List:       ntbugtraq
Subject:    Re: Alert: Exploit of RASMAN service key escalates privileges
From:       Arne Vidstrom <winnt () BAHNHOF ! SE>
Date:       1999-09-20 6:33:13

Hi all,

Regarding the rasman vulnerability found by Alberto Rodriguez Aragones.

First a short summary. Services in Windows NT are securable objects, just
like files and directories are, for example. Thus they are equipped with
DACLs which control access to them, and with SACLs which control auditing
on them. They also have owners. All services seem to have pretty tight
permissions set on them by default, except the rasman service, to which
Everyone has all permissions. One of those permissions is "Change
Configuration" (a service-specific permission), which allows one to connect
to the Service Control Manager and change the configuration of the service.
One thing which can be changed is the path to the service binary. This is
what has been shown in practice by Alberto Rodriguez Aragones, with his
exploit program BertzHole. Todd Sabin explained this (although with
slightly different words) in his posting.

Now, what can be done about this? Todd Sabin said, "What's needed is a
utility which allows examining/updating the permissions on services.", so, I
wrote a couple of utilities for that. First GSD, which lists the DACLs of
any service you specify. It can be downloaded at:

http://www.bahnhof.se/~winnt/toolbox/gsd/

Next, I wrote another utility (rasfix) which tightens the permissions of
the rasman service to prevent this kind of exploit. It can be downloaded
at:

http://www.bahnhof.se/~winnt/toolbox/rasfix/

To tighten the permissions you run it at the Command Prompt like this:

rasfix -tighten

To restore the permissions to the installation defaults you run it like
this:

rasfix -restore

But! It doesn't seem to be a coincidence that Microsoft gave Change
Configuration permissions to Everyone by default. When you tighten the
permissions everything works fine for those accounts which still have
Change Configuration permissions, but for other accounts dial up
functionality is broken. If this is a problem for you - wait for Microsoft
to release a hotfix for the vulnerability. I also suggest that you only
apply my fix if it's absolutely necessary in your case, otherwise wait for
Microsoft's hotfix.

Regards,

/Arne Vidstrom

P.S. More security tools can be found at my toolbox site -
http://www.bahnhof.se/~winnt/toolbox/ - and of course all of them are
freeware. :)
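The check the post describes, listing a service's DACL and spotting broad principals (Everyone, Authenticated Users, Users) that hold "Change Configuration" or other rights that let a caller rewrite the service, can be done today without GSD. The script below is an added example and is not part of Vidstrom's message or of his GSD/rasfix tools. It assumes a current Windows with PowerShell 5.1 or later and `sc.exe sdshow` (which did not exist on NT 4, where the post's tools were needed); the service name defaults to `rasman` as in the post, and omitting it generalizes the check to every installed service. It only reads descriptors and reports; it changes nothing.

```powershell
# Added example (not from the original post): audit service DACLs for broad
# principals holding configuration-changing rights. Read-only.
param(
    # Service to check; omit to scan every installed service (generalization).
    [string]$ServiceName
)

# Service-specific and standard access bits (winsvc.h / winnt.h) as they
# appear in SDDL. 0x2 is "Change Configuration", the right discussed above.
$Rights = [ordered]@{
    SERVICE_QUERY_CONFIG  = 0x00000001
    SERVICE_CHANGE_CONFIG = 0x00000002   # SDDL "DC": can change binary path
    SERVICE_START         = 0x00000010
    SERVICE_STOP          = 0x00000020
    DELETE                = 0x00010000
    WRITE_DAC             = 0x00040000   # can loosen the DACL further
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}
# Rights that let a caller alter the service itself rather than merely use it.
$RiskyMask = $Rights.SERVICE_CHANGE_CONFIG -bor $Rights.DELETE -bor
             $Rights.WRITE_DAC -bor $Rights.WRITE_OWNER -bor
             $Rights.GENERIC_ALL -bor $Rights.GENERIC_WRITE

# Well-known SIDs that amount to "anyone on the machine".
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-7'      = 'Anonymous'
}

function Get-ServiceSddl([string]$Name) {
    # Use sc.exe explicitly: in PowerShell 'sc' is an alias for Set-Content.
    $out  = & sc.exe sdshow $Name 2>&1
    $line = $out | Where-Object { "$_" -match '^\s*[DOGS]:' } | Select-Object -First 1
    if ($line) { return "$line".Trim() }
    return $null
}

function Test-ServiceDacl([string]$Name) {
    $sddl = Get-ServiceSddl $Name
    if (-not $sddl) { Write-Warning "$Name : could not read security descriptor"; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs with an access mask matter here (KnownAce carries AccessMask).
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        $granted = $ace.AccessMask -band $RiskyMask
        if ($granted -eq 0) { continue }
        $names = $Rights.Keys | Where-Object { ($Rights[$_] -band $granted) -ne 0 }
        [pscustomobject]@{
            Service   = $Name
            Principal = $BroadSids[$sid]
            Rights    = ($names -join ', ')
            Mask      = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

$targets  = if ($ServiceName) { @($ServiceName) } else { (Get-Service).Name }
$findings = foreach ($t in $targets) { Test-ServiceDacl $t }
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No broad principal holds configuration-changing rights on the checked service(s).' }
```

Run it as `.\Audit-ServiceDacl.ps1 rasman` for the single service the post is about, or with no argument to sweep the whole Service Control Manager; a hit on any line other than the one Microsoft shipped deliberately deserves the same scrutiny the post gives rasman. The script deliberately stops at reporting: as the post warns, tightening a DACL that a feature relies on (here, dial-up for ordinary users) breaks that feature, so the decision to apply a fix such as rasfix or `sc.exe sdset` belongs to an administrator who has weighed that trade-off.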