
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

          Microsoft Vulnerability in POSIX Could Allow Code Execution
                     [Microsoft Security Bulletin MS04-020]

July 14, 2004 17:00 GMT                                           Number O-181
[REVISED 10 Aug 2004]
______________________________________________________________________________
PROBLEM:       An unchecked buffer vulnerability exists in the Portable 
               Operating System Interface for UNIX (POSIX) operating system 
               component (subsystem). POSIX provides support for nonnative 
               applications by emulating the environment in which it was 
               designed to be processed. 
PLATFORM:      Microsoft Windows NT Workstation 4.0 Service Pack 6a 
               Microsoft Windows NT Server 4.0 Service Pack 6a Microsoft 
               Windows NT Server 4.0 Terminal Server Edition Service Pack 
               Microsoft Windows 2000 Service Pack 2 
               Microsoft Windows 2000 Service Pack 3 
               Microsoft Windows 2000 Service Pack 4 
               Microsoft INTERIX 2.2
DAMAGE:        An attacker who logs on to a local system that has POSIX 
               subsystem enabled may take complete control of an affected 
               system, including installing programs; viewing, changing or 
               deleting data; or creating new accounts that have full 
               privileges. 
SOLUTION:      Install the security update. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local attacker could gain root 
ASSESSMENT:    privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-181.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/bulletin/
                       ms04-020.mspx 
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CAN-2004-0210 
______________________________________________________________________________
REVISION HISTORY:
08/10/04 - added INTERIX 2.2 to Affected Software section of Microsoft Security 
           Bulletin MS04-020. 

[***** Start Microsoft Security Bulletin MS04-020 *****]

Microsoft Security Bulletin MS04-020
Vulnerability in POSIX Could Allow Code Execution (841872)

Issued: July 13, 2004
Updated: August 10, 2004
Version: 2.0
Summary

Who should read this document: Customers who use Microsoft® Windows® 2000 or Windows NT 4.0

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest opportunity.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

• Microsoft INTERIX® 2.2 – Download the update

• Microsoft Windows NT® Workstation 4.0 Service Pack 6a – Download the update
 
• Microsoft Windows NT Server 4.0 Service Pack 6a – Download the update
 
• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 
  – Download the update
 
• Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, 
  Microsoft Windows 2000 Service Pack 4 – Download the update
 

Non-Affected Software:

• Microsoft Windows XP and Microsoft Windows XP Service Pack 1
 
• Microsoft Windows XP 64-Bit Edition Service Pack 1
 
• Microsoft Windows XP 64-Bit Edition Version 2003
 
• Microsoft Windows Server™ 2003
 
• Microsoft Windows Server 2003 64-Bit Edition
 
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft 
  Windows Millennium Edition (Me)
 

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support or 
may not be affected. To determine the support lifecycle for your product and 
version, visit the following Microsoft Support Lifecycle Web site.

Top of section

General Information

 Executive Summary 

Executive Summary:

This update resolves a newly-discovered, privately reported vulnerability. A 
privilege elevation vulnerability exists in the POSIX operating system 
component (subsystem). The vulnerability is documented in the Vulnerability 
Details section of this bulletin.

An attacker who successfully exploited this vulnerability could take complete 
control of an affected system, including installing programs; viewing, 
changing, or deleting data; or creating new accounts that have full privileges.

We recommend that customers install the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers:  POSIX Vulnerability - CAN-2004-0210
Impact of Vulnerability:   Privilege Elevation
 Windows NT 4.0:  Important 
 Windows 2000:  Important
 
This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that exploiting 
the vulnerability would have on them.

Top of section
 Frequently asked questions (FAQ) related to this security update 


Top of section
 Vulnerability Details 

 POSIX Vulnerability - CAN-2004-0210 

A privilege elevation vulnerability exists in the POSIX subsystem. This 
vulnerability could allow a logged on user to take complete control of the 
system.

 Mitigating Factors for POSIX Vulnerability - CAN-2004-0210: 

• An attacker must have valid logon credentials and be able to logon locally 
  to exploit this vulnerability. The vulnerability could not be exploited 
  remotely or by anonymous users. 
 
• Windows XP and Windows Server 2003 are not affected by this vulnerability.
 

