Security Bulletin

Microsoft Security Bulletin MS03-025 - Important

Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679)

Published: July 09, 2003 | Updated: April 13, 2004

Version: 1.2

Originally posted: July 9, 2003
Updated: April 13, 2004
Version: 1.2

Summary

Who should read this bulletin:  Customers using Microsoft® Windows® 2000

Impact of vulnerability:  Privilege elevation

Maximum Severity Rating:  Important

Recommendation:  Customers should install the patch at the earliest opportunity.

End User Bulletin:  An end user version of this bulletin is available at:

https:

Affected Software:

  • Microsoft Windows 2000

Not Affected Software:

  • Microsoft Windows Me
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0, Terminal Services Edition
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

General Information

Technical details

Technical description:

Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. A security update is now available from Microsoft Product Support Services for customers running Windows 2000 Service Pack 2. Contact Microsoft Product Support Services to obtain this additional security update.

Microsoft Windows 2000 contains support for Accessibility options within the operating system. Accessibility support is a series of assistive technologies within Windows that allow users with disabilities to still be able to access the functions of the operating system. Accessibility support is enabled or disabled through shortcuts built into the operating system, or through the Accessibility Utility Manager. Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (Microsoft Magnifier, Narrator, On-Screen Keyboard) and to start or stop them.

There is a flaw in the way that Utility Manager handles Windows messages. Windows messages provide a way for interactive processes to react to user events (for example, keystrokes or mouse movements) and communicate with other interactive processes. A security vulnerability results because the control that provides the list of accessibility options to the user does not properly validate Windows messages sent to it. It's possible for one process in the interactive desktop to use a specific Windows message to cause the Utility Manager process to execute a callback function at the address of its choice. Because the Utility Manager process runs at higher privileges than the first process, this would provide the first process with a way of exercising those higher privileges.

By default, the Utility Manager contains controls that run in the interactive desktop with Local System privileges. As a result, an attacker who had the ability to log on to a system interactively could potentially run a program that could send a specially crafted Windows message upon the Utility Manager process, causing it to take any action the attacker specified. This would give the attacker complete control over the system.

The attack cannot be exploited remotely, and the attacker would have to have the ability to interactively log on to the system.

Mitigating factors:

  • An attacker would need valid logon credentials to exploit the vulnerability. It could not be exploited remotely.
  • Properly secured servers would be at little risk from this vulnerability. Standard best practices recommend only allowing trusted administrators to log on to such systems interactively; without such privileges, an attacker could not exploit the vulnerability.

Severity Rating:

Windows 2000 Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0350

Tested Versions:

Microsoft tested Windows Me, Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why has Microsoft issued new security update for Windows 2000 Service Pack 2?
Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. A security update is now available from Microsoft Product Support Services for customers running Windows 2000 Service Pack 2. Contact Microsoft Product Support Services to obtain this additional security update.

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could gain unwarranted privileges on a system. In this case, the attacker could gain full administrative privileges, thereby gaining the ability to take any action they want on the machine, such as adding, deleting, or modifying data on the system, creating or deleting user accounts, and adding accounts to the local administrators group. The vulnerability could only be exploited by an attacker who had credentials to log on to the computer interactively. Best practices suggest that unprivileged users not be allowed to interactively log on to business-critical servers; if this guidance has been followed, such servers would not be at risk from this vulnerability. Instead, the systems primarily at risk would be workstations and terminal servers.

What causes the vulnerability?
The vulnerability results because it is possible for an unprivileged user to cause code to be executed by a highly privileged process on the interactive desktop using Utility Manager in combination with a specially crafted Windows message.

What are Accessibility utilities?
Microsoft recognizes its responsibility to develop technology that is accessible and usable to everyone, including those with disabilities. Therefore all Microsoft products are designed with functionality and utilities to assist in enabling those with disabilities to use the features of the products. These utilities are known as Accessibility utilities. Windows 2000 contains several utilities and technologies to provide accessibility within the product. A detailed list of these utilities can be found at: </https:>https:

Where does Microsoft document the available Accessibility options in its products?
More information on accessibility options within Microsoft Products can be found at the Microsoft Accessibility Web site at: </https:>https:

What is the Utility Manager?
Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (Microsoft Magnifier, Narrator, On-Screen Keyboard) and to start or stop them.

