TUCoPS :: Windows :: ciack029.htm

TUCoPS :: Windows :: ciack029.htm
Microsoft "Registry Permissions" Vulnerability

Microsoft "Registry Permissions" Vulnerability Privacy and Legal Notice CIAC INFORMATION BULLETIN K-029: Microsoft "Registry Permissions" Vulnerability March 29, 2000 17:00 GMT

PROBLEM: Vulnerabilities exist in the registry of Windows NT 4.0 platforms. These vulnerabilities involve three sets of registry keys whose default permissions are too permissive. These three key sets are not related to each other except by the fact that their permissions should be tightened. PLATFORM: Microsoft NT 4.0 Workstation, Microsoft NT 4.0 Server, Microsoft NT 4.0 Server Enterprise Edition, and Microsoft NT 4.0 Server Terminal Server Edition. DAMAGE: The permissions may allow a malicious user who could interactively log onto a target machine to: Cause code to run in a local system context, cause code to run the next time another user logged onto the same machine, or disable the security protection for a previously-reported vulnerability. SOLUTION: Apply the patch for appropriate hardware. Intel: www.microsoft.com/downloads/release.asp?ReleaseID=19172 Alpha: ww.microsoft.com/downloads/release.asp?ReleaseID=19173

VULNERABILITY The risk is medium. The intruder needs to already have access ASSESSMENT: to the system. The malicious code that is ran could elevate the users rights to Administrator.

[Start Microsoft Advisory] Microsoft Security Bulletin (MS00-008) Patch Available for "Registry Permissions" Vulnerability Originally Posted: March 09, 2000 Summary Microsoft has released a tool that installs tighter permissions on three sets of registry values in Windows NT 4.0. The default permissions could allow a malicious user to gain additional privileges on a machine that they can interactively log onto. Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-008.asp. Issue This vulnerability involves three sets of registry keys whose default permissions are too permissive. These permissions could allow a malicious user who could interactively log onto a target machine to: Cause code to run in a local system context. Cause code to run the next time another user logged onto the same machine. Disable the security protection for a previously-reported vulnerability. These three key sets are not related to each other except by the fact that their permissions should be tightened. A tool is available that will reset all of the affected keys to the correct default value. Affected Software Versions Microsoft Windows NT 4.0 Workstation Microsoft Windows NT 4.0 Server Microsoft Windows NT 4.0 Server, Enterprise Edition Microsoft Windows NT 4.0 Server, Terminal Server Edition NOTE: Windows 2000 is not affected by this vulnerability. Patch Availability Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172 Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173 More Information Please see the following references for more information related to this issue. Microsoft Security Bulletin MS00-008: Frequently Asked Questions, http://www.microsoft.com/technet/security/bulletin/fq00-008.asp. Microsoft Security Bulletin MS99-025, Unauthorized Access to IIS Servers through ODBC Data Access with RDS, http://www.microsoft.com/security/bulletins/ms99-025.asp. Microsoft Knowledge Base (KB) article Q103861, INFO: Choosing the Debugger That the System Will Spawn, http://www.microsoft.com/technet/support/kb.asp?ID=103861. Microsoft Knowledge Base (KB) article Q185590, Guide To Windows NT 4.0 Profiles and Policies (Part 5 of 6), http://www.microsoft.com/technet/support/kb.asp?ID=185590. Microsoft Knowledge Base (KB) article Q184375, Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC, http://www.microsoft.com/technet/support/kb.asp?ID=184375. Microsoft Knowledge Base (KB) article Q184375, HOWTO: Regulate Network Access to the Windows NT Registry, http://www.microsoft.com/technet/support/kb.asp?ID=155363. Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp. Obtaining Support on this Issue This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp. Revisions March 09, 2000: Bulletin Created. [End Microsoft Advisory]

CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]