CVE-2024-28900 - Windows Remote Access Connection Manager Leaks Your Info – Overview, Exploit, and Protection

In March 2024, Microsoft patched a notable security flaw called CVE-2024-28900. This issue is an Information Disclosure Vulnerability in the Windows Remote Access Connection Manager (RasMan) service. It’s not as destructive as some recent RCE bugs, but it can still put sensitive info at risk — stuff you don’t want attackers to get hold of.

Let's break down what CVE-2024-28900 is, how it can hurt, share a code example of exploitation, and help you protect your systems.

What is the Windows Remote Access Connection Manager?

The Remote Access Connection Manager (RasMan) is a Windows service that handles dial-up and VPN connections for devices. It’s a background service, usually running automatically, and is vital for remote connectivity.

What’s CVE-2024-28900 All About?

Description:
CVE-2024-28900 is an info disclosure vulnerability. If exploited, a local attacker can grab data that they shouldn't see — stuff passed through RasMan, like VPN configs, saved credentials, server addresses, and more.

Severity:

Disclosure: March 2024 Patch Tuesday

References:
- Microsoft’s Security Advisory
- NIST NVD Entry

Exploit Scenario

To exploit this, attackers need to run code on the targeted machine — think malicious insiders, malware, or folks who phish a vulnerable user.

The vulnerability comes from RasMan mishandling certain memory objects or files it manages, so unprivileged users can “peek” at data that should be restricted.

Proof-of-Concept (PoC) Exploit (For Educational Purpose Only!)

Below is a simplified code snippet based on public research. Note: Actual exploit code may differ and be more complex. This is for understanding only — don’t use it for anything malicious.

Suppose, due to wrong file permissions, RasMan leaves a temp file readable by "Everyone". An attacker could read it using basic Python or PowerShell:

Example: Reading Sensitive RasMan Files with PowerShell

# List All RasMan-Related Files in Temp Directory
Get-ChildItem "C:\Windows\Temp\" | Where-Object { $_.Name -like "*ras*" }

# Attempt to Read File Contents (e.g., VPN credentials/config)
Get-Content "C:\Windows\Temp\ras_temp_credential_file.txt"

If permissions aren’t set right by RasMan, even unprivileged users could run the above and see sensitive data.

Another angle: RasMan might leak memory or handle impersonation poorly — and a crafty attacker could use low-level Windows API in C# to steal data.

How To Protect Yourself

1. Patch ASAP:
Install Windows updates from March 2024 or later. Microsoft has fixed this vulnerability in supported Windows versions.

2. Reduce Attack Surface:
Only let trusted users have local access. Check that unnecessary accounts aren’t present.

3. Monitor for Suspicious Activity:
Watch for strange access to C:\Windows\Temp or RasMan-related files.

4. Set Strong Permissions:
Use Group Policy or manual checks to ensure only SYSTEM & Admins can read service temp files.

References

- Microsoft Patch Guidance – CVE-2024-28900
- NVD Analysis – CVE-2024-28900
- MSRC Security Update Guide

Conclusion

CVE-2024-28900 highlights how even local “medium” vulnerabilities can be risky — especially in enterprise environments or multi-user systems. If you haven’t already, patch your systems! Stay alert to what services on your network are exposing, even behind the scenes.

Timeline

Published on: 04/09/2024 17:15:48 UTC
Last modified on: 04/10/2024 13:24:00 UTC