Date: Wed, 19 May 1999 11:37:00 +0100
From: Mnemonix
To: BUGTRAQ@netspace.org
Subject: Buffer Overruns in RAS allows execution of arbitrary code as system

Introduction

Microsoft's RAS Service on Windows NT (all service packs) contains numerous buffer overruns that allow execution of arbitrary code that can allow an attacker to gain system privilege access to the machine.

Details

The RAS service is used so that remote users may dial in to the RAS server and be able to access resources local to the RAS server or the network it is attached to as a whole. RAS is also the service used when users wish to dial out from an NT machine, for instance, into their Internet Service Provider.

With the RAS service comes RASSRV.EXE, which implements the Remote Access Server service and is used for accepting incoming calls, and RASMAN.EXE, which implements the RAS Autodial Manager and RAS Connection Manager services which are used to dial out. RASPHONE.EXE is the application used when a user manually dials out, as well as for editing the Phone Book. RASDIAL.EXE is also used to dial out. RASSRV.EXE and RASMAN.EXE are system processes and run in the security context of the system, whereas RASPHONE.EXE and RASDIAL.EXE normally run in the security context of the user who starts the process. From tests it seems that RASSRV.EXE does not have this problem; however, all the others do.

The buffer overruns occur because the RAS API functions, such as RasGetDialParams(), perform no bounds checking and fill structures that contain character arrays. For instance, when the Autodial Manager dials out it uses the RasGetDialParams() function to read in such things as the telephone number from the Phonebook, rasphone.pbk. It places these into the RASDIALPARAMS structure, which contains character arrays. Because no bounds checking is performed, if rasphone.pbk contains an overly long telephone number it will cause RASMAN.EXE to access violate. If the phone number is over 299 characters in length we overwrite the processor's EIP and can completely change the program's order of execution and execute arbitrary code, though more on this later.

By default rasphone.pbk gives Everybody the Change NTFS permission, meaning that anyone with access to this file may edit its contents and cause the buffer overflow. Permissions for this file should be tightened, although a normal user can create their own Phone Book for use with RAS, meaning that, irrespective of the permissions on rasphone.pbk in the %systemroot%\system32\ras directory, these attacks can still be performed.

As far as impact is concerned, if RASMAN.EXE is overflowed it means that anybody with local access to the machine can gain elevated privileges to Administrator level. As far as RASPHONE.EXE and RASDIAL.EXE are concerned, these two programs are often used in conjunction with the Scheduler Service, a system service, and may also be exploited to gain access to the system. Administrators are therefore strongly advised to apply the patch from Microsoft as soon as possible.

Further to this advisory I have written a document on buffer overruns in Windows NT and their exploitation, looking at RASMAN.EXE as an example. This can be found at http://www.infowar.co.uk/mnemonix/ntbufferoverruns.htm.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com

----------------------------------------------------------------------------

Date: Thu, 20 May 1999 16:18:54 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Microsoft Security Bulletin (MS99-016) - RAS Phonebook

Microsoft have released a patch for Mnemonix's buffer overrun discovery. See:

http://www.microsoft.com/security/bulletins/ms99-016.asp

for further details and download locations.

Cheers,
Russ - NTBugtraq Editor
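The unchecked fill that the advisory above describes, beside a bounds-checked loader for a phonebook entry, as an added C example that is neither code from the advisory nor from RAS itself. The dial_params_t struct, the 128-character limit and the INI-style sample entry are assumptions constructed for the example; the real RASDIALPARAMS layout is not reproduced.

```c
#include <string.h>
/* Assumption: a fixed-size field like szPhoneNumber in RASDIALPARAMS.
 * The real limit is RAS_MaxPhoneNumber; 128 is a stand-in value here. */
#define MAX_PHONE 128

typedef struct {
    char szPhoneNumber[MAX_PHONE + 1];
} dial_params_t;

/* The defect the advisory describes: the field is filled with no bounds
 * check, so an over-long number runs off the struct onto the stack. */
static void fill_unchecked(dial_params_t *p, const char *number) {
    strcpy(p->szPhoneNumber, number);      /* contrast only */
}

/* Hardened: refuse a value that does not fit rather than copy it. */
static int fill_checked(dial_params_t *p, const char *number, size_t len) {
    if (len > MAX_PHONE) return -1;        /* malformed phonebook entry */
    memcpy(p->szPhoneNumber, number, len);
    p->szPhoneNumber[len] = '\0';
    return 0;
}

/* Load the first "PhoneNumber=" line of an INI-style entry (the layout
 * rasphone.pbk uses). Returns 0 on success, -1 if missing or too long. */
static int load_phone_from_pbk(const char *pbk, dial_params_t *out) {
    const char *key = "PhoneNumber=";
    size_t klen = strlen(key);
    for (const char *line = pbk; *line; line++) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= klen && strncmp(line, key, klen) == 0) {
            size_t vlen = len - klen;
            if (vlen && line[klen + vlen - 1] == '\r') vlen--;   /* CRLF */
            return fill_checked(out, line + klen, vlen);
        }
        if (!eol) break;
        line = eol;                        /* loop's ++ skips the '\n' */
    }
    return -1;
}

int main(void) {
    char pbk[400] = "[ISP]\nPhoneNumber=";  /* constructed entry */
    memset(pbk + strlen(pbk), '5', 300);   /* 300-char number, as in the advisory */
    dial_params_t p;
    fill_unchecked(&p, "0123456789");      /* only ever a safe length */
    return load_phone_from_pbk(pbk, &p) == -1 ? 0 : 1;  /* 0: rejected */
}
```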