MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed

This article was previously published under Q299687
This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft has released a patch that eliminates a security vulnerability in a component that is a part of Windows 2000 Service Pack 2 (SP2). This vulnerability involves a Lightweight Directory Access Protocol (LDAP) function that is only available if the LDAP server has been configured to support secure LDAP over Secure Sockets Layer (SSL) sessions, and whose purpose is to allow users to change the data attributes of directory principals. By design, the function should check the authorizations of the user before completing the request. However, it contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password. When this is the case, the function fails to check the permissions of the requester, with the result that it could be possible for a user to change any other user's domain login password.

An attacker could change another user's password for either of two purposes: to cause a denial of service by preventing the other user from logging on, or to log into the user's account and gain any privileges the user had. Clearly, the most serious case would be one in which the attacker changed a domain administrator's password and logged into the administrator's account.

By design, the function affected can be called by any user who can connect to the LDAP server, including users who connect by using anonymous sessions. As a result, any user who could establish a connection with an affected server could exploit the vulnerability.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
   Date        Time     Version         Size      File name
   -------------------------------------------------------------------------
   6/13/2001   05:32p   5.0.2195.3738   501,520   Lsasrv.dll (56-bit)
   6/21/2001   12:23a   5.0.2195.3737   355,088   Advapi32.dll
   6/21/2001   12:19a   5.0.2195.3738   519,440   Instlsa5.dll
   6/21/2001   12:23a   5.0.2195.3738   142,608   Kdcsvc.dll
   6/13/2001   05:43p   5.0.2195.3738   209,008   Kerberos.dll
   5/29/2001   09:26a   5.0.2195.3649    69,456   Ksecdd.sys
   6/13/2001   05:32p   5.0.2195.3738   501,520   Lsasrv.dll
   6/13/2001   05:32p   5.0.2195.3738    33,552   Lsass.exe
   6/21/2001   12:23a   5.0.2195.3758   909,072   Ntdsa.dll
   6/21/2001   12:23a   5.0.2195.3762   382,224   Samsrv.dll
   5/29/2001   09:53a   5.0.2195.3649   128,784   Scecli.dll
   5/30/2001   02:19a   5.0.2195.3649   299,792   Scesrv.dll
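The file table above is the only patch-level indicator the article gives, and version strings compare incorrectly as plain text. The following check is an added example, not code from the Microsoft article: it embeds the table's minimum versions and reports which listed binaries on a host are absent or older than the fix. The observed versions are assumed to have been collected separately (for instance from each file's version resource).

```python
from typing import Dict, List, Tuple

# Minimum versions from the advisory's file table ("or later"). Lsasrv.dll is listed
# twice (56-bit and standard build) with the same version, so it appears once here.
MS01_036_MIN_VERSIONS: Dict[str, str] = {
    "lsasrv.dll": "5.0.2195.3738",
    "advapi32.dll": "5.0.2195.3737",
    "instlsa5.dll": "5.0.2195.3738",
    "kdcsvc.dll": "5.0.2195.3738",
    "kerberos.dll": "5.0.2195.3738",
    "ksecdd.sys": "5.0.2195.3649",
    "lsass.exe": "5.0.2195.3738",
    "ntdsa.dll": "5.0.2195.3758",
    "samsrv.dll": "5.0.2195.3762",
    "scecli.dll": "5.0.2195.3649",
    "scesrv.dll": "5.0.2195.3649",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """'5.0.2195.3738' -> (5, 0, 2195, 3738): compare numerically, not as strings
    (as strings '5.0.2195.400' sorts after '5.0.2195.3738', which is wrong)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return parts

def meets_minimum(filename: str, observed: str) -> bool:
    """True when the observed version is at or above the advisory's minimum."""
    return parse_version(observed) >= parse_version(MS01_036_MIN_VERSIONS[filename.lower()])

def audit(observed_versions: Dict[str, str]) -> List[str]:
    """Report listed files that are absent or older than the fixed build.
    Values are versions read from each file's version resource; on Windows that is
    (Get-Item $path).VersionInfo.FileVersion in PowerShell."""
    seen = {name.lower(): ver for name, ver in observed_versions.items()}
    findings = []
    for name, required in MS01_036_MIN_VERSIONS.items():
        if name not in seen:
            findings.append(f"{name}: not found (need {required} or later)")
        elif not meets_minimum(name, seen[name]):
            findings.append(f"{name}: {seen[name]} is older than {required}")
    return findings

if __name__ == "__main__":
    # Constructed sample: an SP2 host where Lsasrv.dll still predates the fix.
    sample = dict(MS01_036_MIN_VERSIONS)
    sample["lsasrv.dll"] = "5.0.2195.2951"
    for line in audit(sample):
        print(line)
```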

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

Article ID: 299687 - Last Review: 10/23/2013 20:04:04 - Revision: 3.4

Microsoft Windows 2000 Service Pack 1, Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Advanced Server
