• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Microsoft Windows 2000 Unauthorized Password Change Vulnerability

Severity: MODERATE

Description:

'NetUserChangePassword' is a security function used in a Windows 2000 network environment. By default the Active Control List only allows administrators and account operators to call this function. The 'NetuserChangePassword' function is invoked when an authorized user attempts to change a network password.

Due to a flaw in Windows 2000's implementation of the 'NetuserChangePassword' function, it is possible for a normal user to change network passwords. Attempting to change the domain password of any user via the Windows Security interface (Windows Security interface appears when using Ctrl-Alt-Del), can be achieved via password guessing or brute force techniques.

Depending on network security settings, after a number of change password failures the account could lock up.
This account lock up security feature could be invoked specifically, when a user fails to specify the correct old password.

Successful exploitation of this vulnerability could lead to a denial of service for the victim user, and possibly lead to a complete compromise of the host.

Affected Products:

• Avaya DefinityOne Media Servers
• Avaya IP600 Media Servers
• Avaya S3400 Message Application Server
• Avaya S8100 Media Servers
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Advanced Server SP1
• Microsoft Windows 2000 Advanced Server SP2
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Datacenter Server SP1
• Microsoft Windows 2000 Datacenter Server SP2
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Professional SP1
• Microsoft Windows 2000 Professional SP2
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Server SP1
• Microsoft Windows 2000 Server SP2
• Microsoft Windows 2000 Terminal Services
• Microsoft Windows 2000 Terminal Services SP1
• Microsoft Windows 2000 Terminal Services SP2

References:

• Alberto Aragones <quimeras@QUIMERAS.COM>: Changing NT/2000 accounts password from the command line
• Russ <Russ.Cooper@RC.ON.CA>: Re: Changing NT/2000 accounts password from the command line

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.