Microsoft KB Archive/242294

= MS99-041: Security Descriptor Allows Privilege Elevation on Remote Computers =

Article ID: 242294

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition

-



This article was previously published under Q242294



SYMPTOMS
A malicious user may be able to cause a different program to run in place of Rasman. Significantly, this program would run in the System context and allow the program to take almost any action on the computer.



CAUSE
This behavior occurs because the security descriptor that secures the Rasman.exe file contains inappropriate Access Control Entries (ACEs) in its Discretionary Access Control List (DACL). The incorrect ACE could allow an unprivileged user to change Rasman's operating parameters (including the location of the Rasman executable file) using Service Control Manager.



RESOLUTION
Microsoft has released a tool to reset the permissions to the appropriate value.

Windows NT 4.0
A supported fix that corrects this problem is now available from Microsoft, but has not been fully regression tested and should be applied only to systems determined to be at risk of attack. Please evaluate your system's physical accessibility, network, and Internet connectivity, and other factors to determine the degree of risk to your system. If your system is sufficiently at risk, Microsoft recommends that you apply this fix. Otherwise, wait for the next Windows NT 4.0 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

This hotfix has been posted to the following Internet location as Fixrasi.exe (x86) and Fixrasa.exe (Alpha):

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp6/security/rasman-fix/

NOTE: If you run this file on a computer that cannot connect to the IPC$ share on the remote computer or if the credentials of the logged on user do not have administrative privileges on the remote computer, you may receive an error message stating that RasMan was not fixed.

Terminal Server Edition
To resolve this problem, either obtain the hotfix referenced in this section or the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For additional information about the SRP, click the article number below to view the article in the Microsoft Knowledge Base:

317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. This hotfix has been posted to the following Internet location as Fixrasi.exe (x86) and Fixrasa.exe (Alpha):

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp6/security/rasman-fix/

NOTE: The files in the above folder run on Windows NT Server 4.0, Terminal Server Edition, too.

NOTE: If you run this file on a computer that cannot connect to the IPC$ share on the remote computer or if the credentials of the logged on user do not have administrative privileges on the remote computer, you may receive an error message stating that RasMan was not fixed.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
You can use the Rasman tool to manage dial-up connections. The vulnerability has nothing to do with Rasman itself; the vulnerability occurs because there is an opportunity for a malicious user to cause other code to run in place of Rasman.

You can use Service Control Manager (SCM) to create or modify system services. Security descriptors control access to operating system objects. Services (including Rasman) are among the objects to which security descriptors apply. A security descriptor includes a DACL. A DACL is a list of ACEs. Each ACE specifies the particular rights that one user or group has with respect to the object. The DACL therefore comprises the entire list of rights that all users and groups have with respect to the object.

Like other services, Rasman's DACL should only allow administrators to manage Rasman. However, there is an erroneous ACE in the DACL for Rasman, which allows any user to manage Rasman using Service Control Manager. A malicious user could exploit this situation.

A malicious user could request a change in the location and name of the program for the service. By doing so, a malicious user could substitute any arbitrary program for the legitimate service, which could be run in a System context. This vulnerability can be exploited remotely and this issue does not occur accidentally.

The privileges that a user could gain depend on the specific computer that is compromised. If a workstation is compromised, the malicious user gains complete control of the workstation, but cannot directly use this vulnerability to extend control to other computers. However, if a critical computer (for example, a domain controller) is attacked, the malicious user could gain control of the entire network.

There is no vulnerability in Remote Access Service (RAS) functionality. This problem results because of inappropriate permissions on a registry key; it is coincidental that the registry key is associated with the RAS service. RAS itself, including its security features, is not affected by this vulnerability.

For related information on this problem, please visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS99-041.mspx

For additional security-related information about Microsoft products, please visit the following Microsoft Web site:

http://www.microsoft.com/security/

Additional query words: security_patch

Keywords: kbhotfixserver kbqfe kbbug kbfix kbsectools kbsecurity KB242294

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.