MS06-025: RRAS arbitrary code execution
MS06-025 - KB 911280
A CRITICAL vulnerability in Microsoft's Routing and Remote Access Services (RRAS). A successful exploit could allow an attacker to execute arbitrary code. In order to exploit the vulnerability remotely, an attacker has to be able to log in to a system first.
RRAS is used to connect to Microsoft networks remotely via dial-up modems. With RRAS, a user can dial up to a remote network (e.g. a corporate network) and access all services on the remote network as if connected locally. In addition, RRAS is used for various multi-protocol LAN/WAN connections via VPNs.
It is not clear how exactly the exploit would occur over a network, or what the traffic will look like. We will update this diary later once we have figured it out. According to this list, RRAS uses port 1701/UDP (L2TP) and 1723/TCP (PPTP), as well as IP protocols 47 (GRE), 51 (AH) and 50 (ESP). In particular, the protocols other than TCP/UDP may not be blocked by all firewalls.
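As an added example (not part of the original diary), the following script walks firewall log entries and flags the RRAS ports and IP protocols listed above, so you can check whether GRE, ESP or AH are actually reaching an RRAS host that a port-only ruleset was supposed to protect. The netfilter-style line format and the sample entries are constructed assumptions.

```python
import re

# Port/protocol table from the diary: RRAS services and the IP protocols
# they ride on. Protocols 47/50/51 are neither TCP nor UDP, so a ruleset
# that only filters TCP/UDP ports does not block them.
RRAS_IP_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH"}
RRAS_PORTS = {("UDP", 1701): "L2TP", ("TCP", 1723): "PPTP"}
# Names a logger may print instead of a number (constructed assumption).
PROTO_NAMES = {"GRE": 47, "ESP": 50, "AH": 51, "TCP": 6, "UDP": 17}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

def classify(line):
    """Return (service, reason) if the entry is RRAS traffic, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = m.group("proto").upper()
    num = int(proto) if proto.isdigit() else PROTO_NAMES.get(proto)
    if num in RRAS_IP_PROTOCOLS:
        return RRAS_IP_PROTOCOLS[num], f"IP protocol {num} (not TCP/UDP)"
    if m.group("dpt") is None:
        return None
    key = (proto, int(m.group("dpt")))
    if key in RRAS_PORTS:
        return RRAS_PORTS[key], f"{proto} port {key[1]}"
    return None

def scan(lines):
    """Return [(line, service, reason)] for every RRAS-related entry."""
    hits = []
    for line in lines:
        hit = classify(line)
        if hit:
            hits.append((line, *hit))
    return hits

# Constructed sample entries in a simplified netfilter-style format.
SAMPLE_LOG = [
    "IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=1723",
    "IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=47",
    "IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=1701 DPT=1701",
    "IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=ESP",
    "IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443",
]

if __name__ == "__main__":
    for line, service, reason in scan(SAMPLE_LOG):
        print(f"{service:5} {reason:30} {line}")
```

Entries that match on IP protocol alone (no SPT/DPT fields) are the ones a port-based firewall policy would have let through.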
For most users, the best option is to disable the service. See the bulletin on how to do this. Double check that you disabled all guest accounts or other accounts that allow connections with no or weak passwords.
--
Johannes Ullrich