COMMAND

    RAS

SYSTEMS AFFECTED

    Win NT 4.0 (up to SP5 and with it)

PROBLEM

    Mnemonix found the following.  Microsoft's RAS Service on Windows NT
    (all service packs) contains numerous buffer overruns that allow
    execution of arbitrary code and can let an attacker gain system
    privilege access to the machine.

    The RAS service is used so that remote users may dial in to the RAS
    server and access resources local to the RAS server or to the
    network it is attached to as a whole.  RAS is also the service used
    when users wish to dial out from an NT machine, for instance into
    their Internet Service Provider.  With the RAS service comes
    RASSRV.EXE, which implements the Remote Access Server service and is
    used for accepting incoming calls, and RASMAN.EXE, which implements
    the RAS Autodial Manager and RAS Connection Manager services that
    are used to dial out.  RASPHONE.EXE is the application used when a
    user manually dials out, as well as for editing the Phone Book.
    RASDIAL.EXE is also used to dial out.  RASSRV.EXE and RASMAN.EXE are
    system processes and run in the security context of the system,
    whereas RASPHONE.EXE and RASDIAL.EXE normally run in the security
    context of the user who starts the process.  From tests it seems
    that RASSRV.EXE does not have this problem; however, all the others
    do.  The buffer overruns occur because the RAS API functions, such
    as RasGetDialParams( ), perform no bounds checking when they fill
    structures that contain character arrays.

    For instance, when the Autodial Manager dials out it uses the
    RasGetDialParams( ) function to read in such things as the telephone
    number from the Phonebook, rasphone.pbk.  It places these into the
    RASDIALPARAMS structure, which contains character arrays.  Because
    no bounds checking is performed, if rasphone.pbk contains an overly
    long telephone number it will cause RASMAN.EXE to crash with an
    access violation.  If the phone number is over 299 characters in
    length we overwrite the processor's EIP and can completely change
    the program's order of execution and execute arbitrary code, though
    more on this later.  By default rasphone.pbk gives Everybody the
    Change NTFS permission, meaning that anyone with access to this file
    may edit its contents and cause the buffer overflow.  Permissions
    for this file should be tightened, although a normal user can create
    their own Phone Book for use with RAS, meaning that, irrespective of
    the permissions on rasphone.pbk in the %systemroot%\system32\ras
    directory, these attacks can still be performed.
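    The bounds check the RAS API lacks, as an added example (not
    Mnemonix's or Microsoft's code): a reader for an INI-style phonebook
    that refuses a PhoneNumber value too long for its destination array
    instead of overrunning it.  The INI layout of the phonebook and the
    128-character array size are assumptions; the advisory gives neither.

```c
#include <stdio.h>
#include <string.h>

/* Bounds-checked reader for an INI-style phonebook (assumed layout):
 * copies the PhoneNumber of [entry] into out (capacity cap).  Returns 0
 * on success, -1 if entry/key is absent, -2 if the value would overrun
 * out.  The unchecked variant the advisory describes is this same copy
 * with the "vlen >= cap" test missing. */
int load_phone_number(const char *pbk, const char *entry,
                      char *out, size_t cap)
{
    char header[256];
    int in_entry = 0;
    const char *p = pbk;
    snprintf(header, sizeof header, "[%s]", entry);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;    /* tolerate CRLF */
        if (len && p[0] == '[')                  /* section header */
            in_entry = len == strlen(header) && memcmp(p, header, len) == 0;
        else if (in_entry && len >= 12 && memcmp(p, "PhoneNumber=", 12) == 0) {
            size_t vlen = len - 12;
            if (vlen >= cap) return -2;          /* the missing check */
            memcpy(out, p + 12, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

/* Constructed sample phonebook: a benign entry and one whose number is
 * 300 characters long, past the 299-character point the advisory names.
 * Returns 1 when the benign entry loads and the long one is refused. */
int demo(void)
{
    static char pbk[512];
    char out[129] = "";                          /* assumed array size */
    size_t n = (size_t)snprintf(pbk, sizeof pbk,
        "[Office]\r\nPhoneNumber=5551234\r\n[Long]\r\nPhoneNumber=");
    memset(pbk + n, '9', 300);
    pbk[n + 300] = '\0';
    int ok = load_phone_number(pbk, "Office", out, sizeof out);
    int bad = load_phone_number(pbk, "Long", out, sizeof out);
    printf("Office -> %d (%s), Long -> %d\n", ok, out, bad);
    return ok == 0 && bad == -2;
}
```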

    As far as impact is concerned, if RASMAN.EXE is overflowed it means
    that anybody with local access to the machine can gain elevated
    privileges to Administrator level.  As far as RASPHONE.EXE and
    RASDIAL.EXE are concerned, these two programs are often used in
    conjunction with the Scheduler Service, a system service, and may
    also be exploited to gain access to the system.

    Further  to  this  advisory  Mnemonix  has  written  a document on
    buffer overruns in Windows  NT and their exploitation,  looking at
    RASMAN.EXE as an example.  This can be found at

        http://www.infowar.co.uk/mnemonix/ntbufferoverruns.htm

SOLUTION

    Microsoft has released a patch that eliminates a vulnerability  in
    the  Windows  NT  remote  access  service (RAS) client.  Microsoft
    highly recommends that customers evaluate the degree of risk  that
    this vulnerability poses to their systems and determine whether to
    download and install the patch. The patch can be found at:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/RAS-fix/