Microsoft RAS Service has buffer overruns allowing arbitrary code execution and system access.
`Date: Wed, 19 May 1999 11:37:00 +0100
From: Mnemonix <[email protected]>
To: [email protected]
Subject: Buffer Overruns in RAS allow execution of arbitrary code as system
Introduction
Microsoft's RAS Service on Windows NT (all service packs) contains numerous
buffer overruns that allow execution of arbitrary code that can allow an
attacker to gain system privilege access to the machine.
Details
The RAS service is used so that remote users may dial in to the RAS server
and be able to access resources local to the RAS server or the network it is
attached to as a whole. RAS is also the service used when users wish to dial
out from an NT machine, for instance, into their Internet Service Provider.
With the RAS service comes RASSRV.EXE, which implements the Remote Access
Server service and is used for accepting incoming calls, RASMAN.EXE which
implements the RAS Autodial Manager and RAS Connection Manager services
which are used to dial out. RASPHONE.EXE is the application used when a user
manually dials out, as well as editing the Phone Book. RASDIAL.EXE is also
used to dial out.
RASSRV.EXE and RASMAN.EXE are system processes and run in the security
context of the system whereas RASPHONE.EXE and RASDIAL.EXE normally run in
the security context of the user who starts the process. From tests it seems
that RASSRV.EXE does not have this problem, however all the others do.
The buffer overruns occur because the RAS API functions, such as
RasGetDialParams( ), perform no bounds checking and fill structures that
contain character arrays.
For instance, when the Autodial Manager dials out it uses the
RasGetDialParams( ) function to read in such things as the telephone number
from the Phonebook, rasphone.pbk. It places these into the RASDIALPARAMS
structure that contains character arrays. Because no bounds checking is
performed, if the rasphone.pbk contains an overly long telephone number it
will cause RASMAN.EXE to access violate. If the phone number is over 299
characters in length we overwrite the processor's EIP and can completely
change the program's order of execution and execute arbitrary code, though
more on this later. By default rasphone.pbk gives Everybody the Change NTFS
permission meaning that anyone with access to this file may edit its
contents and cause the buffer overflow. Permissions for this file should be
tightened, although a normal user can create their own Phone Book for use
with RAS, meaning that, irrespective of the permissions on rasphone.pbk in
the %systemroot%\system32\ras directory, these attacks can still be
performed.
As far as impact is concerned, if RASMAN.EXE is overflowed it means that
anybody with local access to the machine can gain elevated privileges to
Administrator level. As far as RASPHONE.EXE and RASDIAL.EXE are concerned
these two programs are often used in conjunction with the Scheduler Service,
a system service, and may also be exploited to gain access to the system.
Administrators are therefore strongly advised to apply the patch from
Microsoft as soon as possible.
Further to this advisory I have written a document on buffer overruns in
Windows NT and their exploitation, looking at RASMAN.EXE as an example. This
can be found at http://www.infowar.co.uk/mnemonix/ntbufferoverruns.htm.
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com
----------------------------------------------------------------------------
Date: Thu, 20 May 1999 16:18:54 -0400
From: Russ <[email protected]>
To: [email protected]
Subject: Alert: Microsoft Security Bulletin (MS99-016) - RAS Phonebook
Microsoft have released a patch for Mnemonix's buffer overrun discovery.
See;
http://www.microsoft.com/security/bulletins/ms99-016.asp
for further details and download locations.
Cheers,
Russ - NTBugtraq Editor
`
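The pattern the advisory describes, a fixed-size character array inside a structure being filled from a phonebook entry whose length is never checked, is shown below as an added example. This is not code from the advisory, from Microsoft's RAS implementation, or from David Litchfield's follow-up document. The 128-character field size, the `PhoneNumber=` key name in the INI-style section, and every function name here are assumptions made for illustration; the real structure layout is not given on the page. The unchecked loader is kept beside the bounded one for comparison only, and a small audit helper reports the longest number in a phonebook so an administrator can find entries that would overrun the array.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the phone-number array. The advisory gives no structure
 * layout; it only reports that more than 299 characters reaches EIP. */
#define PHONE_NUMBER_MAX 128

/* Stand-in for a dial-parameter structure holding character arrays. */
struct dial_params {
    char entry_name[32];
    char phone_number[PHONE_NUMBER_MAX + 1];
};

/* Locate `key=` at the start of a line and return a pointer to its value. */
static const char *pbk_find_value(const char *pbk, const char *key)
{
    size_t klen = strlen(key);
    const char *p = pbk;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, '\n');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Length of a value: everything up to the end of its line. */
static size_t pbk_value_len(const char *value)
{
    return strcspn(value, "\r\n");
}

/* VULNERABLE pattern: the copy length comes from the file and is never
 * compared with sizeof out->phone_number, so a long PhoneNumber= line writes
 * past the array. Present for comparison only; never run it on untrusted input. */
int load_phone_number_unchecked(const char *pbk, struct dial_params *out)
{
    const char *v = pbk_find_value(pbk, "PhoneNumber");
    if (v == NULL)
        return -1;
    size_t n = pbk_value_len(v);
    memcpy(out->phone_number, v, n);
    out->phone_number[n] = '\0';
    return 0;
}

/* Hardened form: bound the length against the array and accept only dial-string
 * characters. Rejecting rather than truncating avoids silently dialling a
 * different number from the one configured. */
int load_phone_number_checked(const char *pbk, struct dial_params *out)
{
    const char *v = pbk_find_value(pbk, "PhoneNumber");
    if (v == NULL)
        return -1;                               /* key missing */
    size_t n = pbk_value_len(v);
    if (n == 0 || n > PHONE_NUMBER_MAX)
        return -2;                               /* empty or overlong */
    if (strspn(v, "0123456789+-*#,() ") < n)
        return -3;                               /* unexpected characters */
    memcpy(out->phone_number, v, n);
    out->phone_number[n] = '\0';
    return 0;
}

/* Convenience wrapper: the checked number, or NULL if the entry was rejected. */
const char *checked_phone_number(const char *pbk)
{
    static struct dial_params dp;
    memset(&dp, 0, sizeof dp);
    return load_phone_number_checked(pbk, &dp) == 0 ? dp.phone_number : NULL;
}

/* Audit helper: longest PhoneNumber= value in a phonebook, to flag entries
 * that would overrun the array before a loader ever touches them. */
size_t pbk_longest_phone_number(const char *pbk)
{
    size_t longest = 0;
    const char *p = pbk;
    while ((p = pbk_find_value(p, "PhoneNumber")) != NULL) {
        size_t n = pbk_value_len(p);
        if (n > longest)
            longest = n;
        p += n;
    }
    return longest;
}

int main(void)
{
    /* Constructed sample entries in the INI layout a .pbk file uses. */
    static const char good[] = "[MyISP]\r\nPhoneNumber=01234567890\r\nDevice=Modem\r\n";
    char bad[512];
    struct dial_params dp;

    memset(&dp, 0, sizeof dp);
    printf("checked load: %d, number=%s\n",
           load_phone_number_checked(good, &dp), dp.phone_number);

    /* A 300-digit number, the size class the advisory says overwrites EIP. */
    snprintf(bad, sizeof bad, "[Evil]\r\nPhoneNumber=%0300d\r\n", 0);
    printf("checked load of overlong entry: %d, longest number in file: %zu (limit %d)\n",
           load_phone_number_checked(bad, &dp),
           pbk_longest_phone_number(bad), PHONE_NUMBER_MAX);
    /* load_phone_number_unchecked(bad, &dp) would write 300 - PHONE_NUMBER_MAX
     * bytes past the array, so it is deliberately not called here. */
    return 0;
}
```

The audit helper is the piece worth running on a real phonebook before patching: any entry longer than the field the loader uses is the trigger the advisory describes, whether it sits in the shared `%systemroot%\system32\ras\rasphone.pbk` or in a phonebook a user created for themselves.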