RUNAS /SAVECRED is huge security hole
From: Stephane Barizien (sba_at_OCEGR.FR)
Date: Fri, 11 Jul 2003 10:00:19 +0200 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
The documentation for the RUNAS command (in Windows XP) states:
/savecred to use credentials previously saved by the user.
This option is not available on Windows XP Home Edition
and will be ignored.
This allows a "plain user" to run command lines (typically in shortcuts) such as
RUNAS /savecred /user:administrator regedit
then ask the administrator to type in his/her password, and voilą!
Next time the same command line / shortcut is invoked, the saved administrator
password will be automatically provided.
So far, so good; this allows users to run privileged commands, "encapsulated" in
the appropriate shortcuts, without asking their administrator.
What the documentation does not mention, is that the saved credentials can be used
to run *anything*, not just the original command line / shortcut.
So let's supposed Joe A. Developer, whose account is not a member of the
Administrators group, needs to run SysInternals' FileMon every now and then.
His/her administrator creates a shortcut with the following command line:
RUNAS /savecred /user:administrator filemon
runs the shortcuts, and enters his/her password.
Once this is done, Joe can run
RUNAS /savecred /user:administrator CMD
which gives him full control over the machine!
The security hole lies in the fact that any piece of malicious, say, ActiveX code,
can attempt to do
CreateProcess("runas.exe", "/savecred /user:administrator \"cmd /c somecommand\"",
"just in case"
IF /savecred has been used earlier on by the current user, and his/her password
hasn't been changed since then, the above code snippet will run "somecommand" under
the local administrator account!!!
Of course, this is probably not why Microsoft has created /savecred in the first
place, but I cannot think of any scenarios where it can be *safely* used, given
that the underlying logic doesn't reuse the saved credentials only for specific
What do you all think?
Oce' Print Logic Technologies S.A
1 rue Jean Lemoine
F94015 CRETEIL CEDEX
Phone: +33 (1) 48988231
Fax: +33 (1) 48985450
Internet e-mail: firstname.lastname@example.org
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to