Re: Local privilege escalation using runasp V3.5.1

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear lsth75 () hotmail com,

--Tuesday, June 14, 2005, 2:23:45 PM, you wrote to bugtraq () securityfocus com:

lhc> Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below,
lhc> that allows local privilege escalation. 


lhc> It seems that the called exe is not CRC checked,
lhc> so it's possible for example to rename cmd.exe to the name of
lhc> the original exe, so when running
lhc>  the original script ("runasp test.rap" , you'll get a nice
lhc> DOS box with administrator rights.

You  can  also  rename cmd.exe to RunAsP.exe to achieve same result. You
should never run application from untrusted location. Inability to check
file hash in this case is, may be, a leak of feature, not vulnerability.
A  vulnerability could be if user can change test.rap to execute cmd.exe
with somebody's permissions.


-- 
~/ZARAZA
http://www.security.nnov.ru/