RADIX1112200102

[research () camisade com]

Team RADIX Research Report: RADIX1112200102

Date Published: 11-12-2001 
Research Report ID: RADIX1112200102 
Bugtraq ID: 3184 
CVE CAN: N/A 
Title: RunAs Sensitive Data Exposure 
Class: Sensitive data exposure 
Remotely Exploitable: No 
Locally Exploitable: Yes 

Vulnerability Description: 
The command line utility "RunAs" leverages the RunAs service in an effort of launching an application in a distinct 
security context. However, the utility suffers from the fact that the buffer is never erased after the application 
terminates execution. 

Vulnerable Systems: Microsoft Windows 2000 

Solution/Vendor Information/Workaround: 
The vendor has decided to include the fix within service pack 3 (SP3). 

According to the vendor, "In February 2002, we will release Windows 2000 Service Pack 3 (SP3)". 

http://www.microsoft.com/presspass/features/2001/oct01/10-03securityqa.asp 

When service pack 3 is released, Camisade recommends installing it. 

In the meantime, do not use the RunAs service. If RunAs is never used, no application may allocate a page that contains 
RunAs-related authentication credentials. However, do not disable the RunAs service. The RADIX1112200101 vulnerability 
can only be exploited if the RunAs service is not running. The malicious attacker is performing a man in the middle 
attack using a malicious RunAs service. 

Summary: Ensure the RunAs service is in it's default setting (automatically started and running). The default install 
of the service, unused and not set to manual (or disabled) is the safest method until service pack 3 is released. As a 
temporary solution, do not use any utilities that leverage the RunAs service. This includes the RunAs command line 
utility and Explorer's RunAs functionality. 

Vendor notified on: 09-10-2001 

The vendor was notified, and confirmed receipt, approximately two months ago. In keeping with the Camisade Research 
Report Policy, the information has been made public to best benefit the security community through full disclosure. 

Credits: 
Camisade - Team RADIX (research () camisade com) http://www.camisade.com 

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or 
assistance drafting advisories please mail vulnhelp () securityfocus com. 

Technical Description - Proof of Concept Code: 
Applications that deal with highly sensitive data, such as user credentials, must ensure that those credentials are 
sufficiently destroyed after their use. 

The RunAs utility performs no such destruction with credentials supplied by the user. They are left, in plaintext, on 
the application's stack when the application has terminated. Those credentials will be present when an arbitrary 
application or driver has reallocated that particular allocation page. 

A malicious application could wait for a RunAs session to terminate then subsequently search for that user's 
credentials. In order to execute this vulnerability, the malicious user must have interactive access to the Windows 
2000 machine. Because of this, Windows 2000 Terminal services would be most applicable for an attack.

-- 
Team RADIX -- Camisade LLC
http://www.camisade.com
Application Security Innovations
Camisade Direct: 1.800.709.1241