Bugtraq mailing list archives

Re: Dr Solomon's - Possible Hole


From: Toralv.Dirro () DRSOLOMON COM (Toralv Dirro)
Date: Thu, 18 Jun 1998 16:42:49 GMT


       In reply, no, it would not be an easy task to add commands such
       as those described above!

       The installation scripts stored in the MEUPGRD share are only
       used if you are performing a Batch Installation.  The Push On
       and Pull Off installation methods do not use this approach.
       The installation scripts are interpreted by the Update Agent
       that runs on the client machine.  This does indeed run under
       the Local System account.

       However, the Update Agent processes this script by interpreting
       its contents.  Thus you can not simply add a command to run an
       executable program in the way that is described above.

       Secondly, to prevent unauthorised tampering with installation
       scripts, a checksum is created for each script that is
       generated by the Management Console.  The Update Agent
       validates this checksum before processing the script,
       regardless of the update method.  If the contents of the script
       have been altered, the generated and validated checksums will
       not match and the Update Agent will refuse to process the
       script's contents.

       A tampered script may be identified by the administrator
       running the Management Console, as the machine destined to run
       the tampered script will have a red cross next to it (install
       failed), and viewing the Installation Log will show the error
       message "Integrity Failure".  The Update Agent also displays a
       dialog box on the target machine indicating the integrity
       failure before terminating.


       regards,
       Toralv Dirro
       Dr Solomon's Software Deutschland GmbH

       On behalf of Graham Clarke, Dr Solomon's Software Ltd,




       From:    Aleph One <aleph1 () DFW NET> AT mailgate on 16.06.98 23:15 GDT

       To:      BUGTRAQ () NETSPACE ORG AT mailgate@CCMAIL
       Cc:      (Bcc: Toralv Dirro/TS/DE/DRS)
       Subject: Dr Solomon's - Possible Hole


       ---------- Forwarded message ----------
       Date: Mon, 15 Jun 1998 22:37:25 +0100
       From: Nemo <mnemonix () GLOBALNET CO UK>
       To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
       Subject: Dr Solomon's - Possible Hole

       Dear All,
       I was looking at Dr Solomon's Management Edition Anti-virus for
       NT and believe some of the advice they give could leave a huge
       hole in the security of your network.

       Below is a cutting from their technical notes web page:
       http://www.drsolomon.com/products/avtknt/tnotes/Null.html

       ###############################################################

       Null Session Shares


       As part of the initial installation of Management Edition the
       repository is created and the following two shares are
       associated with it :

       Share Name   Default Location           Purpose
       REPO         C:\NTTKME\DISKS            Contains all Management Edition and
                                               Anti-Virus Toolkit components.
       MEUPGRD      C:\NTTKME\DISKS\UPGRADES   Holds installation scripts for machines
                                               being updated via Batch Installation.

       Batch Installations work via the Update Manager service running
       on the Management Server. It sends out a data packet across the
       network to the Management Agent running on the target
       machine(s). This packet indicates the name and location of the
       install script that the Management Agent should run to perform
       an update.

       The Management Agent performs the update by running the Update
       Agent. As this is being launched by an NT service, it runs
       under the Local System account, not the currently logged in
       user (if there is one).

       The Local System account does not normally have access to
       information across the network via a share. This would normally
       mean that it is unable to access the install scripts in the
       MEUPGRD share.

       The solution is to create what is termed a "Null Session
       Share". This is done automatically when Management Edition
       creates the repository. If the user inadvertently deletes and
       re-creates the share they must check that the null session
       share is still active. This is done via REGEDT32.EXE. Check for
       the following key:


       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares


       One of the values it should contain is MEUPGRD. The share
       itself should also be set to Full Control for Everyone.

       ########################################################################

       The last sentence is the crux of the issue here.
       This null session share is on the server and the "everyone"
       group has full control. This means that anyone can edit the
       files in this share.

       Wouldn't it be an easy task to add the following commands :

       net user password jsmith /add
       net localgroup administrators jsmith /add

       (or equiv)

       Because the clients are running the scripts in the MEUPGRD with
       system privs, the jsmith account will be created and added to the
       local admins group......then the attacker has every single NT
       client on your LAN to play with.

       Thoughts? Comments?
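The null session share configuration quoted from the technical note above, audited from the server side: the script reads the NullSessionShares value the note refers to and reports the share-level ACL of every share listed there, flagging any that grant Everyone Full Control. This is an added example, not code from the thread or from Dr Solomon's; it assumes a current Windows host with the SmbShare PowerShell module (Get-SmbShare, Get-SmbShareAccess), which the NT 4 era product described here did not have.

```powershell
# Added audit example (not from the thread or the product): list the shares that
# are reachable over a null session and show who can do what on each of them.
# Assumes a modern Windows host with the SmbShare module; run as an administrator.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullShares = (Get-ItemProperty -Path $paramKey -Name NullSessionShares `
    -ErrorAction SilentlyContinue).NullSessionShares   # REG_MULTI_SZ -> string[]

if (-not $nullShares) {
    Write-Output 'No NullSessionShares value set: no share is reachable over a null session.'
    return
}

foreach ($name in $nullShares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Output "$name is listed in NullSessionShares but no such share exists."
        continue
    }
    # One entry per ACE on the share-level ACL (AccessRight is Full, Change or Read).
    $acl = Get-SmbShareAccess -Name $name
    $everyoneFull = $acl | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }
    Write-Output ("{0} -> {1}" -f $name, $share.Path)
    foreach ($ace in $acl) {
        Write-Output ("    {0,-6} {1,-6} {2}" -f $ace.AccessControlType, $ace.AccessRight, $ace.AccountName)
    }
    if ($everyoneFull) {
        # This is exactly the MEUPGRD setting the technical note recommends:
        # anonymous (null session) callers can modify anything in the share.
        Write-Output "    WARNING: $name is a null-session share with Everyone: Full Control (anonymous write)."
    }
}
```

Any share reported with the warning should have its ACL reduced to the minimum the consumer needs (read for the agent, write only for the Management Console's account), and the NullSessionShares entry should be removed when no service actually requires anonymous access to it.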


