14th Jun 2002 [SBWID-5433]
COMMAND
Microsoft Rasapi32.dll Buffer Overflow
SYSTEMS AFFECTED
Windows 2000 (the advisory below also reports Windows NT and Windows XP
test platforms)
PROBLEM
In NGSSoftware Insight Security Research Advisory #NISR13062002:
Rasapi32.dll contains an unchecked buffer, essentially allowing a local
user to overflow any executable that has a GUI help feature or connects
to the Internet. This can be used to obtain SYSTEM privileges on a
machine that an attacker can interactively log on to, or to "Trojan"
a machine on which they can edit the phone book properties.
Details
=======
Rasapi32.dll ships with all recent Microsoft operating systems, being
described as the "Dial-Up Networking Dynamic Linked Library and a
Remote Access API".
The overflow occurs when the code that parses RAS phonebook entries
runs; this can happen when a user logs on interactively, or when a user
views the dial-up connection properties. Specifically, an overly long
'script name' (stored in the Rasphone.pbk file) will cause the
overflow.
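The bug class described above, as an added illustration (this is not NGSSoftware's or Microsoft's code, and it does not reproduce Rasapi32.dll): a toy parser for an INI-style phonebook, with the vulnerable form (an unchecked copy of a Script= value into a fixed buffer) beside a bounded form, and a parse pass that flags entries whose script name would not fit. The [Entry] / Key=Value layout, the 260-byte buffer size and the sample phonebook text are assumptions for the example; the advisory does not state the real buffer size.

```c
/*
 * Added example: toy RAS phonebook (.pbk) parser showing an unchecked
 * copy beside a bounded copy. Not the real Rasapi32.dll code; the
 * layout and SCRIPT_MAX are assumptions made for this illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRIPT_MAX 260   /* assumed fixed buffer size (MAX_PATH-like) */

struct ras_entry {
    char name[64];
    char script[SCRIPT_MAX];
};

/* Vulnerable form: no length check, overflows when strlen(value) >= SCRIPT_MAX.
 * Only ever called with short input in this example. */
static void set_script_unchecked(struct ras_entry *e, const char *value)
{
    strcpy(e->script, value);
}

/* Hardened form: refuses values that do not fit, copies with an explicit bound.
 * Returns 0 on success, -1 when the value is rejected. */
static int set_script_checked(struct ras_entry *e, const char *value)
{
    size_t n = strlen(value);
    if (n >= sizeof e->script)
        return -1;
    memcpy(e->script, value, n + 1);
    return 0;
}

/* Walk the phonebook text line by line ("[Name]" starts an entry,
 * "Script=..." sets its script name). Returns the number of entries seen;
 * *rejected receives how many had a Script= value too long for the buffer. */
static int parse_pbk(const char *text, int *rejected)
{
    struct ras_entry cur;
    int entries = 0;
    const char *p = text;

    memset(&cur, 0, sizeof cur);
    *rejected = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r')      /* tolerate CRLF line endings */
            len--;
        if (len > 2 && p[0] == '[' && p[len - 1] == ']') {
            size_t n = len - 2;
            memset(&cur, 0, sizeof cur);
            if (n >= sizeof cur.name)
                n = sizeof cur.name - 1;
            memcpy(cur.name, p + 1, n);
            entries++;
        } else if (len > 7 && strncmp(p, "Script=", 7) == 0) {
            char *value = malloc(len - 7 + 1);
            memcpy(value, p + 7, len - 7);
            value[len - 7] = '\0';
            if (set_script_checked(&cur, value) != 0) {
                (*rejected)++;
                printf("entry [%s]: Script value of %zu bytes rejected\n",
                       cur.name, strlen(value));
            }
            free(value);
        }
        p = nl ? nl + 1 : p + len;
    }
    return entries;
}

/* Constructed sample phonebook: one well-formed entry and one whose
 * Script= value is long_len 'A' bytes, the shape of input the advisory
 * describes. Caller frees the result. */
static char *build_sample_pbk(size_t long_len)
{
    const char *head = "[Office VPN]\r\nScript=C:\\scripts\\login.scp\r\n"
                       "[Poisoned]\r\nScript=";
    size_t hl = strlen(head);
    char *buf = malloc(hl + long_len + 3);
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', long_len);
    buf[hl + long_len] = '\r';
    buf[hl + long_len + 1] = '\n';
    buf[hl + long_len + 2] = '\0';
    return buf;
}

int main(void)
{
    struct ras_entry e;
    int rejected;
    char *pbk = build_sample_pbk(600);

    memset(&e, 0, sizeof e);
    set_script_unchecked(&e, "short.scp");   /* safe only because input is short */
    printf("entries=%d rejected=%d\n", parse_pbk(pbk, &rejected), rejected);
    free(pbk);
    return 0;
}
```

The audit pass is the practical check here: run it over a machine's Rasphone.pbk and any entry reported as rejected is one that the unchecked parser would have overflowed on.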
A possible (interactive) exploit scenario would be:
- Log on to the target machine.
- Create a batch file adding your account to the "Administrators" group,
and paste exploit code that will run the batch file into the
'rasphone.pbk' file.
- Log off.
- When presented with the logon dialog box, select "Log on using dial-up
connection".
- At this point an access violation occurs in Winlogon.exe, executing your
batch file with SYSTEM privileges.
Depending on how the exploit code is written, the operating system is
likely to 'blue screen' at this point.
- After the blue screen, log on with your user name and password; your
account is now a member of the Administrators group.
An interesting aspect of this overflow is that it exploits the logon
dialog that appears after the Secure Attention Sequence (Ctrl+Alt+Del),
which is designed to prevent other programs or processes from
intervening during authentication (that is, to prevent trojan-horse
programs from being executed during the authentication process),
effectively turning a defence mechanism into a security problem.
Another interesting point is that on our Windows 2000 test platform the
overflow string was Unicode, but on our Windows XP and Windows NT test
platforms the overflow string was ASCII.
The overflow can also be used to "poison" a machine such that the
next time a dial-up connection is used, some exploit code is run.
Interestingly, it is possible to trigger the problem from most Windows
applications, via the "Internet Options" menu item accessible through the
help menu. For example, to cause the overrun to occur in Solitaire
(SOL.exe), open Solitaire, select Help, Contents, Options, Internet
Options and finally Connections.
SOLUTION
NGSSoftware alerted Microsoft to these problems in November 2001.
Microsoft's advisory on this issue can be found at
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
Microsoft's advisory contains patch download information, as well as a
discussion of the issue.