search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Remote Access Service API contains buffer overflow vulnerability via phonebook entries

Vulnerability Note VU#13121

Original Release Date: 2002-06-13 | Last Revised: 2002-06-25

Overview

The Microsoft Remote Access Service API contains a vulnerability that allows local attackers to execute arbitrary code with system privileges.

Description

The Microsoft Remote Access Service (RAS) Application Programming Interface (API) allows Windows programs to make dial-up connections to remote servers. There is a buffer overflow in the RAS API that allows an attacker to execute arbitrary code with LocalSystem privileges. To exploit this vulnerability, the attacker must log into an account on the affected system and create a RAS phonebook entry. When any program attempts to use the RAS API to parse the malicious phonebook entry, the entry will cause a buffer overflow and allow the attacker to execute arbitrary code.

Once the malicious phonebook entry has been created, the attacker may exploit the vulnerability by initiating a remote connection. However, the attacker may also choose to delay exploitation and allow a different, unsuspecting user to exploit the vulnerability on the attacker's behalf. Since any attempt by the RAS API to parse the phonebook entry may trigger this vulnerability, the victim user need not even attempt to make a connection. The victim might trigger the vulnerability by simply viewing the properties of the crafted phonebook entry.

According to Microsoft Security Bulletin MS99-016, this vulnerability affects Microsoft Windows NT 4.0.

Impact

Attackers who are able to create malicious RAS phonebook entries can execute arbitrary code with LocalSystem privileges. In some cases, failed attempts to exploit this vulnerability will cause the affected host to crash.

Solution

Apply a patch from your vendor


Microsoft has released Security Bulletin MS99-016 to address this issue. For more detailed information and upgrade instructions, please see

http://www.microsoft.com/technet/security/bulletin/MS99-016.asp

Prevent users from accessing the Remote Access Service


For systems that do not require RAS, it may be possible to prevent exploitation of this vulnerability by uninstalling or disabling the Remote Access Service.

Prevent users from creating or modifying RAS phonebook entries

Attackers must be able to create or modify RAS phonebook entries to exploit this vulnerability. Therefore, it may be possible to utilize access control measures such as NTFS file permissions to prevent users from exploiting this vulnerability.

Vendor Information

13121
 
Expand all

Microsoft Corporation Affected

Updated:  June 13, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has released Security Bulletin MS99-016 to address this issue. For more detailed information and upgrade instructions, please see


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Mnemonix (aka David Litchfield).

This document was written by Jeffrey P. Lanza and is based on information provided by Microsoft and David Litchfield.

Other Information

CVE IDs: CVE-1999-0715
Severity Metric: 16.88
Date Public: 1999-05-19
Date First Published: 2002-06-13
Date Last Updated: 2002-06-25 20:33 UTC
Document Revision: 21

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis