[NT] RunAs Sensitive Data Exposure
From: support@securiteam.com
Date: 11/18/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] RunAs Sensitive Data Exposure
Message-Id: <20011118173755.30C6D138BF@mail.der-keiler.de>
Date: Sun, 18 Nov 2001 18:37:55 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RunAs Sensitive Data Exposure
------------------------------------------------------------------------
SUMMARY
The command line utility "RunAs" uses the RunAs service to launch an
application in a distinct security context. However, the utility does not
properly erase the user credentials on exit, which makes it possible for
an attacker to read another user's credentials.
DETAILS
Applications that deal with highly sensitive data, such as user
credentials, must ensure that those credentials are sufficiently destroyed
after their use.
The RunAs utility performs no such destruction of the credentials supplied
by the user. They are left, in plaintext, on the application's stack after
the application has terminated. Those credentials will still be present
when an arbitrary application or driver is subsequently allocated that
particular memory page.
A malicious application could wait for a RunAs session to terminate and
then search for that user's credentials. To exploit this vulnerability,
the malicious user must have interactive access to the Windows 2000
machine. Because of this, Windows 2000 Terminal Services would be the
most applicable setting for an attack.
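
The wipe-on-exit requirement described under DETAILS, as an added C example (not RunAs code and not part of the original advisory). The names `run_session`, `secure_wipe` and `residue_after_session` are hypothetical, the static buffer stands in for a memory page that is later handed to another owner, and the password is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define CRED_MAX  64

/* Zero a buffer through a volatile pointer so the compiler cannot discard
   the stores as dead writes (on Windows, SecureZeroMemory does this job). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical RunAs-style session: copies the password into working memory
   inside `page`, "uses" it, and optionally wipes it before returning.
   Returns 0 on success, -1 if the password does not fit. */
int run_session(unsigned char *page, const char *password, int wipe_on_exit)
{
    char *work = (char *)page + 256;        /* constructed offset in the page */
    size_t len = strlen(password);
    if (len >= CRED_MAX) return -1;
    memcpy(work, password, len + 1);
    /* ... the credential would be passed to the logon call here ... */
    if (wipe_on_exit) secure_wipe(work, CRED_MAX);
    return 0;
}

/* Audit check: run one session on a fresh page, then report whether the
   password is still readable in it (1 = residue, 0 = clean, -1 = error). */
int residue_after_session(const char *password, int wipe_on_exit)
{
    static unsigned char page[PAGE_SIZE];   /* models one reused memory page */
    size_t n = strlen(password);
    memset(page, 0, sizeof page);
    if (n == 0 || run_session(page, password, wipe_on_exit) != 0) return -1;
    for (size_t i = 0; i + n <= sizeof page; i++)
        if (memcmp(page + i, password, n) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *pw = "Constructed-Passw0rd"; /* constructed sample value */
    printf("no wipe:   residue=%d\n", residue_after_session(pw, 0));
    printf("with wipe: residue=%d\n", residue_after_session(pw, 1));
    return 0;
}
```
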
Vendor information:
Microsoft has decided to include the fix within service pack 3 (SP3).
According to Microsoft, "In February 2002, we will release Windows
2000 Service Pack 3 (SP3)".
http://www.microsoft.com/presspass/features/2001/oct01/10-03securityqa.asp
ADDITIONAL INFORMATION
The information has been provided by Team RADIX -- Camisade LLC
<mailto:research@camisade.com>.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.