Bugtraq mailing list archives

Dr Solomon's - Possible Hole


From: aleph1 () DFW NET (Aleph One)
Date: Tue, 16 Jun 1998 10:44:46 -0500


---------- Forwarded message ----------
Date: Mon, 15 Jun 1998 22:37:25 +0100
From: Nemo <mnemonix () GLOBALNET CO UK>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Dr Solomon's - Possible Hole

Dear All,
I was looking at Dr Solomon's Management Edition Anti-virus for NT and
believe some of the advice they give could leave a huge hole in the
security of your network.

Below is a cutting from their technical notes web page:
http://www.drsolomon.com/products/avtknt/tnotes/Null.html

###############################################################

Null Session Shares


As part of the initial installation of Management Edition the repository is
created and the following two shares are associated with it :

Share Name   Default Location            Purpose
REPO         C:\NTTKME\DISKS             Contains all Management Edition and Anti-Virus
                                         Toolkit components.
MEUPGRD      C:\NTTKME\DISKS\UPGRADES    Holds installation scripts for machines being
                                         updated via Batch Installation.

Batch Installations work via the Update Manager service running on the
Management Server. It sends out a data packet across the network to the
Management Agent running on the target machine(s). This packet indicates
the name and location of the install script that the Management Agent
should run to perform an update.

The Management Agent performs the update by running the Update Agent. As
this is being launched by an NT service, it runs under the Local System
account, not the currently logged in user (if there is one).

The Local System account does not normally have access to information
across the network via a share. This would normally mean that it is unable
to access the install scripts in the MEUPGRD share.

The solution is to create what is termed a "Null Session Share". This is
done automatically when Management Edition creates the repository. If the
user inadvertently deletes and re-creates the share they must check that
the null session share is still active. This is done via REGEDT32.EXE.
Check for the following key:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares


One of the values it should contain is MEUPGRD. The share itself should
also be set to Full Control for Everyone.

########################################################################

The last sentence is the crux of the issue here.
This null session share is on the server and the "everyone" group has full
control. This means that anyone can edit the files in this share.

Wouldn't it be an easy task to add the following commands :

net user password jsmith /add
net localgroup administrators jsmith /add

(or equiv)

Because the clients are running the scripts in the MEUPGRD with system
privs the jsmith account will be created and added to the local admins
group... then the attacker has every single NT client on your LAN to play
with.

Thoughts? Comments?

Mnemonix
http://www.users.globalnet.co.uk/~mnemonix
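An audit check for the condition the post describes (a share listed in NullSessionShares that Everyone, or another broad group, can write to), written as an added PowerShell example for current Windows; it is not code from the post or from Dr Solomon's, and assumes the Get-SmbShare / Get-SmbShareAccess cmdlets are available on the server being checked.

```powershell
# Added audit example (not from the original post or the vendor):
# flag shares that are both reachable over a null session and writable by
# broad principals, the combination described above for MEUPGRD.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lanman = Get-ItemProperty -Path $params

# NullSessionShares is REG_MULTI_SZ and may be absent entirely.
$nullShares = @($lanman.NullSessionShares | Where-Object { $_ })
Write-Host "RestrictNullSessAccess = $($lanman.RestrictNullSessAccess)"
Write-Host "NullSessionShares      = $($nullShares -join ', ')"

# Principals that amount to "anyone on the network" at share level.
$broadPattern = '(^|\\)(Everyone|ANONYMOUS LOGON|Authenticated Users|Users)$'

foreach ($name in $nullShares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Host "[info] $name is listed in NullSessionShares but no such share exists"
        continue
    }
    # Share-level ACL: Full or Change for a broad principal means the
    # install scripts served from this share can be modified by anyone.
    $writable = Get-SmbShareAccess -Name $name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -match $broadPattern -and
        $_.AccessRight -in 'Full', 'Change'
    }
    if ($writable) {
        Write-Host "[HIGH] $name ($($share.Path)) is a null-session share writable by:"
        $writable | ForEach-Object {
            Write-Host "       $($_.AccountName): $($_.AccessRight)"
        }
        Write-Host "       Scripts here run as Local System on every client; restrict"
        Write-Host "       write access to administrators and keep clients read-only."
    } else {
        Write-Host "[ok]   $name ($($share.Path)): no broad write access at share level"
    }
}
```

The NTFS ACL on the share path should be reviewed with Get-Acl as well, since a share-level restriction does nothing if the underlying directory grants Everyone write access.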


