Date: Mon, 20 Sep 1999 10:33:13
From: Arne Vidstrom <winnt@BAHNHOF.SE>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: Exploit of RASMAN service key escalates privileges
--------------------------------------------------------------------------------
Hi all,
Regarding the rasman vulnerability found by Alberto Rodriguez Aragones.
First a short summary. Services in Windows NT are securable objects, just
like files and directories are, for example. Thus they are equipped with
DACLs, which control access to them, and with SACLs, which control auditing
on them. They also have owners. All services seem to have pretty tight
permissions set on them by default, except the rasman service, to which
Everyone has all permissions. One of those permissions is "Change
Configuration" (a service-specific permission), which allows the holder to
connect to the Service Control Manager and change the configuration of the service.
One thing which can be changed is the path to the service binary. This is
what has been shown in practice by Alberto Rodriguez Aragones, with his
exploit program BertzHole. Todd Sabin explained this (although with
slightly different words) in his posting.
Now, what can be done about this? Todd Sabin said, "What's needed is a
utility which allows examining/updating the permissions on services.", so I
wrote a couple of utilities for that. First GSD, which lists the DACLs of
any service you specify. It can be downloaded at:
To tighten the permissions you run it at the Command Prompt like this:
rasfix -tighten
To restore the permissions to the installation defaults you run it like
this:
rasfix -restore
But! It doesn't seem to be a coincidence that Microsoft gave Change
Configuration permissions to Everyone by default. When you tighten the
permissions everything works fine for those accounts which still have
Change Configuration permissions, but for other accounts dial up
functionality is broken. If this is a problem for you - wait for Microsoft
to release a hotfix for the vulnerability. I also suggest that you only
apply my fix if it's absolutely necessary in your case, otherwise wait for
Microsoft's hotfix.
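As an added defender's check, not part of this post or of the GSD/rasfix tools, the Python below parses a service security descriptor in SDDL form, the way later Windows versions print it with `sc sdshow <service>`, and reports ACEs that grant the Change Configuration right (or rights that let the holder rewrite the DACL) to broad principals such as Everyone. SDDL postdates this 1999 post, and the two sample descriptors are constructed, not captured from a real system.

```python
import re

# Service-specific rights as `sc sdshow <service>` prints them in SDDL.  The
# two-letter mnemonics are shared with other object types, so for a service
# "DC" is SERVICE_CHANGE_CONFIG (the "Change Configuration" right), "WD" in
# the rights field is WRITE_DAC, and "WD" in the trustee field is Everyone.
CONFIG_WRITE = {"DC", "WD", "WO", "GA", "GW"}  # can change binary path or DACL
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users",
              "IU": "Interactive", "BU": "Users"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\((\w+);(\w*);([^;]*);([^;]*);([^;]*);([^)]+)\)")

def parse_dacl(sddl):
    """Return (ace_type, set_of_right_mnemonics, trustee) for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace_type, _flags, rights, _guid, _iguid, sid in ACE_RE.findall(m.group(1)):
        names = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, names, sid))
    return aces

def weak_grants(sddl):
    """Return (trustee, rights) pairs where a broad principal may reconfigure the service."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in BROAD_SIDS:   # allow ACEs only
            bad = sorted(rights & CONFIG_WRITE)
            if bad:
                findings.append((BROAD_SIDS[sid], bad))
    return findings

# Constructed sample descriptors (not captured from a real system).
TIGHT_SVC = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)")
WEAK_RASMAN = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

if __name__ == "__main__":
    for name, sd in (("tight", TIGHT_SVC), ("rasman-like", WEAK_RASMAN)):
        print(name, weak_grants(sd) or "no broad Change Configuration grants")
```

On a live system, feed the output of `sc sdshow <service>` for each service to `weak_grants` and review any hit; a service whose binary path can be rewritten by Everyone is the condition this post describes.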