Top of section
 Workarounds for POSIX Vulnerability - CAN-2004-0210: 

Microsoft has tested the following workarounds. While these workarounds will 
not correct the underlying vulnerability, they help block known attack vectors. 
When a workaround reduces functionality, it is identified below.

• Disable the POSIX subsystem through the registry

This workaround is fully documented in Microsoft Knowledge Base Article 101270. 
This article is summarized in the following paragraphs. 

The following steps demonstrate how to disable the POSIX subsystem. 

Note Using Registry Editor incorrectly can cause serious problems that may 
require you to reinstall your operating system. Microsoft cannot guarantee 
that problems resulting from the incorrect use of Registry Editor can be 
solved. Use Registry Editor at your own risk. 

For information about how to edit the registry, view the "Changing Keys And 
Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and 
Delete Information in the Registry" and "Edit Registry Data" Help topics in 
Regedt32.exe. 

Note We recommend backing up the registry before you edit it.

1. Click Start, click Run, type "regedt32" (without the quotation marks), 
   and then click OK.
 
2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Posix

3. Click the POSIX data value, click Edit, and then click Delete.
 
4. Click OK to confirm the delete, and then restart the system.

Note To enable the POSIX subsystem, re-create the registry key. The name if 
the registry key is Posix, the type of registry key is REG_EXPAND_SZ, and 
the registry key value is %SystemRoot%\system32\psxss.exe. After you have 
done this, restart the system.
 

Impact of Workaround: POSIX programs are disabled until the POSIX subsystem 
is enabled.
 

Top of section
 FAQ for POSIX Vulnerability - CAN-2004-0210: 

Top of section
Top of section
Top of section
 Security Update Information 

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click 
the appropriate link:

 Windows 2000 (all versions) 

Prerequisites

For Windows 2000, this security update requires Service Pack 2 (SP2), Service 
Pack 3 (SP3), or Service Pack 4 (SP4).

The software that is listed has been tested to determine if the versions are 
affected. Other versions either no longer include security update support 
or may not be affected. To determine the support lifecycle for your product 
and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see 
Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs:

The update for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following setup switches:

      /help                 Displays the command line options

Setup Modes

      /quiet                Quiet mode (no user interaction or display)

      /passive            Unattended mode (progress bar only)

      /uninstall          Uninstalls the package

Restart Options 

      /norestart          Do not restart when installation is complete

      /forcerestart      Restart after installation

Special Options 

      /l                 Lists installed Windows hotfixes or update packages

      /o                 Overwrite OEM files without prompting

      /n                 Do not backup files needed for uninstall

      /f                 Force other programs to close when the computer shuts down

      /extract           Extracts files without starting setup 

Note You can combine these switches into one command. For backward compatibility, 
the security update also supports the setup switches that the previous 
version of the setup utility uses. For more information about the supported 
installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following 
command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 
Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb841872-x86-enu /passive /quiet

To install the security update without forcing the system to restart, use 
the following command at a command prompt for Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4:

Windows2000-kb841872-x86-enu /norestart

For more information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the required services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in 
Control Panel.

System administrators can also use the Spuninst.exe utility to remove 
this security update. The Spuninst.exe utility is located in the %Windir%\
$NTUninstallKB841872$\Spuninst folder. The Spuninst.exe utility supports 
the following setup switches:

/?: Show the list of installation switches. 

/u: Use unattended mode. 

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete. 

/q: Use Quiet mode (no user interaction). 

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file 
information, it is converted to local time. To find the difference between 
UTC and local time, use the Time Zone tab in the Date and Time tool in 
Control Panel.

Note Date, time, file name, or size information could change during 
installation. Refer to the Verifying Update Installation section for 
details on verifying an installation.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 
2000 Service Pack 4:

Date         Time   Version        Size     File name
------------------------------------------------------
16-May-2004  19:32  5.0.2195.6929  90,384   Psxss.exe

Verifying Update Installation 

• Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, 
you may be able to use the Microsoft Baseline Security Analyzer (MBSA) 
tool. This tool allows administrators to scan local and remote systems 
for missing security updates and for common security misconfigurations. 
For more information about MBSA, visit the Microsoft Baseline Security 
Analyzer Web site.
 
• File Version Verification

Note Because there are several versions of Microsoft Windows, the following 
steps may be different on your computer. If they are, see your product 
documentation to complete these steps.

