lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050614102345.4797.qmail@securityfocus.com>
Date: 14 Jun 2005 10:23:45 -0000
From: lsth75@...mail.com
To: bugtraq@...urityfocus.com
Subject: Local privilege escalation using runasp V3.5.1


Hi list,

Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below, 
that allows local privilege escalation. 

Vendor: MAST-Computer
Homepage of product : http://www.mast-computer.com/c_9-s_7-l_en.html

Description of product:
For Windows 2000, Windows XP 
RunAs Professional is a substitute for Microsoft's command runas.
RunAs Professional solves the problem that
normal runas does not support the commandline
parameter password. 

Now you can use RunAs Professional to install
 software, use it in batch scripts and much more.


Bug description: 
This software uses a crypted .rap file to store
the parameters such as DOMAIN NAME/USERNAME/PASSWORD,
 PATH and EXE name
in order to do a "runas" from a script.

A normal user is able to see the exe filename just by double clicking runasp.exe and load the .rap file 
(here password is hidden)

It seems that the called exe is not CRC checked,
so it's possible for example to rename cmd.exe to the name of the original exe, so when running
 the original script ("runasp test.rap" , you'll get a nice DOS box with administrator rights.

Workaround :
Modify code to embed CRC sum in crypted file

Can anyone confirm, thx ?

Vendor not yet contacted

Regards
traxx
=======================================
==> Visit us @ www.knowledgecave.com <==
=======================================


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