From: Steve (stevesecuresolutions.org)
Date: Mon Nov 12 2001 - 20:29:27 CST

    Team RADIX Research Report: RADIX1112200102

    Date Published: 11-12-2001
    Research Report ID: RADIX1112200102
    Bugtraq ID: 3184
    CVE CAN: N/A
    Title: RunAs Sensitive Data Exposure
    Class: Sensitive data exposure
    Remotely Exploitable: No
    Locally Exploitable: Yes

    Vulnerability Description:
    The "RunAs" command line utility uses the RunAs service to launch an
    application in a distinct security context. However, the utility never
    erases the buffer holding the supplied credentials after the application
    terminates.

    Vulnerable Systems: Microsoft Windows 2000

    Solution/Vendor Information/Workaround:
    The vendor has decided to include the fix within service pack 3 (SP3).

    According to the vendor, "In February 2002, we will release Windows 2000
    Service Pack 3 (SP3)".

    http://www.microsoft.com/presspass/features/2001/oct01/10-03securityqa.asp

    When service pack 3 is released, Camisade recommends installing it.

    In the meantime, do not use the RunAs service. If RunAs is never used,
    no application can allocate a page that contains RunAs-related
    authentication credentials. However, do not disable the RunAs service:
    the RADIX1112200101 vulnerability can only be exploited if the RunAs
    service is not running, because the attacker performs a man in the
    middle attack using a malicious RunAs service.

    Summary: Ensure the RunAs service is in its default setting
    (automatically started and running). The default install of the service,
    unused and not set to manual (or disabled), is the safest configuration
    until service pack 3 is released. As a temporary solution, do not use any
    utilities that leverage the RunAs service. This includes the RunAs
    command line utility and Explorer's RunAs functionality.

    Vendor notified on: 09-10-2001

    The vendor was notified, and confirmed receipt, approximately two months
    ago. In keeping with the Camisade Research Report Policy, the
    information has been made public to best benefit the security community
    through full disclosure.

    Credits:
    Camisade - Team RADIX (research@camisade.com) http://www.camisade.com

    This advisory was drafted with the help of the SecurityFocus.com
    Vulnerability Help Team. For more information or assistance drafting
    advisories please mail vulnhelp@securityfocus.com.

    Technical Description - Proof of Concept Code:
    Applications that deal with highly sensitive data, such as user
    credentials, must ensure that those credentials are sufficiently
    destroyed after their use.

    The RunAs utility performs no such destruction with credentials supplied
    by the user. They are left, in plaintext, on the application's stack
    when the application has terminated. Those credentials will be present
    when an arbitrary application or driver has reallocated that particular
    allocation page.

    A malicious application could wait for a RunAs session to terminate then
    subsequently search for that user's credentials. In order to execute
    this vulnerability, the malicious user must have interactive access to
    the Windows 2000 machine. Because of this, Windows 2000 Terminal
    services would be most applicable for an attack.
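    The following is an added illustration of the defect class described above
    and of the fix the advisory asks for; it is not the RunAs code and not code
    from Camisade. A constructed "page" buffer receives a sample password,
    the credential is "used", and the buffer is then either left alone (the
    reported behaviour) or wiped through a volatile pointer so the compiler
    cannot discard the stores; the secure_zero(), process_credential() and
    secret_survives() names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as "dead" once the buffer is no longer read. On Windows the
 * equivalent is SecureZeroMemory(); plain memset() is not enough here. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Does the plaintext secret still occur anywhere in buf? (1 = yes, 0 = no) */
int credential_present(const unsigned char *buf, size_t n, const char *secret) {
    size_t slen = strlen(secret);
    for (size_t i = 0; slen && i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Stand-in for a utility that receives a password, uses it, and returns.
 * The password is copied into buf (the "page" another process may later be
 * handed), a stand-in for authentication (a byte sum) is computed, and the
 * buffer is wiped only if wipe != 0. wipe == 0 reproduces the defect the
 * advisory describes: the plaintext stays behind after use. */
unsigned long process_credential(unsigned char *buf, size_t n, const char *secret, int wipe) {
    size_t slen = strlen(secret);
    if (slen >= n) return 0;              /* constructed limit: secret must fit */
    memcpy(buf, secret, slen + 1);
    unsigned long sum = 0;
    for (size_t i = 0; i < slen; i++) sum += buf[i];   /* "use" of the credential */
    if (wipe) secure_zero(buf, n);        /* the fix: erase before the page is released */
    return sum;
}

/* Runs one scenario on a constructed 64-byte "page" and reports whether the
 * secret survived the call (1 = still readable, 0 = erased). */
int secret_survives(int wipe) {
    static const char secret[] = "hunter2-constructed";   /* sample value, not real */
    unsigned char page[64];
    memset(page, 0, sizeof page);
    process_credential(page, sizeof page, secret, wipe);
    return credential_present(page, sizeof page, secret);
}

int main(void) {
    printf("without wipe: secret left in page = %d\n", secret_survives(0));   /* 1 */
    printf("with wipe:    secret left in page = %d\n", secret_survives(1));   /* 0 */
    return 0;
}
```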

    -- 
    Team RADIX -- Camisade LLC
    http://www.camisade.com
    Application Security Innovations
    Camisade Direct: 1.800.709.1241