CVE-1999-0886

Vulnerability

The security descriptor (DACL) of the Remote Access Connection Manager service (RASMAN.EXE) in Windows NT 4.0 (Workstation, Server, Enterprise Edition, and Terminal Server Edition) contains an inappropriate Access Control Entry, allowing any unprivileged user with a valid logon to levy requests on the service via the Service Control Manager (SCM). Affected versions include all Windows NT 4.0 variants [1].

Exploitation

An attacker must have a valid user ID and password on the target system. If the machine allows network logon, the vulnerability can be exploited remotely. The attacker uses the SCM to change the executable path of the RASMAN service to point to arbitrary code (which may reside on a remote share). Restarting the service executes the attacker's code in a System context [1].

Impact

Successful exploitation results in arbitrary code execution in the security context of the SYSTEM account, granting the attacker complete control over the affected system. This includes the ability to install programs, view/change/delete data, or create new accounts with full user rights [1].

Mitigation

Microsoft released a tool (not a full patch) that resets the permissions to the appropriate value; it is available from the referenced security bulletin page. The tool should be run against any machine allowing unprivileged interactive or network logons. No Service Pack was available at the time of disclosure, but the tool was placed in the "Hotfixes-PostSP6" folder [1].