From: Quimeras [quimeras@teleline.es]
Sent: Sunday, September 15, 2002 1:32 PM
To: ntsecurity@iss.net
Subject: [NTSEC] Windows NT Remote Exploit

I don't know if this is known, but I think there is a very dangerous bug in the Remote Access Service Manager. This is not a buffer overflow; I think this is a very serious bug.

Systems affected: Windows NT Server & Workstation, SP3, SP4, SP5 with Remote Access Service Manager (RasMan) installed (RRAS is also affected). Not tested on W2K.

Risk: An unprivileged network user can gain admin privileges.

DESCRIPTION
----------------------

Any domain user can enumerate services on any domain machine:

    SC_HANDLE hSCM = OpenSCManager(machinename, NULL, SC_MANAGER_ENUMERATE_SERVICE);

So you can open a handle to the Service Control Manager; the bug is that with this handle you can obtain full access to the RasMan service:

    SC_HANDLE hService = OpenService(hSCM, _TEXT("RasMan"), SERVICE_ALL_ACCESS);

Now you can change the RasMan configuration, for example the binary path name, and run a malicious service with System privileges.

For a demonstration exploit visit: http://www.teleline.es/personal/quimeras/ntsu
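As an added defender's check, not part of the original post: a small Python helper that parses the DACL of a service security descriptor in SDDL form (the format later Windows versions print with `sc.exe sdshow <service>`, an assumed input source) and flags allow ACEs that grant reconfiguration, start/stop or re-ACL rights to broad trustees such as Everyone or Authenticated Users. That is exactly the over-permissive grant that lets the OpenService(..., SERVICE_ALL_ACCESS) call above succeed for an ordinary user. The two sample descriptors are constructed for illustration, not captured from a real NT host.

```python
import re

# Two-letter SDDL right abbreviations that let a caller reconfigure, start/stop
# or re-ACL a service. DC is the one the post's attack path needs (binary path).
DANGEROUS_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
HEX_RIGHTS = {0x2: "SERVICE_CHANGE_CONFIG", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",      # same bits, for ACEs
              0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE"}  # with hex masks
# Well-known trustees that every ordinary local or domain user belongs to.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                  "IU": "Interactive", "DU": "Domain Users"}

def parse_dacl(sddl):
    """Return [(ace_type, set_of_dangerous_right_names, trustee)] for the D: part."""
    start = sddl.find("D:")
    if start < 0:
        return []
    dacl = sddl[start + 2:].split("S:")[0]   # drop the SACL section, if any
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")              # type;flags;rights;objguid;inhguid;sid
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            names = {n for bit, n in HEX_RIGHTS.items() if mask & bit}
        else:
            pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            names = {DANGEROUS_RIGHTS[p] for p in pairs if p in DANGEROUS_RIGHTS}
        aces.append((ace_type, names, trustee))
    return aces

def weak_grants(sddl):
    """Sorted (trustee, right) pairs where an allow ACE gives a broad trustee a
    dangerous right. Deny ACEs are not modelled, so treat hits as leads to verify."""
    hits = set()
    for ace_type, names, trustee in parse_dacl(sddl):
        if ace_type == "A" and trustee in BROAD_TRUSTEES:
            hits.update((BROAD_TRUSTEES[trustee], n) for n in names)
    return sorted(hits)

# Constructed sample descriptors (not captured from a real NT host).
LOCKED_DOWN = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;AU)")                 # AU: query/status only
WIDE_OPEN = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")    # AU: full control
```

Run `weak_grants()` over each service's descriptor to find the ones an ordinary user could reconfigure; an empty list for every service is the state you want.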