COMMAND
GINA (RegAPI.DLL)
SYSTEMS AFFECTED
NT 4.0 Terminal Server
PROBLEM
Following is based on a CORE SDI Vulnerability Report
CORE-20001108. GINA stands for Graphical Identification and
Authorization and describes an interface for the validation of
logon credentials. The default implementation is MSGINA.DLL.
The MSGINA.DLL in Microsoft Windows NT 4.0 is responsible for
performing the authentication policy of the interactive logon
model, and is expected to perform all identification and
authentication user interactions.
Microsoft Windows NT 4.0 Terminal Server ships with a remotely
and locally exploitable buffer overflow in a Dynamically Linked
Library (RegAPI.DLL) that MSGINA.DLL uses.
It could be exploited by entering a long string in the username
field. This buffer overflow when being triggered will result in
a system crash (if triggered locally) or a connection drop (if
triggered remotely).
By providing a specially crafted username an attacker has the
ability to obtain access to the Terminal Server and execute
arbitrary commands as user SYSTEM.
This vulnerability was discovered by Bruno Acselrad of CORE SDI.
So, Windows NT 4.0 Terminal Server has a remotely and locally
exploitable buffer overflow in the GINA subsystem. Entering a
long username in the username edit box will make the system crash
(if done locally) or drop the connection (if done remotely). The
problem occurs when MSGINA.DLL calls the RegUserConfigQuery()
function in RegAPI.DLL.
Within that function wcscpy() is first called and then wcscat()
appends a fixed key and the username string to a local variable
of fixed length, with no check that the username fits.
This local variable can be overflowed resulting in the execution
of arbitrary commands on the vulnerable host.
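The defect pattern described above, shown as an added C example that is not code from the CORE SDI advisory, from RegAPI.DLL or from Microsoft. The buffer size KEY_BUF_CHARS, the key prefix KEY_PREFIX and every function name are constructed assumptions for illustration; the real sizes and key names in RegAPI.DLL are not given in the advisory. build_key_unsafe() has the wcscpy()/wcscat() shape the advisory describes, and build_key_safe() is the bounded form: measure first, refuse a username that would not fit together with the terminator, then copy with explicit counts.

```c
#include <stddef.h>
#include <wchar.h>

/* Constructed values for illustration only: the real local buffer size and
 * registry key prefix inside RegAPI.DLL are not given in the advisory. */
#define KEY_BUF_CHARS 64
#define KEY_PREFIX    L"CONSTRUCTED\\Key\\Prefix\\"

/* The defect pattern the advisory describes: wcscpy() followed by wcscat()
 * into a fixed-length local buffer, with the username length never checked.
 * Present only for comparison with the hardened form below; it must never
 * see caller-controlled input. */
void build_key_unsafe(wchar_t *key, const wchar_t *username)
{
    wcscpy(key, KEY_PREFIX);   /* fixed key first ... */
    wcscat(key, username);     /* ... then the caller-controlled string */
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with the terminating L'\0', and copy with explicit counts.
 * Returns 0 on success, -1 if the combined string does not fit. */
int build_key_safe(wchar_t *key, size_t key_chars, const wchar_t *username)
{
    size_t prefix_len = wcslen(KEY_PREFIX);
    size_t user_len   = wcslen(username);

    if (key_chars == 0 || prefix_len >= key_chars)
        return -1;                       /* prefix alone does not fit */
    if (user_len > key_chars - 1 - prefix_len)
        return -1;                       /* username would overflow */

    wmemcpy(key, KEY_PREFIX, prefix_len);
    wmemcpy(key + prefix_len, username, user_len);
    key[prefix_len + user_len] = L'\0';
    return 0;
}

/* Wrapper with a stack buffer of KEY_BUF_CHARS, mirroring the fixed-length
 * local variable in the advisory. Returns the length of the built key, or
 * -1 when the username was rejected. */
int key_length_for(const wchar_t *username)
{
    wchar_t key[KEY_BUF_CHARS];
    if (build_key_safe(key, KEY_BUF_CHARS, username) != 0)
        return -1;
    return (int)wcslen(key);
}

/* Builds a constructed username of n characters (capped at twice the buffer)
 * and reports whether the hardened builder accepts it: 1 = fits, 0 = rejected. */
int username_of_length_fits(size_t n)
{
    wchar_t name[KEY_BUF_CHARS * 2 + 1];
    if (n > KEY_BUF_CHARS * 2)
        n = KEY_BUF_CHARS * 2;
    for (size_t i = 0; i < n; i++)
        name[i] = L'B';
    name[n] = L'\0';
    return key_length_for(name) != -1;
}

int main(void)
{
    wchar_t key[KEY_BUF_CHARS];
    size_t  max_user = KEY_BUF_CHARS - 1 - wcslen(KEY_PREFIX);

    /* short username: both builders produce the same key */
    build_key_unsafe(key, L"alice");
    wprintf(L"unsafe: %ls\n", key);
    if (build_key_safe(key, KEY_BUF_CHARS, L"alice") == 0)
        wprintf(L"safe:   %ls (%d chars)\n", key, key_length_for(L"alice"));

    /* boundary: the longest username that fits, and one character more */
    wprintf(L"%zu chars fit: %d\n", max_user, username_of_length_fits(max_user));
    wprintf(L"%zu chars fit: %d\n", max_user + 1, username_of_length_fits(max_user + 1));
    return 0;
}
```

The check in build_key_safe() is written as a subtraction on the remaining space rather than as prefix_len + user_len + 1 <= key_chars, so that an attacker-controlled length cannot wrap the addition; that is the same arithmetic discipline a reviewer would look for wherever a fixed key and untrusted input are joined in one buffer.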
SOLUTION
Patch availability:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25565