__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

       Windows 2000 Default Permissions Could Allow Trojan Horse Program
                     [Microsoft Security Bulletin MS02-064]

November 1, 2002 14:00 GMT                                        Number N-012
______________________________________________________________________________
PROBLEM:       On Windows 2000, the default permissions provide the Everyone 
               group with Full access (Everyone:F) on the system root folder 
               (typically, C:\). 
PLATFORM:      Microsoft Windows 2000 
DAMAGE:        An attacker could mount a Trojan horse attack against other 
               users of the same system by creating a program in the system 
               root with the same name as some commonly used program, then 
               waiting for another user to subsequently log onto the system 
               and invoke the program. 
SOLUTION:      Change access permissions on the Windows 2000 system root 
               directory. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The systems primarily at risk from this 
ASSESSMENT:    vulnerability would be workstations that are shared between 
               multiple users, and local terminal server sessions. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-012.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?
                        url=/technet/security/bulletin/MS02-064.asp 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-064 *****]


Microsoft Security Bulletin MS02-064 

Windows 2000 Default Permissions Could Allow Trojan Horse Program (Q327522)
Originally posted: October 30, 2002

Summary

Who should read this bulletin: System administrators running Microsoft® Windows® 2000. 

Impact of vulnerability: Trojan Horse program execution 

Maximum Severity Rating: Moderate 

Recommendation: Administrators should consider changing access permissions on the 
Windows 2000 system root directory. 

Affected Software: 

Microsoft Windows 2000 



Technical details

Technical description: 


On Windows 2000, the default permissions provide the Everyone group with Full access 
(Everyone:F) on the system root folder (typically, C:\). In most cases, the system 
root is not in the search path. However, under certain conditions – for instance, 
during logon or when applications are invoked directly from the Windows desktop via 
Start | Run – it can be. 

This situation gives rise to a scenario that could enable an attacker to mount a 
Trojan horse attack against other users of the same system, by creating a program in 
the system root with the same name as some commonly used program, then waiting for 
another user to subsequently log onto the system and invoke the program. The Trojan 
horse program would execute with the user’s own privileges, thereby enabling it to 
take any action that the user could take. 

The simplest attack scenario would be one in which the attacker knew that a particular 
system program was invoked by a logon script. In that case, the attacker could create 
a Trojan horse with the same name as the system program, which would then be executed 
by the logon script the next time someone logged onto the system. Other scenarios 
almost certainly would require significantly greater user interaction – for instance, 
convincing a user to start a particular program via Start | Run – and would 
necessitate the use of social engineering. 

The systems primarily at risk from this vulnerability would be workstations that are 
shared between multiple users, and local terminal server sessions. Other systems would 
be at significantly less risk: 


Workstations that are not shared between users would be at no risk, because the 
attacker would require the ability to log onto the system in order to place the Trojan 
horse. 

Servers would be at no risk, if standard best practices have been followed that 
advocate only allowing trusted users to log onto them. 

Remote Terminal server sessions would be at little risk, because each user’s 
environment is isolated. That is, the system root is never the current folder – 
instead, the user’s Documents and Settings folder is, but the permissions on this 
folder would not enable an attacker to place a Trojan horse there. 


Mitigating factors: 

An attacker would require the ability to log onto the system interactively in order to 
place the Trojan horse program. It could not be placed remotely 

As discussed above, dedicated workstations, servers and remote terminal server 
sessions would be at less risk (or, in some cases, none at all) from the 
vulnerability. 


Severity Rating:  
              Internet Servers   Intranet Servers   Client Systems 
Windows 2000       Low               Low               Moderate 

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifier: CAN-2002-1184 

Tested Versions:
Microsoft tested Windows NT, Windows 2000, and Windows XP to assess whether they are 
affected by this vulnerability.


Patch availability

Download locations for this patch 
This vulnerability requires an administrative procedure rather than a patch. The 
needed changes are discussed in the FAQ. 



Additional information about this patch

Installation platforms: 
This permissions change can be made on systems running any version of Windows 2000. 

Caveats:
None 


Obtaining other security patches 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 


Other information: 

Acknowledgments
Microsoft thanks  Jason Miller of Security Focus (http://www.securityfocus.com) for 
reporting this issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article Q327522 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 


Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 

Revisions: 


V1.0 (October 30, 2002): Bulletin Created. 



[***** End Microsoft Security Bulletin MS02-064 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Mircrosoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-003: Microsoft Cumulative Patch for SQL Server
N-004: SGI rpcbind User-level Vulnerabilities
N-005: Apache 1.3.27 HTTP Server Release
N-006: HP pam_authz in LDAP-UX Integration Vulnerabilities
N-007: Microsoft Outlook Express Unchecked Buffer in S/MIME Vulnerability
N-008: Microsoft Elevation of Privilege in SQL Server Web Tasks
N-009: MIT krb5  Buffer Overflow in kadmind4
CIACTech03-001: Spamming using the Windows Messenger Service
N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files 
N-011: Cumulative Patch for Internet Information Service