Bugtraq mailing list archives
Re: RFP9903: AeDebug vulnerability
From: tsabin () BOS BINDVIEW COM (Todd Sabin)
Date: Tue, 5 Oct 1999 13:38:46 -0400
David LeBlanc <dleblanc () MINDSPRING COM> writes:
> At 12:25 AM 10/2/99 -0500, .rain.forest.puppy. wrote:
>> the following registry key holds the program to execute as a debugger:
>> \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
>> [...]
>> This means any keys under it, including AeDebug, are accessible remotely, providing the right ACLs on the keys allow so. Well, just so happens that Everyone has Special Access to Debugger and Auto under AeDebug. Included in this Special Access is the permission to Set Value.
>
> Nope. This is NOT default. There is some strange condition involving upgrades from specific versions of NT. My own workstation had allowed users to write to this key, and it freaked me out and I thought it was a big problem. Several other people checked their machines and found that it wasn't, including some clean installs. I don't know exactly what the ins and outs are in terms of what machines will show up with this, and which ones won't, but you won't find it on all of them.
I'm pretty sure r.f.p. is correct about the default. It does allow Everyone to set values. I think I remember the thread you're talking about, and the key which you weren't sure about was ...\CurrentVersion\Image File Execution Options. The betas of NT4 had more permissive ACLs on that key than the official release. AeDebug, OTOH, does by default give Everyone the SpecialAccess r.f.p. mentioned, on all versions, although I think it's fixed in the NT5 betas.

Todd
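One way to settle the ACL question on a given machine, as an added example that is not part of the original post or thread: a PowerShell audit that lists Allow ACEs granting broad groups Set Value on AeDebug. The SIDs other than Everyone, the WOW6432Node path and the function name are assumptions added here.

```powershell
# Added example: list Allow ACEs that let broad groups change values under AeDebug.
# Deny ACEs and nested group membership are not evaluated; this is a first-pass check.
$keyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'  # 32-bit view (assumption)
)

# Everyone is the principal named in the thread; the other SIDs are assumptions.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Set Value, plus the generic write/all bits that Get-Acl can report unmapped.
$writeMask   = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
               0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Get-AeDebugWritableAce {
    param([string[]]$Path = $keyPaths)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow')                { continue }
            if (-not $broadSids.ContainsKey($sid))                 { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            # Inherit-only ACEs apply to subkeys, not to the values on this key.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            [pscustomobject]@{
                Key       = $p
                Principal = $broadSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-AeDebugWritableAce)
if ($findings.Count -eq 0) { 'No broad write access to AeDebug found.' }
else { $findings | Format-Table -AutoSize }
```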