RV: Windows NT Remote Exploit
Quimeras (quimeras at TELELINE.ES)
Sun, 15 Sep 2002 19:28:57 +0200
- Next message: Boren, Rich: "(I) UPDATE - PFCUser Account, Compaq Management Agents for server s for Microsoft windows NT"
- Previous message: Russ: "Alert: Exploit of RASMAN service key escalates privileges"
I don't know if this is known, but I think there is a very dangerous bug in the Remote Access Service Manager. This is not a buffer overflow; I think this is a very serious bug.
Systems affected: Windows NT Server & Workstation, SP3, SP4, SP5 with Remote Access Service Manager (RasMan) installed (RRAS is also affected). Not tested on W2K.
Risk: A network unprivileged user can gain admin privileges.
DESCRIPTION
----------------------
Any domain user can enumerate services on any domain machine:
SC_HANDLE hSCM = OpenSCManager(machinename, NULL, SC_MANAGER_ENUMERATE_SERVICE);
So you can open a handle to the Service Control Manager; the bug is that with this handle you can obtain full access to the RasMan service:
SC_HANDLE hService = OpenService(hSCM, _TEXT("RasMan"), SERVICE_ALL_ACCESS);
Now you can change the RasMan configuration, for example the binary path name, and run a malicious service with System privileges.
For a demonstration exploit visit: http://www.teleline.es/personal/quimeras/ntsu
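The weakness above is a service DACL that grants SERVICE_CHANGE_CONFIG (and other write rights) to a broad principal. The following audit helper is an added example, not code from the original post or from Microsoft: it takes a service security descriptor as an SDDL string (on later Windows versions obtainable with `sc sdshow <service>`; the sample strings below are constructed, not captured from a real RasMan) and reports every access-allowed ACE that gives a low-privilege group a right sufficient to retarget the service binary.

```python
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# SDDL rights letters on a service object that allow reconfiguring or taking over it.
DANGEROUS_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
                    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# Same rights when the field is written as a hex access mask instead of letters.
HEX_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO", 0x10000000: "GA", 0x40000000: "GW"}
# Well-known SID abbreviations / SIDs for broad groups that must not hold those rights.
BROAD_PRINCIPALS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                    "IU": "Interactive", "DU": "Domain Users", "AN": "Anonymous",
                    "NU": "Network", "S-1-1-0": "Everyone",
                    "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}

# Constructed samples: a DACL like the one the advisory implies, and a sane one.
WEAK_RASMAN_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
                    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)")
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_rights(rights: str) -> set:
    """Expand an SDDL rights field (letter pairs or 0x hex mask) into letter pairs."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in HEX_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def audit_service_sddl(sddl: str) -> list:
    """Return (principal, right) findings for allow ACEs in the DACL that grant
    a dangerous service right to a broad, low-privilege principal."""
    # Keep only the DACL: everything after "D:" and before an optional SACL "S:".
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    findings = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6 or fields[0] != "A":  # only access-allowed ACEs matter
            continue
        rights, sid = fields[2], fields[5]
        if sid not in BROAD_PRINCIPALS:
            continue
        for r in sorted(parse_rights(rights) & DANGEROUS_RIGHTS.keys()):
            findings.append((BROAD_PRINCIPALS[sid], DANGEROUS_RIGHTS[r]))
    return findings


if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_RASMAN_SDDL), ("hardened", HARDENED_SDDL)):
        print(name, audit_service_sddl(sddl) or "no findings")
```

Any finding means an unprivileged caller could reach the service with the write rights the advisory relies on; the fix is to restrict the DACL so that only SYSTEM and Administrators hold SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER.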
This archive was generated by hypermail 2.0b3 on Fri Sep 17 1999 - 12:59:19 CDT