Title: Vulnerability Report For Microsoft Windows NT 4.0 Terminal Server GINA
Released by: CORE SDI
Date: 8th November 2000
                                                            CORE SDI
                                                http://www.core-sdi.com

         Vulnerability Report For Microsoft Windows NT 4.0 Terminal Server GINA

Date Published: 2000-11-08
Advisory ID: CORE-20001108
Bugtraq ID: 1924
CVE CAN: None currently assigned.
Title: Windows NT 4.0 Terminal Server RegAPI.DLL Buffer Overflow
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Mode: COORDINATED RELEASE

Vulnerability Description:

  GINA stands for Graphical Identification aNd Authorization and describes
  an interface for the validation of logon credentials. The default
  implementation is MSGINA.DLL.

  MSGINA.DLL in Microsoft Windows NT 4.0 is responsible for enforcing the
  authentication policy of the interactive logon model, and is expected to
  perform all identification and authentication user interactions.

  Microsoft Windows NT 4.0 Terminal Server ships with a remotely and locally
  exploitable buffer overflow in a Dynamically Linked Library (RegAPI.DLL)
  that MSGINA.DLL uses.

  It can be triggered by entering a long string in the username field.
  When triggered, this buffer overflow results in a system crash
  (if triggered locally) or a connection drop (if triggered remotely).

  By providing a specially crafted username an attacker has the ability
  to obtain access to the Terminal Server and execute arbitrary commands
  as user SYSTEM.

Vulnerable Packages/Systems:

  Microsoft Windows NT 4.0 Terminal Server Edition SP6a and below

Solution/Vendor Information/Workaround:

  Microsoft has released a fix for the problem; it can be obtained
  from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25565

  More Information:

  Please see the following references for more information related
  to this issue.

  Frequently Asked Questions:

    Microsoft Security Bulletin MS00-087,
    http://www.microsoft.com/technet/security/bulletin/fq00-087.asp

   Microsoft Knowledge Base article Q277910 discusses this issue and
   will be available soon.

   Microsoft TechNet Security web site,
   http://www.microsoft.com/technet/security/default.asp

   Additionally, advisories and information on security issues concerning
   Windows NT 4.0 Terminal Server Edition can be obtained from:

   http://www.securityfocus.com/bid/571
   http://www.microsoft.com/technet/security/bulletin/fq99-028.asp

  Other advisories from CORE SDI can be obtained from:
   http://www.core-sdi.com/english/publications.html

Vendor notified on: October 3rd, 2000



Credits:

  This vulnerability was discovered by Bruno Acselrad of
  CORE SDI S.A., Buenos Aires, Argentina.

  We wish to thank the Microsoft Security Team for their prompt
  acknowledgement of and response to the problem report.

  This advisory was drafted with the help of the SecurityFocus.com
  Vulnerability Help Team. For more information or assistance drafting
  advisories please mail vulnhelp@securityfocus.com.

Technical Description - Exploit/Concept Code:

  Windows NT 4.0 Terminal Server has a remotely and locally exploitable
  buffer overflow in the GINA subsystem.

  Entering a long username in the username edit box will make the
  system crash (if done locally) or drop the connection (if done remotely).

  The problem occurs when MSGINA.DLL calls the RegUserConfigQuery() function
  in RegAPI.DLL.

  Within that function wcscpy() is first called and then wcscat() appends
  a fixed key and the username string to a local variable of fixed length.

  This local variable can be overflowed, resulting in the execution of
  arbitrary commands on the vulnerable host.
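The copy-then-append pattern described above, shown beside a bounded version that rejects over-length usernames before touching the buffer. This is an added illustration, not code from the advisory or from RegAPI.DLL; the key text, the 64-character buffer size and the function names are assumptions.

```c
#include <stddef.h>
#include <wchar.h>

/* Assumed stand-in for the fixed key that RegAPI.DLL prepends to the
 * username; the advisory does not give the real key text or buffer size. */
#define KEY_PREFIX    L"SOFTWARE\\Example\\UserConfig\\"
#define KEY_BUF_CHARS 64

/* The pattern the advisory describes: a fixed key is copied into a
 * fixed-length local buffer and the caller-supplied username is appended
 * with no check against the buffer size. Shown only for contrast. */
void build_key_unbounded(wchar_t *key, const wchar_t *user)
{
    wcscpy(key, KEY_PREFIX);
    wcscat(key, user);          /* writes past 'key' when user is too long */
}

/* Hardened form: compute the required length first and refuse the input
 * (leaving the buffer untouched) unless prefix + user + NUL all fit.
 * Returns 0 on success, -1 when the username is over-length. */
int build_key_bounded(wchar_t *key, size_t key_chars, const wchar_t *user)
{
    size_t prefix_len = wcslen(KEY_PREFIX);
    size_t user_len = wcslen(user);

    if (key_chars <= prefix_len || user_len > key_chars - prefix_len - 1)
        return -1;
    wmemcpy(key, KEY_PREFIX, prefix_len);
    wmemcpy(key + prefix_len, user, user_len);
    key[prefix_len + user_len] = L'\0';
    return 0;
}

/* Boundary check a logon front end could apply before handing the name on:
 * 1 if the username fits the fixed buffer, 0 otherwise. */
int username_fits(const wchar_t *user)
{
    wchar_t key[KEY_BUF_CHARS];
    return build_key_bounded(key, KEY_BUF_CHARS, user) == 0;
}

/* Helper for exercising the limit: a username of n repeated 'A's. */
int repeated_name_fits(size_t n)
{
    wchar_t name[256];
    if (n >= 256) return 0;          /* far beyond any sane limit anyway */
    wmemset(name, L'A', n);
    name[n] = L'\0';
    return username_fits(name);
}
```

With the assumed 28-character prefix and 64-character buffer, the longest username that fits is 35 characters; anything longer is rejected instead of overrunning the buffer.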

DISCLAIMER:
  The contents of this advisory are copyright (c) 2000 CORE SDI S.A.
  and may be distributed freely provided that no fee is charged for this
  distribution and proper credit is given.

$Id: NT4TS-gina-advisory.txt,v 1.6 2000/11/09 00:03:51 iarce Exp $



---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce@core-sdi.com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================