Dear lsth75@xxxxxxxxxxx, --Tuesday, June 14, 2005, 2:23:45 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx: lhc> Just found an implementation bug in MAST RunAsP.exe v3.5.1 and below, lhc> that allows local privilege escalation. lhc> It seems that the called exe is not CRC checked, lhc> so it's possible for example to rename cmd.exe to the name of lhc> the original exe, so when running lhc> the original script ("runasp test.rap" , you'll get a nice lhc> DOS box with administrator rights. You can also rename cmd.exe to RunAsP.exe to achieve same result. You should never run application from untrusted location. Inability to check file hash in this case is, may be, a leak of feature, not vulnerability. A vulnerability could be if user can change test.rap to execute cmd.exe with somebody's permissions. -- ~/ZARAZA http://www.security.nnov.ru/