View Full Version : Local privilege escalation using runasp V3.5.1



lsth75@hotmail.com
14/06/05, 20:35
Hi list,

Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below,
that allows local privilege escalation.

Vendor: MAST-Computer
Homepage of product : http://www.mast-computer.com/c_9-s_7-l_en.html

Description of product:
For Windows 2000, Windows XP
RunAs Professional is a substitute for Microsoft's command runas.
RunAs Professional solves the problem that
normal runas does not support the commandline
parameter password.

Now you can use RunAs Professional to install
software, use it in batch scripts and much more.


Bug description:
This software uses an encrypted .rap file to store
the parameters such as DOMAIN NAME/USERNAME/PASSWORD,
PATH and EXE name
in order to do a "runas" from a script.

A normal user is able to see the exe filename just by double clicking runasp.exe and load the .rap file
(here password is hidden)

It seems that the called exe is not CRC checked,
so it's possible for example to rename cmd.exe to the name of the original exe, so when running
the original script ("runasp test.rap"), you'll get a nice DOS box with administrator rights.

Workaround:
Modify code to embed CRC sum in encrypted file

Can anyone confirm, thx ?

Vendor not yet contacted

Regards
traxx
=======================================
==> Visit us @ www.knowledgecave.com <==
=======================================
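The "embed a checksum in the config file" workaround proposed in the post, shown as an added example that is not RunAs Professional's code and not from the post's author: the launcher pins a digest of the target executable when the config is created and refuses the privileged launch if the file on disk no longer matches. The JSON dict standing in for the encrypted .rap file, the `run` callable standing in for the privileged process creation, and the sample binaries are all constructed assumptions; the real .rap layout is not described in the thread. The example uses SHA-256 rather than CRC32, because CRC32 catches an accidental rename but a deliberately crafted file can be made to match a CRC32 value.

```python
"""Added example: hash-pin the target executable of a scripted 'runas' launcher.
Not RunAs Professional's code; the config layout is a hypothetical stand-in for
the encrypted .rap file the post describes (credentials are omitted here)."""
import hashlib
import hmac
import os
import tempfile


class IntegrityError(Exception):
    """Raised when the target executable does not match its pinned digest."""


def file_digest(path):
    """SHA-256 of a file, read in chunks so large installers are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_config(exe_path, domain, user):
    """Build the launcher config; hypothetical field names, not the .rap format.

    The digest is captured by the administrator at config-creation time, so a
    later swap of the binary under the same name is detectable at launch."""
    exe = os.path.abspath(exe_path)
    return {
        "domain": domain,
        "user": user,
        "exe": exe,
        "exe_sha256": file_digest(exe),
    }


def verify_target(config):
    """Return True when the configured exe still matches its pinned SHA-256."""
    exe = config["exe"]
    if not os.path.isfile(exe):
        raise IntegrityError("target executable missing: %s" % exe)
    actual = file_digest(exe)
    # Constant-time comparison is cheap insurance even though the digest is not secret.
    if not hmac.compare_digest(actual, config["exe_sha256"]):
        raise IntegrityError("target executable changed: %s" % exe)
    return True


def launch_if_intact(config, run):
    """Verify the pinned digest, then call run(exe_path).

    run() stands in for the privileged CreateProcessWithLogonW-style call that
    the real tool performs with the stored credentials."""
    verify_target(config)
    return run(config["exe"])


def demo():
    """Constructed scenario: pin an installer, then swap it for another binary."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "setup.exe")
        with open(target, "wb") as f:
            f.write(b"MZ original installer (constructed sample)")
        cfg = build_config(target, "CORP", "deploy")
        first = launch_if_intact(cfg, lambda p: "launched")

        # Simulate the substitution from the post: a different program is
        # placed under the original file name after the config was created.
        with open(target, "wb") as f:
            f.write(b"MZ cmd.exe stand-in (constructed sample)")
        try:
            launch_if_intact(cfg, lambda p: "launched")
            second = "launched"
        except IntegrityError:
            second = "blocked"
        return first, second


if __name__ == "__main__":
    print(demo())
```

The pin only helps if the config file itself cannot be rewritten by the same low-privileged user; the ACL point raised later in the thread (critical files and the program directory not writable by normal users) is the complementary control, and the digest check adds defence in depth for the case where a file is replaced anyway.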

3APA3A
16/06/05, 17:55
Dear lsth75@hotmail.com,

--Tuesday, June 14, 2005, 2:23:45 PM, you wrote to bugtraq@securityfocus.com:

lhc> Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below,
lhc> that allows local privilege escalation.


lhc> It seems that the called exe is not CRC checked,
lhc> so it's possible for example to rename cmd.exe to the name of
lhc> the original exe, so when running
lhc> the original script ("runasp test.rap" , you'll get a nice
lhc> DOS box with administrator rights.

You can also rename cmd.exe to RunAsP.exe to achieve the same result. You
should never run applications from an untrusted location. Inability to check
the file hash in this case is maybe a lack of a feature, not a vulnerability.
A vulnerability could be if a user can change test.rap to execute cmd.exe
with somebody's permissions.


--
~/ZARAZA
http://www.security.nnov.ru/

securityfocus.5.stele@spamgourmet.com
26/07/05, 21:45
Hello,

This is not a RunAs Pro bug.
-> Critical files should be protected by administrators, so that normal users are not able to rename them.
Just optimize your user permissions.

-> Just note:
Our next release will include a CRC32 Check of the file.

securityfocus.5.stele@spamgourmet.com
26/07/05, 21:55
Correct! -> All critical files should not be modifiable by a normal user!
Users should not be able to modify the program files directory either.