1. Click Start, and then click Search.
 
2. In the Search Results pane, click All files and folders under Search 
   Companion.
 
3. In the All or part of the file name box, type a file name from the 
   appropriate file information table, and then click Search.
 
4. In the list of files, right-click a file name from the appropriate 
   file information table, and then click Properties. 

Note Depending on the version of the operating system or programs installed, 
some of the files that are listed in the file information table may not be 
installed.
 
5. On the Version tab, determine the version of the file that is installed 
on your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.
 
 
• Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB841872\Filelist

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 841872 security update into the 
Windows installation source files.
 

Top of section

 Windows NT 4.0 (all versions) 

Prerequisites
This security update requires Windows NT Workstation 4.0 Service Pack 6a 
(SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 
4.0 Terminal Server Edition Service Pack 6 (SP6).

The software that is listed has been tested to determine if the versions 
are affected. Other versions either no longer include security update 
support or may not be affected. To determine the support lifecycle for 
your product and version, visit the following Microsoft Support Lifecycle 
Web site.

For more information about obtaining the latest service pack, see Microsoft 
Knowledge Base Article 152734.

Installation Information

This security update supports the following setup switches:

   /y: Perform removal (only with /m or /q )

   /f: Force programs to quit during the shutdown process 

   /n: Do not create an Uninstall folder

   /z: Do not restart when the update completes

   /q: Use Quiet or Unattended mode with no user interface (this switch is a 
       superset of /m )

   /m: Use Unattended mode with a user interface

   /l: List the installed hotfixes

   /x: Extract the files without running Setup

Note You can combine these switches into one command. For more information 
about the supported installation switches, see Microsoft Knowledge Base 
Article 262841.

Deployment Information

To install the security update without any user intervention, use the 
following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb841872-x86-enu /q

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb841872-x86-enu /q

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb841872-x86-enu /q

To install the security update without forcing the system to restart, 
use the following command at a command prompt for Windows NT Server 4.0:

Windowsnt4server-kb841872-x86-enu /z

For Windows NT Server 4.0 Terminal Server Edition:

Windowsnt4terminalserver-kb841872-x86-enu /z

For Windows NT Workstation 4.0:

Windowsnt4workstation-kb841872-x86-enu /z

For more information about how to deploy this security update with Software 
Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a restart. The installer stops 
the needed services, applies the update, and then restarts the services. 
However, if the required services cannot be stopped for any reason or if 
required files are in use, this update will require a restart. If this 
occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add/Remove Programs tool in Control 
Panel.

System administrators can also use the Hotfix.exe utility to remove this 
security update. The Hotfix.exe utility is located in the %Windir%\
$NTUninstallKB841872$ folder. The Hotfix.exe utility supports the following 
setup switches:

/y: Perform removal (only with the /m or /q switch)

/f: Force programs to quit during the shutdown process

/n: Do not create an Uninstall folder

/z: Do not restart when the installation is complete

/q: Use Quiet or Unattended mode with no user interface (this switch is a 
    superset of the /m switch)

/m: Use Unattended mode with a user interface 

/l: List the installed hotfixes

File Information

The English version of this update has the file attributes (or later) that 
are listed in the following table. The dates and times for these files are 
listed in coordinated universal time (UTC). When you view the file information, 
it is converted to local time. To find the difference between UTC and local 
time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note Date, time, filename, or size information could change during installation. 
Refer to the Verifying Update Installation section for details on verifying 
an installation.

Windows NT Workstation 4.0 and Windows NT Server 4.0:

Date         Time   Version        Size     File name
------------------------------------------------------
20-May-2004  15:04  4.0.1381.7269  93,968  Psxss.exe

Windows NT Server 4.0 Terminal Server Edition:

Date         Time   Version         Size     File name
-------------------------------------------------------
21-May-2004  13:31  4.0.1381.33567  94,480   Psxss.exe

Verifying Update Installation 

• Microsoft Baseline Security Analyzer

To verify that a security update is installed on an affected system, you may 
be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This 
tool allows administrators to scan local and remote systems for missing security 
updates and for common security misconfigurations. For more information about 
MBSA, visit the Microsoft Baseline Security Analyzer Web site.
 
• File Version Verification

Note Because there are several versions of Microsoft Windows, the following 
steps may be different on your computer. If they are, see your product 
documentation to complete these steps.

