COMMAND

    IOCTLs

SYSTEMS AFFECTED

    WinNT

PROBLEM

    The following is based on a Microsoft Security Bulletin. The IOCTLs
    that are used to obtain services from the keyboard and mouse drivers
    in Windows NT do not require that the calling program have
    administrative privileges. A user-level program could use legitimate
    calls to disable the mouse and keyboard, after which the machine
    would need to be rebooted to restore normal service. On a terminal
    server, such a program could disable the keyboard and mouse on the
    console.

    The vulnerability could allow denial of service attacks against a
    Windows NT machine by enabling a malicious user to disable the mouse
    and keyboard. The machine would need to be rebooted to restore the
    mouse and keyboard. This vulnerability does not allow any data to be
    compromised, nor does it allow any elevation of privileges.

    Why is this vulnerability called the "Unprotected IOCTL"
    vulnerability? First, let's explain what an IOCTL is. Windows NT
    provides the ability for applications to directly request services
    of device drivers. The interface through which this is done is
    called an Input Output Control, or IOCTL. Like all operating system
    services, some IOCTLs are appropriate for normal users to use and
    others should be reserved for privileged users only. The root
    problem in this vulnerability is that the IOCTLs for the mouse and
    keyboard are unprotected (that is, available for use by normal
    users) when they should not be.

    This doesn't sound so bad. Why is this a security vulnerability? For
    workstations and servers, this poses a denial of service threat
    because the mouse and keyboard are not returned to service when the
    user logs off. For example, if a kiosk workstation allowed users to
    run arbitrary programs, or if a server allowed normal users to log
    on interactively and run arbitrary programs, a malicious user could
    disable the machine's keyboard and mouse, thereby preventing the
    machine's use until it had been rebooted. It's worth noting that
    normal security practices recommend against allowing either of these
    situations: kiosk workstations should restrict users to running only
    approved applications, and servers should generally allow only
    administrators to log on interactively.

    For terminal servers, a malicious user could use this vulnerability
    to disable not only the keyboard and mouse on the local machine, but
    also those on the console. This would not interfere with any of the
    ongoing terminal server sessions, but the server would need to be
    rebooted in order to restore the console's mouse and keyboard.
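    The following is an added example, not code from the bulletin or from
    Microsoft's drivers. It models, in portable user-mode C, the access
    check the NT I/O manager applies to a DeviceIoControl request: the
    access bits encoded in the control code (the CTL_CODE layout and the
    FILE_*_ACCESS values are the real ones from winioctl.h) are compared
    against the access the caller was granted when it opened the device,
    which in turn comes from the device object's DACL. The device state,
    the DACL model and every IOCTL_DEMO_* code are assumptions made for the
    demonstration. A disabling IOCTL defined with FILE_ANY_ACCESS is
    reachable by any user who can open the device, which is the class of
    defect described above; the same function number defined with
    FILE_WRITE_ACCESS is refused for a handle that only has read access.

```c
/* Added example (not from the bulletin or Microsoft): a user-mode model of
 * how the NT I/O manager gates an IOCTL on the access bits in its control
 * code and on the access the caller obtained when opening the device.
 * Everything prefixed IOCTL_DEMO_, and the device/DACL model, is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access bits carried in bits 14-15 of a control code (values as in winioctl.h). */
#define FILE_ANY_ACCESS   0
#define FILE_READ_ACCESS  1
#define FILE_WRITE_ACCESS 2
#define METHOD_BUFFERED   0

/* Same bit layout as the real CTL_CODE macro. */
#define CTL_CODE(DeviceType, Function, Method, Access)                   \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |       \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define FILE_DEVICE_KEYBOARD 0x0000000b   /* real device type value from winioctl.h */

/* Hypothetical control codes for the demo keyboard device. The two DISABLE
 * codes share function number 0x801 and differ only in the access bits. */
#define IOCTL_DEMO_KBD_QUERY_LEDS          CTL_CODE(FILE_DEVICE_KEYBOARD, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DEMO_KBD_DISABLE_UNPROTECTED CTL_CODE(FILE_DEVICE_KEYBOARD, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DEMO_KBD_DISABLE_PROTECTED   CTL_CODE(FILE_DEVICE_KEYBOARD, 0x801, METHOD_BUFFERED, FILE_WRITE_ACCESS)

enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED = 1, STATUS_INVALID_DEVICE_REQUEST = 2 };

/* Access granted on the handle when the device was opened. */
typedef struct { bool read; bool write; } handle_access_t;

/* Simulated device state: the thing the denial of service takes away. */
typedef struct { bool enabled; } kbd_device_t;

/* Model of a restrictive device DACL: everyone may open for read, only
 * administrators for write. A permissive DACL that granted write to
 * everyone would defeat the access bits below just as badly. */
handle_access_t open_device(bool caller_is_admin) {
    handle_access_t h = { .read = true, .write = caller_is_admin };
    return h;
}

/* The check the I/O manager performs before the driver ever sees the IRP:
 * each access bit required by the control code must be held by the handle. */
int ioctl_access_check(uint32_t code, handle_access_t h) {
    uint32_t required = (code >> 14) & 0x3;
    if ((required & FILE_READ_ACCESS) && !h.read)   return STATUS_ACCESS_DENIED;
    if ((required & FILE_WRITE_ACCESS) && !h.write) return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

/* Driver dispatch routine, reached only after the access check passed. */
int kbd_dispatch(kbd_device_t *dev, uint32_t code, handle_access_t h) {
    int st = ioctl_access_check(code, h);
    if (st != STATUS_SUCCESS) return st;
    switch (code) {
    case IOCTL_DEMO_KBD_QUERY_LEDS:
        return STATUS_SUCCESS;            /* harmless query, fine for any user */
    case IOCTL_DEMO_KBD_DISABLE_UNPROTECTED:
    case IOCTL_DEMO_KBD_DISABLE_PROTECTED:
        dev->enabled = false;             /* privileged operation */
        return STATUS_SUCCESS;
    default:
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}

/* Status returned to a caller of the given privilege issuing the given code. */
int ioctl_status(bool caller_is_admin, uint32_t code) {
    kbd_device_t dev = { .enabled = true };
    return kbd_dispatch(&dev, code, open_device(caller_is_admin));
}

/* Whether a fresh keyboard device ends up disabled after that request. */
bool keyboard_disabled_after(bool caller_is_admin, uint32_t code) {
    kbd_device_t dev = { .enabled = true };
    kbd_dispatch(&dev, code, open_device(caller_is_admin));
    return !dev.enabled;
}

int main(void) {
    printf("normal user, unprotected disable: status %d, disabled=%d\n",
           ioctl_status(false, IOCTL_DEMO_KBD_DISABLE_UNPROTECTED),
           keyboard_disabled_after(false, IOCTL_DEMO_KBD_DISABLE_UNPROTECTED));
    printf("normal user, protected disable:   status %d, disabled=%d\n",
           ioctl_status(false, IOCTL_DEMO_KBD_DISABLE_PROTECTED),
           keyboard_disabled_after(false, IOCTL_DEMO_KBD_DISABLE_PROTECTED));
    printf("administrator, protected disable: status %d, disabled=%d\n",
           ioctl_status(true, IOCTL_DEMO_KBD_DISABLE_PROTECTED),
           keyboard_disabled_after(true, IOCTL_DEMO_KBD_DISABLE_PROTECTED));
    return 0;
}
```

    The point of the model is that protection has two halves that must
    agree: the control code must demand FILE_READ_ACCESS or
    FILE_WRITE_ACCESS rather than FILE_ANY_ACCESS, and the device object's
    security descriptor must hand that access only to the callers who
    should have it. Fixing either half alone leaves the IOCTL unprotected.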

SOLUTION

    Patch Availability:

      Windows NT Server and Workstation 4.0:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/IOCTL-fix/

      Windows NT Server 4.0, Terminal Server Edition:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40tse/Hotfixes-PostSP4/IOCTL-fix/