Bugtraq mailing list archives

Re: RFP9903: AeDebug vulnerability


From: matt () USE NET (Matt)
Date: Mon, 4 Oct 1999 12:46:48 -0700


On Sat, 2 Oct 1999, .rain.forest.puppy. wrote:

----[ 1. Scope of problem

      Let me start off by saying the mechanism has been discussed before.  In
light of the recent RASMAN remote registry fiasco, I took a quick check
and found another similar issue.  In all my NT SP5 installs, plus various
other occasions (installation of Visual Studio 5 or 6, etc), the following
registry key holds the program to execute as a debugger:

\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
      \AeDebug\Debugger

...as well as a key that indicates whether or not to prompt the user to run
the debugger on system crash:

\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\auto

Some additional information:
The Security Configuration Manager (SCM) that comes with NT 4.0 SP4 has
the aforementioned insecure permissions in the basicdc4, basicsv4, and
basicwk4 configuration profiles. The comp4dc profile also contains
insecure permissions for this key: the 'Authenticated Users' group has Set
Value permissions on this key (permissions for the 'Everyone' group have
been removed entirely). All other SCM profiles set semi-secure permissions
on this regkey. Why anyone would need Set Value permission on this key
other than Administrators is beyond me.

The recommended permissions would be that only the local Administrator
group has the Set Value ability.

This vulnerability affects NT 4.0 SP3-SP5, and Win2k RC1.


--
I WAS HALLUCINATING ELVIS
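
One way to audit the permission recommended above, as an added example that is not part of the original post or the advisory it quotes. It assumes a Windows host with PowerShell, and the function name and the decision to also allow LocalSystem are assumptions made here.

```powershell
# Added example: list ACEs that let anyone other than the allowed SIDs set values under AeDebug.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

# Allowed writers. S-1-5-32-544 = BUILTIN\Administrators (the post's recommendation);
# S-1-5-18 = LocalSystem is an assumption added here, remove it for a strict reading.
$AllowedSids = @('S-1-5-32-544', 'S-1-5-18')

# Access bits that permit writing a value: KEY_SET_VALUE plus the generic
# rights that map onto it (GENERIC_WRITE, GENERIC_ALL).
$WriteMask = 0x2 -bor 0x40000000 -bor 0x10000000

# Hypothetical helper name; returns one object per ACE that needs review.
function Get-AeDebugWriters {
    param([string]$Path = $KeyPath, [string[]]$Allowed = $AllowedSids)

    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.RegistryRights -band $WriteMask) -eq 0) { continue }

        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $rule.IdentityReference.Value   # unresolvable account, report as-is
        }
        if ($Allowed -contains $sid) { continue }

        [pscustomobject]@{
            Identity  = $rule.IdentityReference.Value
            Sid       = $sid
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = @(Get-AeDebugWriters)
if ($findings.Count -eq 0) {
    Write-Output "OK: only allowed SIDs can set values under $KeyPath"
} else {
    $findings | Format-Table -AutoSize
    # Also show what is currently configured, since that is what a writer could change.
    Get-ItemProperty -Path $KeyPath | Select-Object Debugger, Auto
}
```

Inherit-only entries are reported as well, so each finding should be checked against where the ACE actually applies before permissions are changed.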


