Software Engineering Institute

The Microsoft Windows 2000 Telnet Service creates a named pipe to share information between the processes that handle each telnet session. The name of each pipe is determined using an algorithm that is easily predictable by other unrelated processes running on the system. In addition, if the name chosen by the Telnet Service matches that of an existing named pipe, the Telnet Service will use the existing named pipe and will execute any code attached to it. These three factors combine to expose a vulnerability that allows users with local access to execute arbitrary code with the privileges of the Telnet Service, namely the Local System security context.

Remote attackers who wish to exploit this vulnerability must first gain sufficient access to upload a program to the server and execute it. This program would create a named pipe and attach the malicious code to be run. The attacker would then attempt to make a telnet connection to the server, causing the Telnet Service to use the named pipe provided by the attacker's program. At this point, the attacker's code would be running in the Local System security context and could be used to take full control of the Windows 2000 server.

This vulnerability allows unprivileged local users to execute arbitrary code in the Local System security context.

Apply a patch from your vendor

Microsoft has released a patch for this vulnerability; for further information, please consult the systems affected section below.

Disable telnet service

Sites that do not require the Windows 2000 Telnet Service may disable it to prevent exploitation of this vulnerability.