Bugtraq mailing list archives
Re: Microsoft Security Bulletin (MS99-051) (fwd)
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 30 Nov 1999 09:55:14 -0800
At 10:09 PM 11/29/99 -0500, Jim Knoble wrote:
: This vulnerability would primarily affect machines that allow normal users
: to interactively log onto them. The patch eliminates this vulnerability by
: digitally signing all AT jobs at creation time, and verifying the signature
: at execution time.
Is this really a solution to the problem? It seems to me that the actual problem is this part
if a malicious user had change access to an existing file owned by an administrator (it would not need to be an AT job), he or she could modify it to be a valid AT job and place in the appropriate folder for execution[....]
This could happen a lot of different ways. An admin could have created a file in the temp directory, and it got left somehow. Although this situation isn't ideal, there are lots of scenarios where there will exist some junk file that isn't being used which admins own, and everyone can change. You'll have to do some hunting to find one, as the more important files won't have change control granted to ordinary users.
Isn't that true for most files to which a malicious user has `change' access?
Shouldn't be the case very often.
Regardless of that, how does the patch stop malicious users from producing AT jobs that have valid signatures and putting them in place?
The signature is based on a unique certificate that is stored in the private data, and only admins can access the certificate. So your requirement to use this method (post-fix) to become admin is to be admin.

[snip problems with getting to FAQ, etc. - I don't know why it isn't working right]

Hope this answers at least some of your questions.

David LeBlanc
dleblanc () mindspring com
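
A sketch of the sign-at-creation, verify-at-execution check discussed in this message, added here as an illustration and not Microsoft's code or the actual patch. Assumptions: an HMAC under a key held only by administrators stands in for the certificate-based signature, and the job format, job names and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: stands in for the certificate kept in admin-only private data.
ADMIN_ONLY_KEY = secrets.token_bytes(32)


def sign_job(job_bytes: bytes, key: bytes) -> bytes:
    """Creation time: the scheduler tags the job with a MAC over its content."""
    return hmac.new(key, job_bytes, hashlib.sha256).digest()


def verify_job(job_bytes: bytes, tag: bytes, key: bytes) -> bool:
    """Execution time: recompute the tag and compare in constant time."""
    expected = hmac.new(key, job_bytes, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_queue(queue, key):
    """Return (executed, rejected) job names; only verified jobs would run."""
    executed, rejected = [], []
    for name, body, tag in queue:
        ok = tag is not None and verify_job(body, tag, key)
        (executed if ok else rejected).append(name)
    return executed, rejected


def demo():
    # Constructed sample jobs (hypothetical format, not the real AT job layout).
    legit = b"cmd=backup.cmd;time=02:00"
    legit_tag = sign_job(legit, ADMIN_ONLY_KEY)
    # A file rewritten into job form by a user who cannot read the key.
    planted = b"cmd=other.cmd;time=02:05"
    queue = [
        ("nightly-backup", legit, legit_tag),
        ("unsigned", planted, None),                      # no tag at all
        ("copied-tag", planted, legit_tag),               # tag lifted from a real job
        ("wrong-key", planted, sign_job(planted, b"guess")),  # signed without the key
        ("tampered", legit + b";extra=1", legit_tag),     # signed job edited afterwards
    ]
    return run_queue(queue, ADMIN_ONLY_KEY)


if __name__ == "__main__":
    print(demo())
```

The tag binds the job's content, so a byte-for-byte copy of a validly signed job still verifies; what the check removes is the ability to turn an arbitrary writable, admin-owned file into a job that runs.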