Bugtraq mailing list archives
Re: Update to ODBC/RDS vulnerabilities
From: dleblanc () MICROSOFT COM (David LeBlanc)
Date: Wed, 22 Sep 1999 13:38:17 -0700
-----Original Message----- From: rfp () WIRETRIP NET [mailto:rfp () WIRETRIP NET]
the permissions on these registry keys are Everyone -> Special Access, which includes Set Value. This basically means domain users can remotely disable handler and sandbox restrictions by changing the values of these keys. Hmmm. I've tested this, and it worked as expected.
You did your testing as an administrator on the machine. Network permissions for the registry are governed by the permissions on HKLM\System\CCS\Control\ SecurePipeServers\winreg, and by the 'Machine' value in the AllowedPaths key below it. Default permissions for winreg key allow only admins to access the registry remotely. Exceptions to this are the AllowedPaths, which are governed by the permissions on the keys themselves. HKLM\Software is not on the allowed paths for either the workstation or the server, so this portion of what you describe will not work remotely against a default install of Windows NT unless administrator access has already been obtained. It is also generally a good practice to place router filters in front of your internet-exposed web servers such that they cannot make outbound connections to places where they shouldn't. People who took such precautions found that things such as the .htr overflow didn't work, and would prevent your UNC path variant from working. Turning off the Server and Workstation services, as well as unbinding NetBIOS from the external interface would also prevent an attack involving an external UNC path from working.
Current thread:
- Re: Update to ODBC/RDS vulnerabilities David LeBlanc (Sep 22)
- <Possible follow-ups>
- Re: Update to ODBC/RDS vulnerabilities rfp () WIRETRIP NET (Sep 22)