Microsoft Windows 2000 RunAs service reveals sensitive information
| win2k-runas-reveal-information (7531) |  Medium Risk |
Description:
The RunAs service in Windows 2000 allows a user to run applications or services legitimately as another user. The RunAs service could allow a local attacker to obtain sensitive information. When the RunAs command is executed, the username and password used for authentication is stored in memory. Once the RunAs service has terminated, a local attacker could obtain the user's authentication information if another process that the attacker is using has been allocated the same memory page.
Consequences:
Obtain Information
Remedy:
Apply the latest Windows 2000 Service Pack (SP3 or later), when it becomes available from the Microsoft Web site. See References.
As a workaround, do no use the RunAs service.
References:
- Microsoft Corporation Web site: Service Packs.
- Team RADIX Research Report: RADIX1112200102: RunAs Sensitive Data Exposure.
- BID-3184: Microsoft Windows 2000 RunAs User Credentials Exposure Vulnerability
- CVE-2001-1517: ** DISPUTED ** RunAs (runas.exe) in Windows 2000 stores cleartext authentication information in memory, which could allow attackers to obtain usernames and passwords by executing a process that is allocated the same memory page after termination of a RunAs command. NOTE: the vendor disputes this issue, saying that administrative privileges are already required to exploit it, and the original researcher did not respond to requests for additional information.
Platforms Affected:
- Microsoft Windows 2000
Reported:
Nov 12, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net