Published: 2001-12-31 00:00:00
Revised: 2008-09-05 16:26:45

[Original] ** DISPUTED ** RunAs (runas.exe) in Windows 2000 stores cleartext authentication information in memory, which could allow attackers to obtain usernames and passwords by executing a process that is allocated the same memory page after termination of a RunAs command. NOTE: the vendor disputes this issue, saying that administrative privileges are already required to exploit it, and the original researcher did not respond to requests for additional information.

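[CNNVD] Microsoft Windows 2000 RunAs User Credential Exposure Vulnerability (CNNVD-200112-227)

        ** DISPUTED ** RunAs (runas.exe) in Windows 2000 stores cleartext authentication information in memory. An attacker can obtain usernames and passwords by executing a process that is allocated the same memory page after a RunAs command terminates.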

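- CVSS (Base Score)

CVSS score: 2.1 [Minor (LOW)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]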

- CPE (Affected Platforms and Products)

cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2

- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(PATCH)  XF  win2k-runas-reveal-information(7531)
(UNKNOWN)  BID  3184
(UNKNOWN)  BUGTRAQ  20011114 RE:Radix Research Reports RADIX1112200101, RADIX1112200102, and RADIX1112200103

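- Vulnerability Information

Microsoft Windows 2000 RunAs User Credential Exposure Vulnerability
Low severity  Design error
2001-12-31 00:00:00 2005-10-20 00:00:00
        ** DISPUTED ** RunAs (runas.exe) in Windows 2000 stores cleartext authentication information in memory. An attacker can obtain usernames and passwords by executing a process that is allocated the same memory page after a RunAs command terminates.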

- Advisories and Patches

        The fix for this vulnerability will reportedly be included in Service Pack 3.
        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: .

- Vulnerability Information

Microsoft Windows 2000 runas.exe Cleartext Authentication Information Disclosure
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Unknown

- Vulnerability Description

Microsoft Windows 2000 has been reported to contain a flaw that may lead to information disclosure by using the RUN AS service. Memory used by the runas.exe program is not cleared after use, and might be assigned to another program. An attacker with local privileges can reportedly gain access to this memory, potentially gaining sensitive information. However, the vendor notes that to gain access to this program and memory, one would need administrator privileges, making this a non-issue.

- Timeline

2001-11-12 Unknown
Unknown Unknown

- Solution

The vulnerability reported is incorrect. No solution required.

- Related References

- Vulnerability Author