Flaws in Active Directory and NetMeeting Allow Unauthorized Party to Crash and Potentially Take Control of User’s Systems
BOSTON, MA: July 2, 2003 – Core Security Technologies, providing the first-to-market penetration testing product for assessing specific information security risks, today published vulnerabilities discovered in Microsoft’s Active Directory and NetMeeting application. The vulnerability in Microsoft’s Active Directory allows an attacker to crash, force a reboot and potentially assume control of any Windows domain controller (typically a Windows 2000 server running the Active Directory service). The vulnerability in Microsoft’s NetMeeting application allows an attacker to create a file in any place on the user’s network, potentially taking control of the system. Both vulnerabilities can now be patched with the June 26th release of Windows 2000 Service Pack 4.
Microsoft’s Active Directory is designed for distributed computing environments and is an essential component of the Windows 2000 architecture. It allows an organization to centrally manage and share information while acting as the central authority for network security. The vulnerability can be triggered when an LDAP (Lightweight Directory Access Protocol) version 3 search request with more than 1000 "AND" statements is sent to the server. The result is a stack overflow and a subsequent crash of the LSASS.exe service.
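The trigger described above is a search filter that contains an unusually large number of AND operators. The following is an added example (it is not code from Core Security or Microsoft): a small parser for the LDAP string filter syntax that counts AND/OR/NOT operators and nesting depth, so that a defender can score filters seen in directory logs or at a proxy before they reach the domain controller. The 1000-AND figure is the one the announcement gives; the much lower alerting thresholds in `is_suspicious` and the sample filters are assumptions constructed for the example.

```python
"""Count LDAP filter operators and nesting depth (RFC 2254 string form).

Added example for the Active Directory issue above; not vendor code.
The advisory states that a filter with more than 1000 AND statements crashes
LSASS.exe, so an alerting threshold well below that is assumed here.
"""
from dataclasses import dataclass


@dataclass
class FilterStats:
    and_count: int = 0
    or_count: int = 0
    not_count: int = 0
    max_depth: int = 0


def _parse(s: str, pos: int, depth: int, stats: FilterStats) -> int:
    """Parse one parenthesised filter component starting at s[pos].

    Returns the index just past the matching ')'. Raises ValueError on
    malformed input so that garbage is never silently scored as benign.
    """
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    stats.max_depth = max(stats.max_depth, depth)

    if pos < len(s) and s[pos] in "&|!":
        op = s[pos]
        if op == "&":
            stats.and_count += 1
        elif op == "|":
            stats.or_count += 1
        else:
            stats.not_count += 1
        pos += 1
        # An operator is followed by one or more nested filters.
        while pos < len(s) and s[pos] == "(":
            pos = _parse(s, pos, depth + 1, stats)
    else:
        # Simple item such as attr=value; RFC 2254 escapes a literal ')'
        # as \29, so the next ')' closes this item.
        end = s.find(")", pos)
        if end == -1:
            raise ValueError("unterminated filter item")
        pos = end

    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1


def filter_stats(filter_str: str) -> FilterStats:
    """Return operator counts and maximum nesting depth for a filter string."""
    stats = FilterStats()
    end = _parse(filter_str, 0, 1, stats)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return stats


def is_suspicious(filter_str: str, max_and: int = 100, max_depth: int = 50) -> bool:
    """Assumed policy: flag filters with far more ANDs, or far deeper nesting,
    than any legitimate directory client produces. Malformed filters are
    flagged too, since they deserve a look rather than a free pass."""
    try:
        st = filter_stats(filter_str)
    except ValueError:
        return True
    return st.and_count > max_and or st.max_depth > max_depth


def scan(filters):
    """Return the subset of constructed sample filters that trip the policy."""
    return [f for f in filters if is_suspicious(f)]


if __name__ == "__main__":
    # Constructed sample filters, as they might appear in a search log.
    samples = [
        "(&(objectClass=user)(sAMAccountName=jdoe))",
        "(|(cn=alice)(cn=bob))",
        "(&" + "(cn=x)" * 3 + ")",
    ]
    for f in samples:
        print(f"{is_suspicious(f)!s:5}  {filter_stats(f)}  {f[:40]}")
```

`filter_stats` records both the number of AND operators and how deeply they nest, since the announcement does not say whether the 1000 statements are nested or flat; either shape is visible in the returned counts.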
One of the features of NetMeeting, which is used to hold audio and video-conferences, is a "File Transfer" capability that allows users to send one or more files back and forth during a NetMeeting conference. Core researchers discovered a vulnerability which allows an attacker to upload a file using filenames containing “..\..\..”. This enables an attacker to create a file in any place on the user’s network, subsequently execute arbitrary code, and ultimately take control of the system. The vulnerability allows the attacker to circumvent the directory where NetMeeting usually stores incoming files.
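The defect described here is the receiver trusting the sender-supplied filename when it builds the destination path. The following added example (not NetMeeting's or Core Security's code) shows the vulnerable join beside a hardened version that a file-transfer receiver should use: it rejects any name carrying path separators, a drive prefix or dot entries, and then confirms the normalized result still lies under the incoming directory. `INCOMING_DIR` and the sample names are assumed values; `ntpath` is used so that Windows path rules apply wherever the example runs.

```python
"""Vulnerable vs. hardened destination-path construction for received files.

Added example for the NetMeeting file-transfer issue; not vendor code.
ntpath is used deliberately so Windows semantics hold on any platform.
"""
import ntpath

# Assumed location of the receiver's incoming-files folder.
INCOMING_DIR = r"C:\Program Files\NetMeeting\Received Files"


def unsafe_destination(incoming_dir: str, sender_name: str) -> str:
    """Vulnerable pattern: join the sender's name verbatim.

    A name such as '..\\..\\..\\x.exe' normalizes to a path outside
    incoming_dir, which is the behaviour the announcement describes.
    """
    return ntpath.normpath(ntpath.join(incoming_dir, sender_name))


def sanitize_name(sender_name: str) -> str:
    """Accept only a bare file name supplied by the remote party.

    Rejects, rather than silently repairs, anything that could steer the
    write elsewhere: either separator, a drive or UNC prefix, dot entries,
    and control characters.
    """
    if sender_name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {sender_name!r}")
    if "\\" in sender_name or "/" in sender_name or ":" in sender_name:
        raise ValueError(f"rejected filename: {sender_name!r}")
    if any(ord(c) < 32 for c in sender_name):
        raise ValueError(f"rejected filename: {sender_name!r}")
    return sender_name


def safe_destination(incoming_dir: str, sender_name: str) -> str:
    """Hardened pattern: validate the name, then re-check containment."""
    base = ntpath.normpath(incoming_dir)
    dest = ntpath.normpath(ntpath.join(base, sanitize_name(sender_name)))
    # Defence in depth: even after sanitizing, refuse anything that
    # does not resolve to a child of the incoming directory.
    if ntpath.commonpath([base, dest]) != base:
        raise ValueError(f"destination escapes incoming directory: {dest!r}")
    return dest


if __name__ == "__main__":
    # Constructed sample names a remote party might send.
    for name in ["report.doc", r"..\..\..\evil.exe", "C:evil.exe", "a/b.txt"]:
        print(f"{name!r:24} unsafe -> {unsafe_destination(INCOMING_DIR, name)}")
        try:
            print(f"{'':24} safe   -> {safe_destination(INCOMING_DIR, name)}")
        except ValueError as exc:
            print(f"{'':24} safe   -> {exc}")
```

Rejecting rather than stripping separators is a deliberate choice: a transfer protocol should carry a file name, not a path, so a name with path components is malformed input and worth logging, not quietly fixed.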
“We discovered these flaws in March during one of our regular ‘Bug Weeks.’ Since then we have been working with the vendor to address this issue,” said Ivan Arce, CTO of Core Security Technologies. “We are pleased that we could make this announcement subsequent to the release of their patch, alerting customers to these critical issues.”
For the Active Directory vulnerability, a patch is included in the recently released Windows 2000 Service Pack 4.
For the NetMeeting vulnerability, patches for Windows 2000 and Windows XP are available at:
Other Active Directory Vulnerability Related Facts:
· The LDAP request that triggers the bug does not need to be authenticated. Any user with network access to the domain controller can exploit the vulnerability.
· The ability to execute arbitrary code on vulnerable servers has not been proven, but it has not been ruled out.
Other NetMeeting Vulnerability Related Facts:
A dialog box does appear at the end of the file transfer, but the user is not prompted to accept or reject the file transfer. Since NetMeeting conferences can be shut down by sending malformed packets (for example, by arbitrarily altering data sent in packets interchanged during a chat conversation), the action can be hidden from the user. Core also discovered that by sending malformed packets at several different points during a connection, all participants or a specific participant could be thrown out of the conversation. This could help to hide malicious actions such as the one described above.
About Core Security Technologies
Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to help customers easily and efficiently assess their specific information security risks. The company’s penetration testing software products are complemented by consulting services that include penetration testing, software security auditing, and related training. Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
# # #