[prev in list] [next in list] [prev in thread] [next in thread]
List: ntbugtraq
Subject: RV: Windows NT Remote Exploit
From: Quimeras <quimeras () TELELINE ! ES>
Date: 1999-09-17 17:55:10
[Download RAW message or body]
I don't know if this is known, but I think there is a very dangerous bug in the \
Remote Access Service Manager. This is not a buffer overflow, I think this is a very \
serious bug.
Systems affected: Windows NT Server & Workstation, SP3, SP4, SP5 with Remote Access \
Service Manager (RasMan) installed (RRAS is also affected). Not tested on W2K.
Risk: A network unprivileged user can gain admin privileges.
DESCRIPTION
----------------------
Any domain user can enumerate services in any domain machine:
SC_HANDLE hSCM = OpenSCManager(machinename, NULL, SC_MANAGER_ENUMERATE_SERVICE);
So you can open a handle to the Service Control Manager, the bug is that with this \
handle you can obtain full access to the RasMan service:
SC_HANDLE hService = OpenService(hSCM, _TEXT("RasMan"), SERVICE_ALL_ACCESS);
Now you can change RasMan configuration, for example the binary path name, and run a \
malicious service with System privileges.
For a demonstration exploit visit: http://www.teleline.es/personal/quimeras/ntsu
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic