Bugtraq mailing list archives
RFP9903: AeDebug vulnerability
From: rfp () WIRETRIP NET (.rain.forest.puppy.)
Date: Sat, 2 Oct 1999 00:25:35 -0500
--- Advisory RFP9903 --------------------------------- rfp.labs ------------

Attacker can execute remote programs under debugger context
(AeDebug vulnerability)

----------------------------------- rain forest puppy / rfp () wiretrip net ---

Table of contents:
- 1. Scope of problem
- 2. Solution
- 3. Miscellaneous Updates

----------------------------------------------------------------------------
October is Octoberfest Advisory month: one rfp.labs release planned each
week for the whole month of October! (Now, let's see if I can pull it off....)
-----------------------------------------------------------------------------

----[ 1. Scope of problem

Let me start off by saying the mechanism has been discussed before. In light of the recent RASMAN remote registry fiasco, I took a quick check and found another similar issue.

In all my NT SP5 installs, plus various other occasions (installation of Visual Studio 5 or 6, etc), the following registry key holds the program to execute as a debugger:

    \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

...as well as a key that indicates whether or not to prompt the user to run the debugger on system crash:

    \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\auto

Now, the problem is very simple. First, also by default, the winreg AllowedPaths includes \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\. This means any keys under it, including AeDebug, are accessible remotely, providing the right ACLs on the keys allow so. Well, it just so happens that Everyone has Special Access to Debugger and Auto under AeDebug. Included in this Special Access is the permission to Set Value. This means these keys are remotely accessible and allow anyone to change their values.

By changing their values, an attacker can set a command (or string of shell-delimited commands) to execute upon an application crash/fault automatically.

Now, I have not confirmed this, so I will disclaim THIS IS JUST MY THEORY, but I would think the debugger would execute with a few more privileges than the normal user, so these commands may be run with elevated privileges. Of course, the actual attack wouldn't commence until an application crash occurred. If only we had a way to make something crash remotely..... >:)

----[ 2. Solution

There has been previous discussion on this type of vulnerability--all the way back to 1997 (found on NTBugtraq). The solution consists of two parts.

First, remove \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ from the winreg AllowedPaths key, found at:

    \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

This will prevent remote modification of these keys.

Next, remove the Set Value and Create Subkey permission from Everyone's Special Access. This will prevent local users from modifying the keys.

That's it. Very simple.

----[ 3. Miscellaneous Updates

- Like I mentioned before, October is Octoberfest Advisory month. I'm going to attempt to release something every week. Hopefully you'll find the stuff worthwhile...I think there's some planned goodies. A little NT, a little unix, a little web, all good. :)

- My website is nearing completion! Many people have been wondering if I have archives of my releases, programs, research, etc. The answer is 'yes', and soon it will be made public. More information on this in the next release (next week :)

- Many people have emailed me wondering about the release of version two of the RDS script. This is one of the planned releases. Gimme time to finish coding it.

- You may have noticed no humor, sarcasm, or snide remarks in this advisory. Yeah, so?

- Why the formal advisory numbering system and format? Well, it's really to better organize my own personal filing, really. And you'll see how it fits into my website design in a little bit. In case you're wondering, RFP9901 was the ODBC article posted May 25th, and RFP9902 was the RDS posted June 23rd? (or July 23rd).

- Phrack 55 is out--good stuff. www.phrack.com
  Packetstorm is back. packetstorm.securify.com.
  Technotronic still rules. www.technotronic.com.

- Practical application of one of the perl problems I talked about in Phrack 55 landed JFS $1,000 for hacking securelinux.hackpcweek.com. Congrats, JFS.

--- rain forest puppy / rfp () wiretrip net ---------------- ADM / wiretrip ---

Support your local security professional. Buy him/her sparcs and ciscos.

--- Advisory RFP9903 --------------------------------- rfp.labs ------------
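As an added, read-only audit that is not part of rfp's advisory, the following PowerShell checks a host for the two conditions the advisory combines: the CurrentVersion subtree being listed in winreg AllowedPaths (so AeDebug is reachable remotely) and Everyone holding Set Value or Create Subkey on the AeDebug key. It assumes the AllowedPaths list is the REG_MULTI_SZ value named `Machine` (the advisory names only the key) and matches Everyone by its well-known SID S-1-1-0 rather than by display name.

```powershell
# Added example, not from rfp's advisory: a read-only audit for the two
# conditions the advisory combines (AeDebug reachable through the winreg
# AllowedPaths list, and Everyone holding Set Value / Create Subkey on it).
# Assumptions: the AllowedPaths list is the REG_MULTI_SZ value named 'Machine'
# (the advisory names only the key), and Everyone is matched by its well-known
# SID S-1-1-0 so the check does not depend on the display locale.
function Test-AeDebugExposure {
    $aeDebugKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
    $allowedKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
    $exposedPrefix = 'Software\Microsoft\Windows NT\CurrentVersion'
    $everyoneSid   = 'S-1-1-0'
    $writeRights   = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                     [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $findings = [System.Collections.Generic.List[string]]::new()

    # Condition 1 (section 1 of the advisory): is the CurrentVersion subtree,
    # and therefore AeDebug beneath it, listed as reachable over remote registry?
    $machinePaths = (Get-ItemProperty -Path $allowedKey -Name 'Machine' -ErrorAction SilentlyContinue).Machine
    foreach ($p in @($machinePaths)) {
        if ($p -like "$exposedPrefix*") {
            $findings.Add("winreg AllowedPaths entry '$p' exposes AeDebug to remote registry access")
        }
    }

    # Condition 2: does an Allow ACE for Everyone carry Set Value or Create Subkey?
    # FullControl contains both bits, so the -band test catches it as well.
    $acl = Get-Acl -Path $aeDebugKey
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $everyoneSid) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) {
            $findings.Add("Everyone is allowed '$($ace.RegistryRights)' on AeDebug (write access to Debugger/Auto)")
        }
    }

    # Report the values an attacker would change alongside the findings, so the
    # reviewer sees both the exposure and what is currently configured.
    $cur = Get-ItemProperty -Path $aeDebugKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Debugger = $cur.Debugger
        Auto     = $cur.Auto
        Exposed  = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
    }
}

Test-AeDebugExposure | Format-List
```

An `Exposed` result of `True` with both findings present is the configuration the advisory describes; the fix remains the two steps in section 2 (trim AllowedPaths and remove Everyone's write rights), which this script only reports and does not apply.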