COMMAND

    (R)RAS

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    Credit for the following info goes to Lisa O'Connor, Martin Dolphin,
    Joe Greene and Eric Schultze.  Windows NT allows users to save their
    RAS credentials by using the 'Save Password' checkbox when making a
    dial-up connection.  Credentials saved in this manner are stored in
    the following registry key:

        HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasCredentials!SID#0

    These credentials can be enumerated using the LSA secrets code (as
    identified by Paul Ashton in a prior submission to NTBugtraq).

    If a user leaves the 'Save Password' checkbox unchecked, expecting
    the password not to be stored, RAS will STILL save the successful
    connection information, including the password, in the

        HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\RasDialParams!SID#0

    registry key.  This too can be enumerated using the LSA secrets code.
    NOTE: Administrator privileges are needed to execute the LSA secrets
    code.

    It is believed this behavior exists so that Windows NT can
    automatically re-establish a dial-up session that has been
    unexpectedly terminated.  In order to "re-dial", Windows NT needs to
    keep the RAS credentials available for automatic re-authentication.
    It is also believed that Windows NT uses the RasDialParams key to
    hold the RAS credentials for just this purpose (instead of keeping
    them in temporary protected memory).  Unfortunately, the credentials
    are not cleared from this key after the session is properly
    terminated.

    The following scenarios are some potential areas where we think this
    behavior could give access to username and password information that
    could not be gained from the NT SAM:

    1) A user may have a dial-up ISP account with an account name and
       password that is separate from their local\domain NT account.

    2) Users may have RAS/PPTP access to domains other than the domain
       that the user is a member of, also not stored in the SAM
       (vendor connections, non-trusted domains, etc.).

    3) If an Administrator attempting to troubleshoot or set up a user's
       workstation needs to dial in from that workstation and doesn't
       click the 'Save Password' box, then he/she should be able to
       assume that his/her password will not be saved on that user's
       workstation.

    4) Windows NT 'public access' machines, such as the machines
       available at training classes, airports, etc.

    A simple demonstration is to log on as a user and identify the SID
    of the user using getsid or any other means.  Use the LSA secrets
    code to dump the RasDialParams and RasCredentials for the user.
    Create a new dial-up networking connection.  DO NOT save the
    password.  After successfully connecting to the remote end, re-dump
    the RasDialParams and RasCredentials entries.  The new successful
    connection password will be saved in the RasDialParams value even
    though you didn't check the 'Save Password' box.

    Dieter Goepferich reported it in Heise Online, a German publication,
    along with an exploit:

        http://www.heise.de/newsticker/data/cp-12.04.99-000/
        http://www.heise.de/newsticker/data/hos-15.04.99-000/

SOLUTION

    Microsoft highly recommends that customers evaluate the degree of
    risk that this vulnerability poses to their systems and determine
    whether to download and install the patch.  The patch can be found
    at:

    - RAS:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/RASPassword-fix/
    - RRAS:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/RRASPassword-fix/