From: Microsoft Product Security (secnotif@MICROSOFT.COM)
Date: Jun 25 2001 
--------------------------------------------------------------------------------


The following is a Security Bulletin from the Microsoft Product Security 
Notification Service. 


Please do not reply to this message, as it was sent from an unattended 
mailbox. 
                    ******************************** 


-----BEGIN PGP SIGNED MESSAGE----- 


- ---------------------------------------------------------------------- 
Title: Function Exposed via LDAP over SSL Could Enable 
            Passwords to be Changed 
Date: 25 June 2001 
Software: Windows 2000 
Impact: Privilege Elevation 
Bulletin: MS01-036 


Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-036.asp. 
- ---------------------------------------------------------------------- 


Issue: 
====== 
This vulnerability involves an LDAP function that is only available 
if 
the LDAP server has been configured to support LDAP over SSL 
sessions, 
and whose purpose is to allow users to change the data attributes of 
directory principals. By design, the function should check the 
authorizations of the user before completing the request; however, it 
contains an error that manifests itself only when the directory 
principal is a domain user and the data attribute is the domain 
password -- when this is the case, the function fails to check the 
permissions of the requester, with the result that it could be 
possible 
for a user to change any other user's domain login password. 


An attacker could change another user's password for either of two 
purposes: to cause a denial of service by preventing the other user 
from logging on, or in order to log into the user's account and gain 
any privileges the user had. Clearly, the most serious case would be 
one in which the attacker changed a domain administrator's password 
and 
logged into the administrator's account. 


By design, the function affected can be called by any user who can 
connect to the LDAP server, including users who connect via anonymous 
sessions. As a result, any user who could establish a connection with 
an affected server could exploit the vulnerability. 


Mitigating Factors: 
==================== 
 - LDAP over SSL sessions cannot be conducted unless the 
   administrator has installed a digital certificate on the LDAP 
   server. As a result, default installations of Windows 2000 
   are not affected by this vulnerability. 
 - If the firewall is configured to block tcp port 636, the 
   vulnerability could not be exploited by outside users. 
 - This vulnerability could not be used to change the password 
   of local user accounts on individual machines. 


Patch Availability: 
=================== 
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin 
   http://www.microsoft.com/technet/security/bulletin/ms01-036.asp 
   for information on obtaining this patch. 


Acknowledgment: 
=============== 
 - Jon McDonald (http://www.entrigue.net) 
 - Russ Cooper (http://www.ntbugtraq.com) 


- --------------------------------------------------------------------- 


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL 
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, 
LOSS 
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION 
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH 
DAMAGES. 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR 
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY 
NOT 
APPLY. 




-----BEGIN PGP SIGNATURE----- 
Version: PGP Personal Privacy 6.5.3 


iQEVAwUBOzfaRo0ZSRQxA/UrAQE22gf/W+GD69o8ARA8tPFFJ1hEEa+ISUCqzsad 
KCozn4q15zGvZZnM4INxaiD5tPZKkJWIyx8+w5V4AdgTJDLF2YW8ADdk7Dpt1gk9 
bOMkr9ipsX5qP5eD3c2cOj+kIQUKQ4Ql5UOW2l6HvrRZUXHyL9sHPpK1+1vwej2z 
E9/x0VTDDKu3uc3KTHFFTVbgIfibT4z3zcZUDC0omH8oU+3eNjYwn343ATd+LXMx 
Hpsrhrq/gvZc98FYEOW0Re9kHoGuLkDWqdtz63xOxziHjliASPpxsxmJ71bAx0v4 
bVuQYQQ+AZklgYwzYDkCfciTfOjjRvi82whlzMDur/t6UtwW3Fe1Zg== 
=QExj 
-----END PGP SIGNATURE----- 


   ******************************************************************* 
You have received this e-mail bulletin as a result of your registration 
to the Microsoft Product Security Notification Service. You may 
unsubscribe from this e-mail notification service at any time by sending 
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM 
The subject line and message body are not used in processing the request, 
and can be anything you like. 


To verify the digital signature on this bulletin, please download our PGP 
key at http://www.microsoft.com/technet/security/notify.asp. 


For more information on the Microsoft Security Notification Service 
please visit http://www.microsoft.com/technet/security/notify.asp. For 
security-related information about Microsoft products, please visit the 
Microsoft Security Advisor web site at http://www.microsoft.com/security. 


_____________________________________________________________________ 
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" 
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" 
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net