Bugtraq mailing list archives
Re: ISS Security Alert
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Thu, 23 Oct 1997 09:32:33 -0400
At 06:26 PM 10/22/97 -0500, Aleph One wrote:
> On Wed, 22 Oct 1997, X-Force wrote:
> > ISS Security Alert
> > October 21, 1997
> > Scheduler/Winlogin Keys have Incorrect Permissions
> > [ snip ]
> > References:
> > http://support.microsoft.com/support/kb/articles/q126/7/13.asp
> > http://www.infoworld.com/cgi-bin/displayStory.pl?971014.wntsecurity.htm
>
> You might want to check your references more carefully. The KB article (posted to this list 5 days ago) talks about the Run, RunOnce, and Uninstall registry keys and the Everyone group. Ditto for the InfoWorld article. At no point is there any mention of the Schedule or UserInit keys or the Server Operators group.
Yes, I know. The referenced articles refer to a much more severe permissions misconfiguration which could result in a local user becoming an administrator. The server operator permissions problem hasn't been publicly announced by MS, though they are aware of it. Although I didn't write the announcement, I think the references are because the two problems are very similar. Under most situations, this one isn't a huge problem, since there may not be any server operators - just users and admins. A server op is also normally a fairly trusted user as well.

The mechanism used to gain higher access is exactly the same, however - the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key contains a system value. If you append another .exe to the end of the value, the system will run that after it is done initializing. So the server op changes the value, reboots, and is now an admin (or whatever).

I found this one sitting on a plane reading about what all the values under winlogon do, and then got to thinking about who could _write_ to that key... You could use the UserInit key to insert a trojan on a given user, and so could nail the domain admin into running something for you.

Oddly enough, there is actually a setting which allows server ops to post at jobs, but from the permissions on the registry, they could have manually posted jobs (or redirected existing jobs) to begin with.

BTW, if you're looking at this from a NT workstation, server ops won't resolve, and will be shown as account unknown - if you look directly at the SID, look for a RID with a value of 0x225.

David LeBlanc                |Why would you want to have your desktop user,
dleblanc () mindspring com   |your mere mortals, messing around with a 32-bit
                             |minicomputer-class computing environment?
                             |Scott McNealy
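The defensive check implied by the message above, as an added example that is not part of David LeBlanc's post or the ISS alert: a PowerShell audit that lists which principals hold write-capable rights on the Winlogon key and flags BUILTIN\Server Operators by SID (S-1-5-32-549; RID 549 is the 0x225 the message mentions), so the check works even on a host where the group name shows as "account unknown". The key path is the one named in the message; the choice of rights treated as "write-capable" and the decision to print the Shell, Userinit and System values alongside the ACL are this example's own assumptions.

```powershell
# Added audit example; run in an elevated PowerShell on the host being checked.
$keyPath      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$serverOpsSid = 'S-1-5-32-549'   # BUILTIN\Server Operators (RID 549 = 0x225)

# Rights that let a principal change values under the key or its security
# descriptor. FullControl implies all of them; listed explicitly for clarity.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

$acl = Get-Acl -Path $keyPath

$findings = foreach ($rule in $acl.Access) {
    # Only Allow ACEs that grant at least one write-capable right matter here.
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (($rule.RegistryRights -band $writeRights) -eq 0) { continue }

    # Resolve the identity to a SID; if translation fails (unknown account),
    # fall back to whatever string the ACE carries.
    $sid = try {
        $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $rule.IdentityReference.Value
    }

    [pscustomobject]@{
        Identity        = $rule.IdentityReference.Value
        Sid             = $sid
        Rights          = $rule.RegistryRights
        Inherited       = $rule.IsInherited
        ServerOperators = ($sid -eq $serverOpsSid)
    }
}

Write-Host "Write-capable ACEs on $keyPath"
$findings | Format-Table -AutoSize

# Show the values the message says are abused by appending another .exe, so a
# reviewer can eyeball them in the same run. Missing values appear as blank.
Write-Host 'Current Winlogon startup values:'
Get-ItemProperty -Path $keyPath | Select-Object Shell, Userinit, System | Format-List

if ($findings | Where-Object ServerOperators) {
    Write-Warning "Server Operators hold write rights on $keyPath; restrict to Administrators/SYSTEM."
} else {
    Write-Host 'Server Operators have no write rights on the Winlogon key.'
}
```

Running this on a domain controller is where it matters most, since Server Operators is a built-in group there; on a workstation the SID comparison still works even though the name does not resolve, which is exactly the situation the message describes.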