[23140] in bugtraq
RE:Radix Research Reports RADIX1112200101, RADIX1112200102, and RADIX1112200103
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Wed Nov 14 15:49:10 2001
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Wed, 14 Nov 2001 10:14:47 -0800
Message-ID: <949915AAAC8CED4B823E2B1BBD0B3E7F9F93E6@red-msg-18.redmond.corp.microsoft.com>
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: <bugtraq@securityfocus.com>
Cc: "Microsoft Security Response Center" <secure@microsoft.com>
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
I'd like to provide some additional information about the
vulnerabilities reported by Camisade regarding the Windows
2000 RunAs service. Briefly, RADIX1112200101 and
RADIX1112200102 discuss scenarios in which the author
reports that it could be possible to compromise the
credentials of a RunAs user, while RADIX1112200103
discusses a denial of service opportunity against the RunAs
service. Microsoft investigated all the reports thoroughly
as soon as we received them, and kept Camisade abreast of
our progress. Here's what we found.
RADIX1112200101. In order to exploit this vulnerability,
the attacker would need the ability to pause the RunAs
service. However, this requires administrative privileges.
Clearly, if the attacker already has administrative
privileges on the machine, the system is completely
compromised and all bets are off. Even an attacker who did
have administrative privileges on the machine would need to
exploit the vulnerability at exactly the moment when
another user used the RunAs service in order to recover the
other user's credentials.
RADIX1112200102. We investigated this report extensively.
However, the only case in which we were able to recover the
credentials was one in which the attacker had
administrative privileges on the machine, and used a
debugger to directly access memory. We repeatedly asked
Camisade to provide information or code to substantiate
their claim that an attacker could exploit this
vulnerability with normal user privileges, but they never
provided it.
RADIX1112200103. The most important point to note here is
that this is a denial of service against the RunAs service
only -- it would not allow the system or any other services
to be disrupted. Further, the exploit scenario is fairly
restricted. An attacker could only exploit this
vulnerability on the local machine, so the sole outcome of
a successful attack would be to deny use of the RunAs
service to the attacker himself (or, in the case of a
terminal server, to other users of that machine).
We do agree with Camisade that in each case there is a flaw
we need to fix. However, the changes are fairly complex
and will require significant testing to ensure their
quality. After weighing the many mitigating factors
associated with these bugs versus the complexity of the
needed changes, we concluded -- and continue to believe --
that fixing them in Windows 2000 Service Pack 3 is the best
course of action.
I hope that helps to clarify what's going on here.
Regards,
Christopher Budd
Security Program Manager
Microsoft Security Response Center
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----