1. Click Start, and then click Search.
 
2. In the Search Results pane, click All files and folders under Search 
   Companion.
 
3. In the All or part of the file name box, type a file name from the appropriate 
   file information table, and then click Search.
 
4. In the list of files, right-click a file name from the appropriate file 
   information table, and then click Properties. 

Note Depending on the version of the operating system or programs installed, 
some of the files that are listed in the file information table may not be 
installed.
 
5. On the Version tab, determine the version of the file that is installed 
on your computer by comparing it to the version that is documented in the 
appropriate file information table.

Note Attributes other than file version may change during installation. 
Comparing other file attributes to the information in the file information 
table is not a supported method of verifying the update installation. 
Also, in certain cases, files may be renamed during installation. If the 
file or version information is not present, use one of the other available 
methods to verify update installation.
 
 
• Registry Key Verification

You may also be able to verify the files that this security update has 
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\
KB841872\File 1

Note This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator 
or an OEM integrates or slipstreams the 841872 security update into the 
Windows installation source files.
 

Top of section
Top of section

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

• Rafal Wojtczuk working with McAfee for reporting the POSIX Vulnerability 
(CAN-2004-0210).
 

Obtaining Other Security Updates:

Updates for other security issues are available from the following locations:

• Security updates are available from the Microsoft Download Center: You 
can find them most easily by doing a keyword search for "security_patch".
 
• Updates for consumer platforms are available from the Windows Update Web site. 
 

Support: 

• Customers in the U.S. and Canada can receive technical support from 
Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge 
for support calls that are associated with security updates.
 
• International customers can receive support from their local Microsoft 
subsidiaries. There is no charge for support that is associated with 
security updates. For more information about how to contact Microsoft for 
support issues, visit the International Support Web site.
 

Security Resources: 

• The Microsoft TechNet Security Web site provides additional information 
about security in Microsoft products. 
 
• Microsoft Software Update Services
 
• Microsoft Baseline Security Analyzer (MBSA) 
 
• Windows Update 
 
• Windows Update Catalog: For more information about the Windows Update 
Catalog, see Microsoft Knowledge Base Article 323166.
 
• Office Update 
 

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can 
quickly and reliably deploy the latest critical updates and security 
updates to Windows 2000 and Windows Server 2003-based servers, and to 
desktop systems that are running Windows 2000 Professional or Windows 
XP Professional.

For more information about how to deploy this security update with 
Software Update Services, visit the Software Update Services Web site. 

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable 
enterprise solution for managing updates. By using SMS, administrators 
can identify Windows-based systems that require security updates and to 
perform controlled deployment of these updates throughout the 
enterprise with minimal disruption to end users. For more information 
about how administrators can use SMS 2003 to deploy security updates, 
see the SMS 2003 Security Patch Management Web site. SMS 2.0 users 
can also use Software Updates Service Feature Pack to help deploy 
security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft 
Office Detection Tool to provide broad support for security bulletin 
update detection and deployment. Some software updates may not be 
detected by these tools. Administrators can use the inventory capabilities 
of the SMS in these cases to target updates to specific systems. For 
more information about this procedure, see the following Web site. 
Some security updates require administrative rights following a restart 
of the system. Administrators can use the Elevated Rights Deployment 
Tool (available in the SMS 2003 Administration Feature Pack and in the 
SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer: 

The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability 
and fitness for a particular purpose. In no event shall Microsoft 
Corporation or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its 
suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability 
for consequential or incidental damages so the foregoing limitation 
may not apply.

Revisions: 

• V1.0 (July 13, 2004): Bulletin published

• V2.0 (August 10, 2004): Updated to reflect an additional affected product - Microsoft INTERIX 2.2
 

[***** End Microsoft Security Bulletin MS04-020 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-171: Hewlett Packard OpenSSL Potential Vulnerabilities
O-172: Sun Solaris 9 Patches
O-173: Debian Webmin Vulnerabilities
O-174: Ethereal Multiple Problems in 0.10.4
O-175: 'shell:' Protocol Security Issue
O-176: Adobe Acrobat and Adobe Reader Filename Handler Buffer Overflow
O-177: Multiple Vulnerabilities in ISC DHCP 3
O-178: Vulnerability in Task Scheduler Could Allow Code Execution
O-179: Microsoft Update for IIS 4.0 (841373)
O-180: Microsoft Utility Manager Vulnerability