Vulnerability Report For Microsoft Windows NT 4.0 Terminal Server GINA

Advisory ID Internal: CORE-21108

Bugtraq ID: 1924

CVE Name: CVE-2000-1149

Title: Windows NT 4.0 Terminal Server RegAPI.DLL Buffer Overflow

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: Yes

Release Mode: COORDINATED RELEASE


Vulnerability Description:

GINA stands for Graphical Identification and Authorization and describes an interface for the validation of logon credentials. The default implementation is MSGINA.DLL.

MSGINA.DLL in Microsoft Windows NT 4.0 is responsible for enforcing the authentication policy of the interactive logon model, and is expected to perform all identification and authentication interactions with the user.

Microsoft Windows NT 4.0 Terminal Server ships with a remotely and locally exploitable buffer overflow in a dynamic-link library (RegAPI.DLL) that MSGINA.DLL uses.

It could be exploited by entering a long string in the username field.

When triggered, this buffer overflow results in a system crash (if triggered locally) or a dropped connection (if triggered remotely).

By providing a specially crafted username an attacker has the ability to obtain access to the Terminal Server and execute arbitrary commands as user SYSTEM.


Vulnerable Packages/Systems:

Microsoft Windows NT 4.0 Terminal Server Edition SP6 and below.


Solution/Vendor Information/Workaround:

Microsoft has released a fix for the problem; it can be obtained from

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-087

More Information:
Please see the following references for more information related to this issue.

Frequently Asked Questions:

Microsoft Security Bulletin MS00-087,
http://www.microsoft.com/technet/security/bulletin/fq00-087.asp

Microsoft Knowledge Base article Q277910 discusses this issue and will be available soon.

Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Additionally, advisories and information on security issues concerning Windows NT 4.0 Terminal Server Edition can be obtained from:
http://www.securityfocus.com/bid/571
http://www.microsoft.com/technet/security/bulletin/fq99-028.asp

Vendor notified on: October 3rd, 2000


Credits:

This vulnerability was discovered by Bruno Acselrad and Agustín Azubel Friedman from CORE SDI S.A., Buenos Aires, Argentina.

We wish to thank the Microsoft Security Team for their prompt acknowledgement of, and response to, the problem report.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail [email protected].


Technical Description - Exploit/Concept Code:

Windows NT 4.0 Terminal Server has a remotely and locally exploitable buffer overflow in the GINA subsystem.

Entering a long username in the username edit box will make the system crash (if done locally) or drop the connection (if done remotely).

The problem occurs when MSGINA.DLL calls the ReUserConfigQuery() function in RegAPI.DLL.

Within that function, wcscpy() first copies a fixed key into a local buffer of fixed length, and wcscat() then appends the username string to it without checking the remaining space.

This local variable can be overflowed resulting in the execution of arbitrary commands on the vulnerable host.
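The copy-then-append pattern described above, next to a length-checked version of the same routine, as an added illustration that is not code from the advisory or from RegAPI.DLL; the key prefix, the buffer size and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <wchar.h>

/* Constructed stand-in for the fixed key that the advisory says RegAPI.DLL
 * copies into its local buffer; the real string and size are not on the page. */
#define KEY_PREFIX  L"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\"
#define KEY_BUF_LEN 64   /* hypothetical fixed-length local buffer */

/* The pattern the advisory describes: wcscpy() of the fixed key, then an
 * unbounded wcscat() of the caller-supplied username. Any username longer
 * than the space left in 'key' writes past its end (undefined behaviour). */
void build_key_unsafe(const wchar_t *user, wchar_t *key)
{
    wcscpy(key, KEY_PREFIX);
    wcscat(key, user);
}

/* Hardened form: verify that prefix + username + terminating NUL fits before
 * writing anything. Returns 0 on success, -1 if the username is too long. */
int build_key_safe(const wchar_t *user, wchar_t *key, size_t key_len)
{
    size_t prefix_len = wcslen(KEY_PREFIX);
    size_t user_len = wcslen(user);

    if (key_len <= prefix_len)                 /* no room for even the prefix */
        return -1;
    if (user_len > key_len - prefix_len - 1)   /* keep room for the NUL */
        return -1;
    wmemcpy(key, KEY_PREFIX, prefix_len);
    wmemcpy(key + prefix_len, user, user_len + 1);   /* copies the NUL too */
    return 0;
}

/* Builds the key for 'user' into a fixed-size local buffer with the safe
 * routine and reports whether it fit and matched 'expected' (1) or was
 * rejected or differed (0). */
int key_matches(const wchar_t *user, const wchar_t *expected)
{
    wchar_t key[KEY_BUF_LEN];
    if (build_key_safe(user, key, KEY_BUF_LEN) != 0)
        return 0;
    return wcscmp(key, expected) == 0;
}
```

With the constructed 49-character prefix and a 64-element buffer, the safe routine accepts usernames of up to 14 characters and rejects anything longer, which is exactly the check the unsafe version lacks.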


DISCLAIMER:
The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.