What do you mean by a "desktop"?
Normally, when we refer to a "desktop" we mean the Windows desktop created by Explorer that you see on your screen during a Windows session. However, in the Windows security architecture, the term "desktop" actually has a different meaning. Desktops are used to encapsulate windows and related objects in Windows in order to ensure that a process is properly restricted to only authorized activities. It's easier to explain what a desktop is and how it works if we start with the layer of granularity above the desktop, the windowsstation.

What's a windowstation?
A windowstation is a container that contains a clipboard, some global information, and a set of one or more desktops. The interactive windowstation assigned to the logon session of the interactive user also contains the keyboard, mouse, and display device. The interactive windowstation is visible to the user and can receive input from the user. All other windowstations are noninteractive, which means that they can't be made visible to the user and can't receive user input. A process can be associated with only one desktop at a time.

What's an interactive desktop?
A desktop is a container object that is contained within a window station. There may be many desktops contained within a windowsstation. A desktop has a logical display surface and contains windows, menus, and hooks. Only the desktops of the interactive window station can be visible and receive user input. On the interactive windowstation, only one desktop at a time is active. This active desktop, also referred to as the interactive desktop or input desktop, is the one that is currently visible to the user and that receives user input.

What are Windows messages?
Processes running on Windows interact with the system and other processes using messages. For instance, each time the user hits a key on the keyboard, moves the mouse, or clicks a control such as a scroll bar, Windows generates a message, the purpose of which is to alert the program that a user event has occurred, and deliver the data from that event to the program. Similarly, a program can generate messages as a way of allowing the various windows it controls to communicate with and task each other.

What's wrong with the way Windows messages are handled by the Windows 2000 Utility Manager?
The flaw actually lies in the way Utility Manager handles messages when presenting the list of available accessibility functions to the user. Utility Manager does not properly validate Windows messages sent to it. If Utility Manager is running on the system, it's possible for another process running on the system to send a specially crafted message to the Utility Manager process in the interactive desktop. The first process could set the address of the callback function, with the result being that the second process would execute the callback function specified by the first.

Why does this pose a security vulnerability?
Essentially, the flaw in Utility Manager would provide a way for one process on the interactive desktop to cause the Utility Manager to do its bidding. If the second process had higher privileges, this would provide a way for the first to exercise them.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could first start Utility Manager, then could create a process that would levy requests upon the Utility Manager once it was running. In default configurations of Windows 2000, Utility Manager is installed but not running. Exploiting the vulnerability in such a case would enable the attacker to gain complete control over the system.

Who could exploit the vulnerability?
To exploit the vulnerability, the attacker would need the ability to log on to the system, start Utility Manager, load a program of his or her choice (one that sent a message to Utility Manager and specified a callback function that would perform some desired task), and run it.

What versions of the Utility Manager are vulnerable to this attack?
Only the Windows 2000 version of Utility Manager contains the vulnerability. Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows XP, and Windows Server 2003 are not affected.

What systems are primarily at risk from the vulnerability?
In general, workstations and terminal servers would be mainly at risk. Servers would only be at risk if unprivileged users had been given the ability to log on to them and run programs, but best practices strongly discourage allowing this. Could the vulnerability be exploited from the Internet? No. The attacker would need the ability to log on to the specific system he or she wished to attack. There is no capability to load and run a program in the interactive desktop remotely. What does the patch do? The patch addresses the vulnerability by changing the handling of Windows messages by the Utility Manager so that messages are properly validated and that an unregistered callback function cannot be called.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3. In addition, the fix for this issue is included in Windows 2000 Service Pack 4.

Note Customers running Windows 2000 Service Pack 2 should contact Microsoft Product Support Services to obtain this additional security update.

Inclusion in future service packs:

The fix for this issue is included in Windows 2000 Service Pack 4.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows 2000:

    To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB822679

    To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\KB822679\Filelist

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks Chris Paget of Next Generation Security Software Ltd. for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 822679 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (July 9, 2003): Bulletin Created.
  • V1.1 July 10, 2003: Corrected patch verification registry keys.
  • V1.2 April 13, 2004: Added FAQ to inform customers about the availability of a security update for Windows 2000 Service Pack 2.

Built at 2014-04-18T13:49:36Z-07:00 </https:>