| VID | 26006 |
| Severity | 40 |
| Port | 139 |
| Protocol | TCP |
| Class | SMB |
| Detailed Description |
The hotfix (Q320206) for the 'Authentication Flaw in Windows Debugger' has not been applied. A vulnerability has been reported in Microsoft Windows 2000 and NT 4 which could allow a user to gain SYSTEM-level privileges on the local host.
The Windows debugging facility provides a means for programs to perform diagnostic and analytic functions on applications as they are running on the operating system. One of these capabilities allows for a program, usually a debugger, to connect to any running program, and to take control of it. The program can then issue commands to the controlled program, including the ability to start other programs. These commands would then execute in the same security context as the controlled program. There is a flaw in the authentication mechanism for the debugging facility such that an unauthorized program can gain access to the debugger. A vulnerability results because an attacker can use this to cause a running program to run a program of her choice. She could take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system.
05/06/2002 - There have been reports of a mass mailing worm that exploits this vulnerability using the proof of concept exploit.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, resulting in a false negative for all vulnerable hosts.
* References: http://online.securityfocus.com/bid/4287, http://www.microsoft.com/technet/security/bulletin/ms02-024.asp
* Platforms Affected: Windows NT 4.0; Windows NT 4.0 Server, Terminal Server Edition; Windows 2000: All Versions |
| Recommendation |
Apply the appropriate patch for your system from the following locations:
* Windows NT 4.0: http://www.microsoft.com/ntserver/nts/downloads/security/q320206/default.asp
* Windows NT 4.0 Terminal Server Edition: http://www.microsoft.com/ntserver/terminalserver/downloads/security/Q320206/default.asp
* Windows 2000: http://www.microsoft.com/windows2000/downloads/security/q320206/default.asp |
| Related URL | CVE-2002-0367 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
|