Bugtraq mailing list archives
Re: :MSTASK Thread
From: "J. Nickson" <j () RONINSG COM>
Date: Sat, 16 Dec 2000 12:08:30 -0500
MSTASK.EXE is evident on Windows 98 SE Y2K. From looking at its internals I expect it also shipped on Windows 95 PLUS (the add-on package for Windows 95 that let it work, sort of). One might expect it on most Win systems. That MSTASK is a task scheduler can be verified by opening the C:\WINDOWS\HELP\MSTASK.CHD file, or looking at the ASCII inside C:\WINDOWS\SYSTEM\MSTASK.EXE or MSTASK.DLL. A task scheduler with a minimum time discrimination of one day is an awesome thing to consider. (Attempted sarcasm.)

In MSTASK.CHD there is a helpful note on how to view and alter scheduled tasks on (from) remote computers. This should be very helpful for administrators, worms and exploiters. This method relies on the PWL files for security.

Win 98 seems to work fine without MSTASK. Slightly less comatose boots, too. One can move the MSTASK files into a holding area, such as \WINDOWS\GARBAGE (then compress it, like ZIP, to remove obvious traces from hostile file searches). Better still, make a Zip drive of removed garbage, kept for when Windows crashes next.

That leaves the System Registry. Whenever I am working with the Windows Registry I feel as I imagine an FBI Special Agent might feel when they have to look through a dump for forensic evidence, something like "I went to law school to go through this garbage?" I have an advantage: the stink is only metaphorical.
One system had these elements in the Registry:

--------------------------------------------------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-101"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{255b3f60-829e-11cf-8d8b-00aa0060f5bf}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-102"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{255b3f60-829e-11cf-8d8b-00aa0060f5bf}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,0"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-100"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"
--------------------------------------------------------------

I expect the data like @="C:\\ND\\SYSTEM\\mstask.dll,-100" is a RUNDLL command. The MSTASK.DLL seems to be a default memory load. For *nix types, RUNDLL is an MS method of running a DLL (library) without a main program. How to use RUNDLL is web-documented, e.g.
support.microsoft.com/support/kb/articles/q164/7/87.asp

Seems like a great avenue for exploits, particularly if the DLL is memory resident and requires no file I/O. The number of DLLs that are memory resident is awesome, baroque, hairball.

If anyone wants to look in their own registry: REGEDIT and export to REGSAV.REG, then the QBASIC (faster than doing a C task and I don't have a PERL handy here) is:

    ' Scan a REGEDIT export for lines mentioning MSTASK and write each hit
    ' to regd.txt under the [key] header it belongs to.
    OPEN "regsav.reg" FOR INPUT AS #1: OPEN "regd.txt" FOR OUTPUT AS #2
    DO WHILE NOT EOF(1)
        LINE INPUT #1, a$: a$ = LCASE$(LTRIM$(a$))
        ' Remember the most recent [key] header seen
        IF LEFT$(a$, 1) = "[" THEN lhead$ = a$
        IF INSTR(a$, "mstask") THEN
            ' Blank line, then the header (unless this line is the header itself)
            PRINT #2, : IF a$ <> lhead$ THEN PRINT #2, lhead$
            PRINT #2, a$
        END IF
    LOOP: CLOSE : END

---

Yeah, well, with MSTASK removed from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices the system still seems to run fine. Comments from a more knowledgeable registry dumpster diver would be appreciated.

Summary: Apparently MSTASK may be removed. Doing so is recommended to decrease vulnerability on Windows systems. Apparently MSTASK is a key component for remote administration. Once an exploit(er) arrives at a user with admin. rights, the rest of the computers who allow that user remote admin. would seem to be wide open. Brute force attempts to an exposed workstation might bear fruit. There also would appear to be a non-trivial risk with MSTASK.DLL use by worms.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jay Nickson, Ronin Software Grp.
www.roninsg.com
West Chesterfield, New Hampshire
603-256-8055
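As an added example (not part of the post above and not Microsoft's code), here is a Python parser for the REGEDIT export the post greps with QBASIC. It goes a step further than the substring search: it separates the Run/RunServices autostart entries, which are what actually launch the program at boot (the entry the author removed), from COM CLSID registrations that only map a class to the DLL. The sample export inside is constructed from the entries quoted in the post.

```python
import re

# Constructed sample of a REGEDIT export, modelled on the entries quoted in the post
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-101"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Unrelated"="C:\\ND\\SYSTEM\\other.exe"
"""

# Key suffixes (lower-cased) whose values are launched at boot or logon
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\currentversion\\runservices", "\\currentversion\\runservicesonce")

def parse_reg(text):
    """Yield (key, name, value) for every string entry in a REGEDIT4-style export.
    Recognises [key] headers, "name"="value" entries and the @="value" default entry."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping (\\ -> \)
            yield key, name, value

def find_references(text, needle):
    """Split entries whose value mentions `needle` into autostart entries (these
    actually launch it) and other registrations such as COM CLSID mappings."""
    autostart, other = [], []
    for key, name, value in parse_reg(text):
        if needle.lower() in value.lower():
            bucket = autostart if key.lower().endswith(AUTOSTART_SUFFIXES) else other
            bucket.append((key, name, value))
    return autostart, other
```

Run it over a real export with `find_references(open("regsav.reg").read(), "mstask")`; the autostart list is the persistence to review, the other list is what a plain grep also reports.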