
SANS ISC: MS06-025: RRAS arbitrary code execution SANS ISC InfoSec Forums

MS06-025: RRAS arbitrary code execution
MS06-025 - KB 911280

This is a CRITICAL vulnerability in Microsoft's Routing and Remote Access Services (RRAS). A successful exploit could allow an attacker to execute arbitrary code. In order to exploit the vulnerability remotely, an attacker has to be able to log in to a system first.
RRAS is used to connect to Microsoft networks remotely via dial-up modems. With RRAS, a user can dial up to a remote network (e.g. a corporate network) and access all services on the remote network as if connected locally. In addition, RRAS is used for various multi-protocol LAN/WAN connections via VPNs.
It is not clear how exactly the exploit would occur over a network, or what the traffic will look like. We will update this diary later once we have figured it out. According to this list, RRAS uses ports 1701/UDP (L2TP) and 1723/TCP (PPTP), as well as protocols 47 (GRE), 51 (AH) and 50 (ESP). In particular, the protocols other than TCP/UDP may not be blocked by all firewalls.
For most users, the best option is to disable the service. See the bulletin on how to do this. Double-check that you have disabled all guest accounts or other accounts that allow connections with no or weak passwords.

Johannes Ullrich


Jun 13th 2006
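
The diary's remark that protocols other than TCP/UDP may not be blocked by all firewalls can be checked mechanically. The following is an added example, not part of the original diary: it audits an INPUT-chain excerpt in iptables-save syntax (an assumed Linux firewall; both rulesets are constructed samples and all function names are illustrative) against the five kinds of RRAS traffic listed above.

```python
# Traffic the diary lists for RRAS: (label, IP protocol, destination port).
RRAS_TRAFFIC = [("L2TP 1701/UDP", "udp", 1701), ("PPTP 1723/TCP", "tcp", 1723),
                ("GRE (protocol 47)", "gre", None), ("ESP (protocol 50)", "esp", None),
                ("AH (protocol 51)", "ah", None)]
PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre", "50": "esp", "51": "ah"}

def parse_input_chain(ruleset):
    """Return (default policy, rules) for the INPUT chain of iptables-save text."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = line.split()
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rule = {"proto": None, "dport": None, "target": None}
            args = iter(tok[2:])
            for opt in args:
                val = next(args)
                if opt == "-p":
                    rule["proto"] = PROTO_NAMES.get(val, val.lower())
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt == "-j":
                    rule["target"] = val
                elif opt != "-m":  # refuse to guess about matches not modelled here
                    raise ValueError(f"unsupported option: {opt}")
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, proto, dport):
    """The first terminating rule that matches wins; otherwise the chain policy."""
    for r in rules:
        if (r["proto"] in (None, proto) and r["dport"] in (None, dport)
                and r["target"] in ("ACCEPT", "DROP", "REJECT")):
            return r["target"]
    return policy

def exposed_rras_traffic(ruleset):
    """Labels of RRAS-related traffic that the INPUT chain still accepts."""
    policy, rules = parse_input_chain(ruleset)
    return [label for label, proto, dport in RRAS_TRAFFIC
            if verdict(policy, rules, proto, dport) == "ACCEPT"]

# Constructed samples: port-only filtering, then the same rules plus GRE/ESP/AH.
PORTS_ONLY = """:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1701 -j DROP
-A INPUT -p tcp -m tcp --dport 1723 -j DROP"""
ALL_PROTOCOLS = PORTS_ONLY + "".join(
    f"\n-A INPUT -p {p} -j DROP" for p in ("gre", "esp", "ah"))
```

For `PORTS_ONLY`, `exposed_rras_traffic` reports GRE, ESP and AH as still accepted; for `ALL_PROTOCOLS` it returns an empty list.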
