Bugtraq mailing list archives

Buffer Overruns in RAS allows execution of arbitrary code as system


From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Wed, 19 May 1999 11:37:00 +0100


Introduction
Microsoft's RAS Service on Windows NT (all service packs) contains numerous
buffer overruns that allow execution of arbitrary code, which can let an
attacker gain system-level privileges on the machine.

Details

The RAS service is used so that remote users may dial in to the RAS server
and be able to access resources local to the RAS server or the network it is
attached to as a whole. RAS is also the service used when users wish to dial
out from an NT machine, for instance, into their Internet Service Provider.

With the RAS service comes RASSRV.EXE, which implements the Remote Access
Server service and accepts incoming calls, and RASMAN.EXE, which
implements the RAS Autodial Manager and RAS Connection Manager services
used to dial out. RASPHONE.EXE is the application used when a user
manually dials out, and also for editing the Phone Book. RASDIAL.EXE is also
used to dial out.

RASSRV.EXE and RASMAN.EXE are system processes and run in the security
context of the system, whereas RASPHONE.EXE and RASDIAL.EXE normally run in
the security context of the user who starts the process. From tests it seems
that RASSRV.EXE does not have this problem, however all the others do.

The buffer overruns occur because the RAS API functions, such as
RasGetDialParams(), perform no bounds checking when they fill structures
that contain fixed-size character arrays.

For instance, when the Autodial Manager dials out it uses the
RasGetDialParams() function to read in such things as the telephone number
from the Phonebook, rasphone.pbk. It places these into the RASDIALPARAMS
structure, which contains character arrays. Because no bounds checking is
performed, if rasphone.pbk contains an overly long telephone number,
RASMAN.EXE will crash with an access violation. If the phone number is over 299
characters in length, the processor's EIP is overwritten, so the program's
order of execution can be completely changed and arbitrary code executed,
though more on this later. By default rasphone.pbk gives the Everyone group
the Change NTFS permission, meaning that anyone with access to this file may
edit its contents and trigger the buffer overflow. Permissions for this file
should be tightened, although a normal user can create their own Phone Book
for use with RAS, meaning that, irrespective of the permissions on
rasphone.pbk in the %systemroot%\system32\ras directory, these attacks can
still be performed.
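The defect described above is the classic unchecked copy of an ini-style value into a fixed-size struct field. The following is an added example (not code from the advisory, from Microsoft, or from the RAS service) showing the bounded copy that prevents it, plus a small audit routine an administrator could run over a phonebook file to find values that would not fit. The field sizes, the struct layout and the key names (Entry=, PhoneNumber=) are assumptions made for illustration; the advisory only states that a number over 299 characters reaches the return address.

```c
#include <stdio.h>
#include <string.h>

/* Field sizes are ASSUMPTIONS for illustration; the advisory does not give
 * the real RASDIALPARAMS array lengths, only that a number over 299
 * characters overwrites the saved return address. */
#define NAME_MAX  64
#define PHONE_MAX 128

typedef struct {
    char entry_name[NAME_MAX];
    char phone_number[PHONE_MAX];
} dial_params_t;

/* The vulnerable pattern is a plain strcpy(p->phone_number, value) with
 * no length check. The hardened form below copies a value into a
 * fixed-size field only if it fits with its terminator; it returns 1 on
 * success, 0 if the value is too long, and never writes past the field. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return 0;
    memcpy(dst, src, len + 1);
    return 1;
}

/* Parse one "Key=Value" line of a phonebook entry into the struct.
 * Returns 1 if accepted, 0 if the value would overrun its field,
 * -1 if the line carries no recognised key (section headers, blanks). */
int parse_phonebook_line(dial_params_t *p, const char *line)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    size_t keylen = (size_t)(eq - line);
    const char *value = eq + 1;

    if (keylen == 11 && strncmp(line, "PhoneNumber", 11) == 0)
        return copy_bounded(p->phone_number, sizeof p->phone_number, value);
    if (keylen == 5 && strncmp(line, "Entry", 5) == 0)
        return copy_bounded(p->entry_name, sizeof p->entry_name, value);
    return -1;
}

/* Audit a whole phonebook text: count the lines whose value cannot fit its
 * fixed-size field. A non-zero count means the file would overrun the
 * unchecked copy in an unpatched service. */
int audit_phonebook(const char *text)
{
    dial_params_t scratch;
    char line[4096];
    int rejected = 0;

    while (*text != '\0') {
        const char *nl = strchr(text, '\n');
        size_t n = nl ? (size_t)(nl - text) : strlen(text);
        if (n >= sizeof line) {
            rejected++;                 /* longer than any field could hold */
        } else {
            memcpy(line, text, n);
            line[n] = '\0';
            if (parse_phonebook_line(&scratch, line) == 0)
                rejected++;
        }
        text = nl ? nl + 1 : text + n;
    }
    return rejected;
}

/* Build a CONSTRUCTED phonebook with one entry whose number is `digits`
 * characters long, then audit it. Returns the count of over-long fields. */
int audit_constructed_sample(size_t digits)
{
    char book[1024];
    size_t off = 0;

    if (digits > 600)
        digits = 600;                   /* keep the sample inside `book` */
    off += (size_t)snprintf(book + off, sizeof book - off,
                            "[Office]\nEntry=Office\nPhoneNumber=");
    memset(book + off, '5', digits);
    off += digits;
    snprintf(book + off, sizeof book - off, "\nDevice=Modem\n");
    return audit_phonebook(book);
}

int main(void)
{
    printf("12-digit number:  %d over-long field(s)\n", audit_constructed_sample(12));
    printf("300-char number:  %d over-long field(s)\n", audit_constructed_sample(300));
    return 0;
}
```

The key point is in copy_bounded: the destination size travels with the destination, so a value that does not fit is refused rather than truncated silently or written past the end. The audit loop reuses the same parser, which keeps the check that protects the service and the check an administrator runs over a user-supplied phonebook identical.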

As far as impact is concerned, if RASMAN.EXE is overflowed, anybody with
local access to the machine can gain elevated privileges at Administrator
level. RASPHONE.EXE and RASDIAL.EXE are often used in conjunction with the
Scheduler Service, a system service, and may also be exploited to gain
access to the system.

Administrators are therefore strongly advised to apply the patch from
Microsoft as soon as possible.

Further to this advisory I have written a document on buffer overruns in
Windows NT and their exploitation, looking at RASMAN.EXE as an example. This
can be found at http://www.infowar.co.uk/mnemonix/ntbufferoverruns.htm.


Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com


