Microsoft Windows 2000 runas.exe Cleartext Authentication Information Disclosure

2001-11-12T04:17:53
ID OSVDB:20220
Type osvdb
Reporter Steve(steve@securesolutions.org)
Modified 2001-11-12T04:17:53

Description

Vulnerability Description

Microsoft Windows 2000 has been reported to contain a flaw that may lead to information disclosure through use of the RUN AS service. Memory used by the runas.exe program is not cleared after use and might be assigned to another program. An attacker with local privileges can reportedly gain access to this memory, potentially obtaining sensitive information. However, the vendor notes that gaining access to this program and its memory would require administrator privileges, making this a non-issue.

Solution Description

The reported vulnerability is incorrect. No solution is required.

References:

Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0041.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-11/0094.html
Keyword: RADIX1112200102
ISS X-Force ID: 7531
CVE-2001-1517
Bugtraq ID: 3184