access (Everyone:F) on the system root folder
(typically, C:\). In most cases, the system root is not in the search path
but, under certain conditions, it can be, creating a scenario in which an
attacker could mount a Trojan horse attack against other users of the
same system.
Microsoft said an attacker could create a program in the system root with
the same name as some commonly used program, then wait for another user to
subsequently log onto the system and invoke the program. “The Trojan horse
program would execute with the user’s own privileges, thereby enabling it to
take any action that the user could take,” it warned.
“The systems primarily at risk from this vulnerability would be workstations
that are shared between multiple users, and local terminal server sessions.”