Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below,
that allows local privilege escalation.
Vendor: MAST-Computer
Homepage of product : http://www.mast-computer.com/c_9-s_7-l_en.html
Description of product:
For Windows 2000, Windows XP
RunAs Professional is a substitute for Microsoft's command runas.
RunAs Professional solves the problem that
normal runas does not support the commandline
parameter password.
Now you can use RunAs Professional to install
software, use it in batch scripts and much more.
Bug description:
This software uses a crypted .rap file to store
the parameters such as DOMAIN NAME/USERNAME/PASSWORD,
PATH and EXE name
in order to do a "runas" from a script.
A normal user is able to see the exe filename just by double clicking runasp.exe and load the .rap file
(here password is hidden)
It seems that the called exe is not CRC checked,
so it's possible for example to rename cmd.exe to the name of the original exe, so when running
the original script ("runasp test.rap" , you'll get a nice DOS box with administrator rights.
Workaround :
Modify code to embed CRC sum in crypted file
Can anyone confirm, thx ?
Vendor not yet contacted
Regards
traxx
=======================================
==> Visit us @ www.knowledgecave.com <==
=======================================
Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below,
that allows local privilege escalation.
Vendor: MAST-Computer
Homepage of product : http://www.mast-computer.com/c_9-s_7-l_en.html
Description of product:
For Windows 2000, Windows XP
RunAs Professional is a substitute for Microsoft's command runas.
RunAs Professional solves the problem that
normal runas does not support the commandline
parameter password.
Now you can use RunAs Professional to install
software, use it in batch scripts and much more.
Bug description:
This software uses a crypted .rap file to store
the parameters such as DOMAIN NAME/USERNAME/PASSWORD,
PATH and EXE name
in order to do a "runas" from a script.
A normal user is able to see the exe filename just by double clicking runasp.exe and load the .rap file
(here password is hidden)
It seems that the called exe is not CRC checked,
so it's possible for example to rename cmd.exe to the name of the original exe, so when running
the original script ("runasp test.rap" , you'll get a nice DOS box with administrator rights.
Workaround :
Modify code to embed CRC sum in crypted file
Can anyone confirm, thx ?
Vendor not yet contacted
Regards
traxx
=======================================
==> Visit us @ www.knowledgecave.com <==
=======================================
[ reply ]