Local privilege escalation using runasp V3.5.1

[lsth75 () hotmail com]

Hi list,

Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below, 
that allows local privilege escalation. 

Vendor: MAST-Computer
Homepage of product : http://www.mast-computer.com/c_9-s_7-l_en.html

Description of product:
For Windows 2000, Windows XP 
RunAs Professional is a substitute for Microsoft's command runas.
RunAs Professional solves the problem that
normal runas does not support the commandline
parameter password. 

Now you can use RunAs Professional to install
 software, use it in batch scripts and much more.


Bug description: 
This software uses a crypted .rap file to store
the parameters such as DOMAIN NAME/USERNAME/PASSWORD,
 PATH and EXE name
in order to do a "runas" from a script.

A normal user is able to see the exe filename just by double clicking runasp.exe and load the .rap file 
(here password is hidden)

It seems that the called exe is not CRC checked,
so it's possible for example to rename cmd.exe to the name of the original exe, so when running
 the original script ("runasp test.rap" , you'll get a nice DOS box with administrator rights.

Workaround :
Modify code to embed CRC sum in crypted file

Can anyone confirm, thx ?

Vendor not yet contacted

Regards
traxx
=======================================
==> Visit us @ www.knowledgecave.com <==
=======================================