RE:Radix Research Reports RADIX1112200101, RADIX1112200102, and RADIX1112200103

["Microsoft Security Response Center" <secure () microsoft com>]

-----BEGIN PGP SIGNED MESSAGE-----

Hi All -

I'd like to provide some additional information about the 
vulnerabilities reported by Camisade regarding the Windows 
2000 RunAs service.  Briefly,  RADIX1112200101 and 
RADIX1112200102 discuss scenarios in which the author 
reports that it could be possible to compromise the 
credentials of a RunAs user, while RADIX1112200103 
discusses a denial of service opportunity against the RunAs 
service.  Microsoft investigated all the reports thoroughly 
as soon as we received them, and kept Camisade abreast of 
our progress.  Here's what we found.

RADIX1112200101.  In order to exploit this vulnerability, 
the attacker would need the ability to pause the RunAs 
service.  However, this requires administrative privileges.  
Clearly, if the attacker already has administrative 
privileges on the machine, the system is completely 
compromised and all bets are off.  Even an attacker who did 
have administrative privileges on the machine would need to 
exploit the vulnerability at exactly the moment when 
another user used the RunAs service in order to recover the 
other user's credentials.

RADIX1112200102.  We investigated this report extensively.  
However, the only case in which we were able to recover the 
credentials was one in which the attacker had 
administrative privileges on the machine, and used a 
debugger to directly access memory.  We repeatedly asked 
Camisole to provide information or code to substantiate 
their claim that an attacker could exploit this 
vulnerability with normal user privileges, but they never 
provided it.

RADIX1112200103.  The most important point to note here is 
that this is a denial of service against the RunAs service 
only -- it would not allow the system or any other services 
to be disrupted.  Further, the exploit scenario is fairly 
restricted.  An attacker could only exploit this 
vulnerability on the local machine, so the sole outcome of 
a successful attack would be to deny use of the RunAs 
service to the attacker himself (or, in the case of a 
terminal server, to other users of that machine)

We do agree with Camisade that in each case there is a flaw 
we need to fix.  However, the changes are fairly complex 
and will require significant testing to ensure their 
quality.  After weighing the many mitigating factors 
associated with these bugs versus the complexity of the 
needed changes, we concluded -- and continue to believe -- 
that fixing them in Windows 2000 Service Pack 3 is the best 
course of action.

I hope that helps to clarify what's going on here.

Regards,

Christopher Budd
Security Program Manager
Microsoft Security Response Center



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBO/K0co0ZSRQxA/UrAQHnmggAgLWah3FgxnW6/x1gAABm5qkFo6Y+oz4f
2sXNLiHTbvDe7OmW3KxAhRWG2eWQr80CyivAOjAz6wNBDtJwtqvlWgUA4Ae/teRh
uB5e5CyNzvlGYbCqe1Bd5VmyQ9AUpMQgzrSL50KIp1qD65M/RZhJKYKQStESUGcZ
K4AeDGMHTM0MUgcDxHXwjiaMATCRSpllrMJ1WcsomL6k89yC1LmQ1OVyrukwIvoZ
9DV6k2eJ2Jitsjc+L3M/WYXW/sZzV9CEFv2JyvFrpYnIxf8RfQVoyID6ms9VF44M
ejuU2Ik8z00PLHsyJML9L3SmrrmyXU9hFEUiu+558d8XvqgKrsINGw==
=noxj
-----END PGP SIGNATURE-----