Windows RASMAN registry corruption vulnerability

2006-07-2800:00:00

SAINT Corporation

download.saintcorporation.com

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.939 High

EPSS

Percentile

99.2%

JSON

Added: 07/28/2006
CVE: CVE-2006-2371
BID: 18358
OSVDB: 26436

Background

The Routing and Remote Access Service (RRAS) allows a Windows computer to act as a router, dial-up access server, VPN server, or network address translator. The Remote Access Connection Manager (RASMAN) service handles the details of establishing the connection to the remote server.

Problem

A buffer overflow in the RASMAN service can lead to registry corruption, allowing a remote attacker to execute arbitrary commands.

Resolution

Install the patch referenced in Microsoft Security Bulletin 06-025.

References

<http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx>
<http://www.kb.cert.org/vuls/id/814644>

Limitations

In order for this exploit to succeed, valid login credentials are required, the Remote Access Connection Manager service must be started on the target, and the Routing and Remote Access service must be configured on the target. To configure the Routing and Remote Access service, open the service, right-click the computer name, choose “Configure and Enable Routing and Remote Access”, click “Next”, Choose “Network router”, click “Next”, and use the default settings to finish the configuration.

The Crypt::DES, Digest::MD4, and Digest::MD5 packages are required for performing Windows authentication, which is a requirement for successful exploitation. These packages are available from <http://cpan.org/modules/by-module/>.