[NT] Buffer Overflow in Microsoft Rasapi32.dll
From: support@securiteam.com
Date: 06/15/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 15 Jun 2002 21:18:51 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in Microsoft Rasapi32.dll
------------------------------------------------------------------------
SUMMARY
Rasapi32.dll contains an unchecked buffer, essentially allowing a local
user to overflow any executable that has a GUI help feature or connects to
the internet. This can be used to obtain system privileges on a machine
that an attacker can interactively log on to, or to "Trojan" a machine on
which they can edit the phone book properties.
DETAILS
Vulnerable systems:
* WinNT, Win2K, XP, Microsoft Routing And Remote Access
Rasapi32.dll ships with all recent Microsoft operating systems, being
described as the "Dial-Up Networking Dynamic Linked Library and a Remote
Access API".
The overflow occurs when the code that parses RAS phonebook entries runs;
this can occur when a user logs on interactively, or when a user views the
dial-up connection properties. Specifically, an overly-long 'script name'
(stored in the Rasphone.pbk file) will cause the overflow.
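The trigger described above is a phonebook entry whose script-name field is far longer than any legitimate script path. The following scanner is an added example for defenders and is not code from the advisory, NGSSoftware or Microsoft: it parses an INI-style phonebook file and reports entries whose script-name value is over-long or contains non-printable characters. It assumes the phonebook uses one `[section]` per entry with `key=value` lines, that the script name is stored under a key named `Script` (an assumed key name), and it uses a constructed length threshold rather than any value stated in the advisory.

```python
"""Scan a RAS phonebook (.pbk) file for over-long 'script name' values.

Added example, not part of the SecuriTeam/NGSSoftware advisory. Assumptions:
the phonebook is an INI-style text file with one [section] per entry, and the
script name is stored under a key named 'Script' (assumed key name). The
MAX_SCRIPT_LEN threshold is a constructed, conservative limit, not a value
taken from the advisory or from Microsoft.
"""
from __future__ import annotations

import re

MAX_SCRIPT_LEN = 260          # assumed threshold (MAX_PATH); tune for your environment
SCRIPT_KEYS = {"script"}      # assumed key name(s) holding the script-name field

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=(?P<val>.*)$")


def parse_pbk(text: str) -> dict[str, dict[str, str]]:
    """Parse INI-style phonebook text into {entry: {key: value}}.

    Keys are lower-cased; a repeated key within one entry keeps the last
    value; key/value lines that appear before any [section] are ignored.
    """
    entries: dict[str, dict[str, str]] = {}
    current: str | None = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            entries.setdefault(current, {})
            continue
        stripped = line.strip()
        if current is None or not stripped or stripped.startswith((";", "#")):
            continue
        m = KEYVAL_RE.match(line)
        if m:
            entries[current][m.group("key").strip().lower()] = m.group("val").strip()
    return entries


def find_suspicious_entries(text: str, max_len: int = MAX_SCRIPT_LEN) -> list[tuple[str, str, int]]:
    """Return (entry, key, length) for each script-name value that is longer
    than max_len or contains non-printable characters, neither of which occurs
    in a legitimate script path."""
    findings: list[tuple[str, str, int]] = []
    for entry, kv in parse_pbk(text).items():
        for key, val in kv.items():
            if key in SCRIPT_KEYS and (len(val) > max_len or not val.isprintable()):
                findings.append((entry, key, len(val)))
    return findings


# Constructed sample phonebook: one benign entry and one with an over-long script name.
SAMPLE_PBK = (
    "[My ISP]\n"
    "Device=Modem\n"
    "PhoneNumber=5551234\n"
    "Script=C:\\Windows\\System32\\ras\\login.scp\n"
    "\n"
    "[Tampered]\n"
    "Device=Modem\n"
    "Script=" + "A" * 600 + "\n"
)

if __name__ == "__main__":
    for entry, key, n in find_suspicious_entries(SAMPLE_PBK):
        print(f"entry {entry!r}: key {key!r} has a {n}-character value (limit {MAX_SCRIPT_LEN})")
```

To run it against a real file, read the phonebook's text (it may be ASCII or UTF-16, matching the advisory's observation that the overflow string was Unicode on Windows 2000 and ASCII on NT and XP) and pass it to `find_suspicious_entries`; any hit is an entry worth inspecting before the next interactive logon or dial-up attempt processes it.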
A possible (interactive) exploit scenario would be:
- Log on to the target machine.
- Create a batch file adding your account to the "administrators" group
and paste exploit code that will run the batch file into the
'rasphone.pbk' file.
- Log off user.
- When presented with the logon dialog box, select "Log on using dial-up
connection".
- At this point an access violation occurs in Winlogon.exe executing your
batch file with system privileges. Depending on how the exploit code is
written, the operating system is likely to 'blue screen' at this point.
- After the blue screen, logon with your user name and password to access
your system account.
An interesting aspect of this overflow is that it exploits the logon
dialog that occurs after the Secure Attention Sequence (Ctrl+Alt+Del),
which is designed to prevent other programs or processes from intervening
during authentication (that is, to prevent trojan-horse programs from
being executed during the authentication process), effectively turning a
defense mechanism into a security problem.
Another interesting point is that on our Windows 2000 test platform the
overflow string was Unicode, but on our Windows XP and Windows NT test
platforms the overflow string was ASCII.
The overflow can also be used to "poison" a machine such that the next
time a dial-up connection is used, some exploit code is run.
Interestingly, it is possible to exploit the problem using most Windows
applications, via the "Internet Options" menu item accessible via the help
menu. For example, to cause the overrun to occur in Solitaire (SOL.exe),
open Solitaire, select help, contents, options, Internet options and
finally connections.
Fix Information:
NGSSoftware alerted Microsoft to these problems in November of last year.
Microsoft's advisory on this issue can be found at
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
Microsoft's advisory contains patch download information, as well as a
discussion of the issue.
ADDITIONAL INFORMATION
The information has been provided by Mark Litchfield (mark@ngssoftware.com).