RUNAS /SAVECRED is huge security hole
From: Stephane Barizien (sba_at_OCEGR.FR)
Date: 07/11/03
Date: Fri, 11 Jul 2003 10:00:19 +0200 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
The documentation for the RUNAS command (in Windows XP) states:
/savecred to use credentials previously saved by the user.
This option is not available on Windows XP Home Edition
and will be ignored.
This allows a "plain user" to run command lines (typically in shortcuts) such as
RUNAS /savecred /user:administrator regedit
then ask the administrator to type in his/her password, and voilà!
Next time the same command line / shortcut is invoked, the saved administrator
password will be automatically provided.
So far, so good; this allows users to run privileged commands, "encapsulated" in
the appropriate shortcuts, without asking their administrator.
BUT...
What the documentation does not mention, is that the saved credentials can be used
to run *anything*, not just the original command line / shortcut.
So let's suppose Joe A. Developer, whose account is not a member of the
Administrators group, needs to run SysInternals' FileMon every now and then.
His/her administrator creates a shortcut with the following command line:
RUNAS /savecred /user:administrator filemon
runs the shortcut, and enters his/her password.
Once this is done, Joe can run
RUNAS /savecred /user:administrator CMD
which gives him full control over the machine!
The security hole lies in the fact that any piece of malicious, say, ActiveX code,
can attempt to do
CreateProcess("runas.exe", "/savecred /user:administrator \"cmd /c somecommand\"",
...)
"just in case"
IF /savecred has been used earlier on by the current user, and his/her password
hasn't been changed since then, the above code snippet will run "somecommand" under
the local administrator account!!!
Of course, this is probably not why Microsoft has created /savecred in the first
place, but I cannot think of any scenarios where it can be *safely* used, given
that the underlying logic doesn't reuse the saved credentials only for specific
command lines...
What do you all think?
Stephane Barizien
Senior Consultant
Oce' Print Logic Technologies S.A
R&D Creteil
1 rue Jean Lemoine
F94015 CRETEIL CEDEX
Phone: +33 (1) 48988231
Fax: +33 (1) 48985450
Internet e-mail: sba@ocegr.fr
CompuServe: 100114,1527
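As an added example that is not part of the original post: a small Python detector that walks process-creation records (fields modelled on the "New Process Name" / "Process Command Line" values of a Windows process-creation audit event) and flags every launch of runas.exe with /savecred, rating the finding higher when the /user: account is a built-in administrator name. The event records, field names and account names below are constructed for illustration.

```python
import re

# Constructed sample process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\runas.exe",
     "cmdline": r"runas /savecred /user:administrator filemon"},
    {"process": r"C:\Windows\System32\runas.exe",
     "cmdline": r'RUNAS /SAVECRED /user:administrator "cmd /c somecommand"'},
    {"process": r"C:\Windows\System32\runas.exe",
     "cmdline": r"runas /user:CORP\jdoe notepad.exe"},          # no /savecred
    {"process": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe readme.txt"},
    {"process": r"C:\Windows\System32\runas.exe",
     "cmdline": r'runas /savecred /user:CORP\backupsvc "robocopy D:\ E:\"'},
]

# Account names (after any DOMAIN\ prefix) treated as high-risk targets.
PRIVILEGED_NAMES = {"administrator", "admin"}


def analyze(event):
    """Return a finding for runas.exe launched with /savecred, else None.

    Option tokens (/savecred, /user:...) are matched case-insensitively, as
    runas itself accepts them; the target command is everything from the
    first non-option token onward, so quoted commands are kept whole."""
    exe = event["process"].lower().rsplit("\\", 1)[-1]
    if exe != "runas.exe":
        return None
    cmdline = event["cmdline"]
    savecred, user, target = False, "", ""
    for m in re.finditer(r"\S+", cmdline):
        tok = m.group(0)
        if m.start() == 0:
            continue                      # the runas executable itself
        if tok.startswith("/"):
            if tok.lower() == "/savecred":
                savecred = True
            elif tok.lower().startswith("/user:"):
                user = tok[len("/user:"):]
            continue
        target = cmdline[m.start():]      # first non-option token starts the command
        break
    if not savecred:
        return None
    account = user.rsplit("\\", 1)[-1].lower()
    severity = "high" if account in PRIVILEGED_NAMES else "medium"
    return {"user": user, "target": target.strip('"'), "severity": severity}


def scan(events):
    """Apply analyze() to every record and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f]
```

Run against real audit data, the same logic catches both the one-off seeding of the saved credential and any later reuse of it for a different command, which is the abuse the post describes.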