Published: 1999-09-17 00:00:00
Revised: 2008-09-09 00:00:00

[Original] The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager.

[CNNVD] NT RASMAN Privilege Escalation Vulnerability (CNNVD-199909-036)

        The security descriptor on the RASMAN service's registry key is too permissive. An ordinary user can change the service's executable path, and the Windows NT Service Control Manager then starts whatever binary that path now points to, with SYSTEM privileges.

- CVSS (base score)

CVSS score: 9 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [system can be rendered completely unavailable]
Access complexity: LOW [no special access conditions required]
Access vector: [--]

- CWE (weakness category)

CWE-16 [Configuration]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0        Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_nt:4.0:sp1    Microsoft Windows NT 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp2    Microsoft Windows NT 4.0 SP2
cpe:/o:microsoft:windows_nt:4.0:sp3    Microsoft Windows NT 4.0 SP3
cpe:/o:microsoft:windows_nt:4.0:sp4    Microsoft Windows NT 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0:sp5    Microsoft Windows NT 4.0 SP5

- OVAL (technical details for detection)


- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(UNKNOWN)  MS    MS99-041 (Microsoft Security Bulletin)
(UNKNOWN)  MSKB  Q242294

- Vulnerability information

High severity    Design error
1999-09-17 00:00:00 2006-04-19 00:00:00
        The security descriptor on the RASMAN service's registry key is too permissive. An ordinary user can change the service's executable path, and the Windows NT Service Control Manager then starts whatever binary that path now points to, with SYSTEM privileges.

- Advisory and patch

        Microsoft has released a tool that sets proper permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan key.
        The Post SP6 Rasman-fix tool can be downloaded from
        This tool may be run against any NT host regardless of its current Service Pack level. It may be run against a remote machine with the syntax: "fixrasi \\machinename" (without the quotes).

- Vulnerability information (19502)

Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5 RASMAN Privilege Escalation Vulnerability (EDBID:19502)
Platform: windows    Type: local
Date: 1999-09-17    Verified
Port: 0    Author: Alberto Rodríguez Aragonés

Any authenticated NT user (i.e. any domain user) can modify the pathname of the RASMAN service binary in the Registry. The next time the RAS service is started, the (trojan) service referenced by the RASMAN pathname is executed with SYSTEM privileges. That trojan service can let the user execute commands on the target server as an administrator, including elevating their own account to Administrator. The modified pathname may also be a UNC path pointing to an executable on another host on the network.

19502-1.exe <binary pathname> rewrites the RasMan\ImagePath value in the Registry with the service executable to be run in its place. 19502-2.exe (author supplied) is a sample trojan service that can be run; it launches a netcat listener on TCP port 123 (nc -d -L -p 123 -e cmd.exe). (This service may or may not run with errors.)
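The two conditions the exploit above depends on, a service key that low-privileged principals can write and an ImagePath redirected to a foreign or UNC binary, are the same two things the fixrasi tool's ACL reset and this entry's advice address. The following PowerShell audit is an added example, not code from the advisory, from MS99-041 or from Microsoft's tool, and it targets current Windows hosts (NT 4.0 has no PowerShell), where the same class of service-key misconfiguration still leads to SYSTEM. The list of "low-privileged" principals, the rule that a service binary must live under %SystemRoot%, and the function names are this example's assumptions; run it elevated.

```powershell
# Added example: audit a service registry key for the RASMAN-style weakness.
# Not from the advisory or from Microsoft's fixrasi tool. Run elevated.
# Assumptions (this example's policy, not the page's): the principal list
# below is "low-privileged", and a service binary should resolve under
# %SystemRoot%. Third-party services in Program Files will trip the second
# rule by design; adjust it for a fleet-wide sweep.
using namespace System.Security.AccessControl

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# SetValue is enough to rewrite ImagePath; the other rights let the caller
# grant SetValue to themselves, so they count as write access too.
$WriteRights = [RegistryRights]::SetValue -bor
               [RegistryRights]::CreateSubKey -bor
               [RegistryRights]::Delete -bor
               [RegistryRights]::ChangePermissions -bor
               [RegistryRights]::TakeOwnership

function Test-ServiceKeyAcl {
    # Report every Allow ACE that gives a low-privileged principal write rights on the key.
    param([Parameter(Mandatory)][string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $KeyPath
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Finding   = 'Low-privileged principal can rewrite this service key'
        }
    }
}

function Test-ServiceImagePath {
    # Resolve ImagePath to an executable and flag UNC, out-of-tree or missing binaries.
    param([Parameter(Mandatory)][string]$KeyPath)
    $props = Get-ItemProperty -Path $KeyPath -Name ImagePath -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $raw = [string]$props.ImagePath
    # Executable token: a quoted path, else everything up to the first ".exe", else the first word.
    if ($raw -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($raw -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    else                                  { $exe = ($raw -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Driver-style paths are relative to the Windows directory; normalise them.
    if ($exe -match '^\\SystemRoot\\')             { $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($exe -notmatch '^([A-Za-z]:|\\\\)')    { $exe = Join-Path $env:SystemRoot $exe }

    $finding = $null
    if ($exe -match '^\\\\') {
        $finding = 'ImagePath resolves to a UNC path (remote binary, as in the RASMAN exploit)'
    } elseif (-not $exe.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
        $finding = "ImagePath resolves outside $env:SystemRoot"
    } elseif (-not (Test-Path -LiteralPath $exe)) {
        $finding = 'ImagePath binary does not exist on disk'
    }
    if ($finding) {
        [pscustomobject]@{ Key = $KeyPath; ImagePath = $raw; Resolved = $exe; Finding = $finding }
    }
}

function Invoke-ServiceKeyAudit {
    # Default target is the key MS99-041 fixed; pass -KeyPath to audit other services.
    param([string[]]$KeyPath = @('HKLM:\SYSTEM\CurrentControlSet\Services\RasMan'))
    foreach ($k in $KeyPath) {
        if (-not (Test-Path -Path $k)) { Write-Warning "$k not present"; continue }
        Test-ServiceKeyAcl       -KeyPath $k
        Test-ServiceImagePath    -KeyPath $k
    }
}

$findings = @(Invoke-ServiceKeyAudit)
if ($findings.Count -eq 0) { 'No findings for RasMan.' } else { $findings | Format-List }
```

To sweep every service instead of RasMan alone, pass the key list in: `Invoke-ServiceKeyAudit -KeyPath (Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services).PSPath`. The ACL check reports inherited ACEs as well, because on the original NT 4.0 hosts the offending permission came from the key's own descriptor, but on a hardened system a weak entry is more likely to arrive by inheritance from the parent Services key; remediation, as with fixrasi, is to tighten the ACL so that only Administrators and SYSTEM hold write rights.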

- Vulnerability information

Microsoft Windows NT RASMAN Path Subversion Privilege Escalation
Location: Context Dependent    Attack type: Input Manipulation
Impact: Loss of Integrity    Solution: Patch / RCS
Exploit: Public    Disclosure: Vendor Verified

- Vulnerability description

- Timeline

Disclosure date: 1999-09-17    Other dates: Unknown

- Solution

No workaround or upgrade other than the vendor fix is known. Microsoft's fix for this issue (MS99-041 / Q242294) resets the permissions on the RasMan service registry key so that ordinary users can no longer rewrite the service's executable path.

- Related references

- Vulnerability author

Unknown or Incomplete