List:       ntbugtraq
Subject:    RV: Windows NT Remote Exploit
From:       Quimeras <quimeras () TELELINE ! ES>
Date:       1999-09-17 17:55:10

I don't know if this is known, but I think there is a very dangerous bug in the Remote Access Service Manager. This is not a buffer overflow, I think this is a very serious bug.

Systems affected: Windows NT Server & Workstation, SP3, SP4, SP5 with Remote Access Service Manager (RasMan) installed (RRAS is also affected). Not tested on W2K.

Risk: A network unprivileged user can gain admin privileges.
 

DESCRIPTION
----------------------

Any domain user can enumerate services in any domain machine:
 
// Ask only for SC_MANAGER_ENUMERATE_SERVICE, a right every domain user has on a remote SCM
SC_HANDLE hSCM = OpenSCManager(machinename, NULL, SC_MANAGER_ENUMERATE_SERVICE);

So you can open a handle to the Service Control Manager; the bug is that with this handle you can obtain full access to the RasMan service:

// Request SERVICE_ALL_ACCESS on RasMan; this call should fail for an unprivileged user but succeeds
SC_HANDLE hService = OpenService(hSCM, _TEXT("RasMan"), SERVICE_ALL_ACCESS);
 
Now you can change RasMan configuration, for example the binary path name, and run a malicious service with System privileges.
For a demonstration exploit visit: http://www.teleline.es/personal/quimeras/ntsu
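The condition described in this post is a service whose DACL grants configuration rights to low-privileged principals. As an added defender-side example (not part of the original post and not the author's code), the following Python script parses the SDDL string that `sc sdshow <service>` prints on Windows and flags any allow ACE that grants takeover rights (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, DELETE or generic write/all) to Everyone, Authenticated Users, Interactive, Network, Builtin Users or Domain Users. The two SDDL samples embedded below are constructed for illustration: one resembles a sane default, the other the over-permissive ACL the post describes. They are not the real RasMan descriptor.

```python
import re

# Two-letter SDDL access-right codes as used for service objects (per Microsoft SDDL docs),
# with the bit each one stands for in a numeric (0x...) rights field.
RIGHT_BITS = {
    "CC": 0x0001,      # SERVICE_QUERY_CONFIG
    "DC": 0x0002,      # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,      # SERVICE_QUERY_STATUS
    "SW": 0x0008,      # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,      # SERVICE_START
    "WP": 0x0020,      # SERVICE_STOP
    "DT": 0x0040,      # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,      # SERVICE_INTERROGATE
    "CR": 0x0100,      # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,     # DELETE
    "RC": 0x20000,     # READ_CONTROL
    "WD": 0x40000,     # WRITE_DAC
    "WO": 0x80000,     # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE
    "GR": 0x80000000,  # GENERIC_READ
}
RIGHT_NAMES = {
    "DC": "SERVICE_CHANGE_CONFIG", "SD": "DELETE", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that let the holder reconfigure the service (e.g. change its binary path) or rewrite its ACL.
DANGEROUS = set(RIGHT_NAMES)

# Well-known SDDL SID abbreviations for broad, low-privileged principals.
LOW_PRIV_SIDS = {
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
    "NU": "Network", "BU": "Builtin Users", "DU": "Domain Users",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def principal_name(sid):
    """Return a display name if the SID is a broad low-privileged group, else None."""
    if sid in LOW_PRIV_SIDS:
        return LOW_PRIV_SIDS[sid]
    if sid.startswith("S-1-5-21-") and sid.endswith("-513"):  # RID 513 = Domain Users
        return "Domain Users"
    return None


def parse_rights(field):
    """Turn an SDDL rights field (two-letter codes or a 0x mask) into a set of codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def find_weak_aces(sddl):
    """Return [(principal, [dangerous right names])] for allow ACEs in the DACL that
    grant takeover rights to low-privileged principals."""
    findings = []
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl)  # DACL runs from "D:" to the SACL ("S:") or the end
    if not dacl:
        return findings
    for ace in ACE_RE.findall(dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, _obj, _inh, sid = fields[:6]
        if ace_type != "A":  # only access-allowed ACEs matter here
            continue
        who = principal_name(sid)
        granted = parse_rights(rights) & DANGEROUS
        if who and granted:
            findings.append((who, sorted(RIGHT_NAMES[r] for r in granted)))
    return findings


# Constructed samples (not real output from any machine).
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED), ("weak", WEAK)):
        for who, rights in find_weak_aces(sddl) or [(None, None)]:
            print(label, "->", "no over-permissive ACEs" if who is None else f"{who}: {', '.join(rights)}")
```

On a Windows host the input would come from `sc sdshow RasMan` (or any other service name); the check is equally useful as a periodic audit across all services, since a DACL that hands SERVICE_CHANGE_CONFIG or WRITE_DAC to Authenticated Users is the precondition for the escalation described above.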

