Bugtraq mailing list archives
Re: Local privilege escalation using runasp V3.5.1
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 16 Jun 2005 14:27:56 +0400
Dear lsth75 () hotmail com, --Tuesday, June 14, 2005, 2:23:45 PM, you wrote to bugtraq () securityfocus com: lhc> Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below, lhc> that allows local privilege escalation. lhc> It seems that the called exe is not CRC checked, lhc> so it's possible for example to rename cmd.exe to the name of lhc> the original exe, so when running lhc> the original script ("runasp test.rap" , you'll get a nice lhc> DOS box with administrator rights. You can also rename cmd.exe to RunAsP.exe to achieve same result. You should never run application from untrusted location. Inability to check file hash in this case is, may be, a leak of feature, not vulnerability. A vulnerability could be if user can change test.rap to execute cmd.exe with somebody's permissions. -- ~/ZARAZA http://www.security.nnov.ru/
Current thread:
- Local privilege escalation using runasp V3.5.1 lsth75 (Jun 14)
- Re: Local privilege escalation using runasp V3.5.1 3APA3A (Jun 16)