__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft "Registry Permissions" Vulnerability March 28, 2000 17:00 GMT Number K-029 ______________________________________________________________________________ PROBLEM: Vulnerabilities exist in the registry of Windows NT 4.0 platforms. These vulnerabilities involve three sets of registry keys whose default permissions are too permissive. These three key sets are not related to each other except by the fact that their permissions should be tightened. PLATFORM: Microsoft NT 4.0 Workstation, Microsoft NT 4.0 Server, Microsoft NT 4.0 Server Enterprise Edition, and Microsoft NT 4.0 Server Terminal Server Edition. DAMAGE: The permissions may allow a malicious user who could interactively log onto a target machine to: Cause code to run in a local system context, cause code to run the next time another user logged onto the same machine, or disable the security protection for a previously-reported vulnerability. SOLUTION: Apply the patch for appropriate hardware. Intel: www.microsoft.com/downloads/release.asp?ReleaseID=19172 Alpha: www.microsoft.com/downloads/release.asp?ReleaseID=19173 ______________________________________________________________________________ VULNERABILITY The risk is medium. The intruder needs to already have access ASSESSMENT: to the system. The malicious code that is ran could elevate the users rights to Administrator. ______________________________________________________________________________ [Start Microsoft Advisory] Microsoft Security Bulletin (MS00-008) Patch Available for "Registry Permissions" Vulnerability Originally Posted: March 09, 2000 Summary Microsoft has released a tool that installs tighter permissions on three sets of registry values in Windows NT 4.0. The default permissions could allow a malicious user to gain additional privileges on a machine that they can interactively log onto. Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-008.asp. Issue This vulnerability involves three sets of registry keys whose default permissions are too permissive. These permissions could allow a malicious user who could interactively log onto a target machine to: Cause code to run in a local system context. Cause code to run the next time another user logged onto the same machine. Disable the security protection for a previously-reported vulnerability. These three key sets are not related to each other except by the fact that their permissions should be tightened. A tool is available that will reset all of the affected keys to the correct default value. Affected Software Versions Microsoft Windows NT 4.0 Workstation Microsoft Windows NT 4.0 Server Microsoft Windows NT 4.0 Server, Enterprise Edition Microsoft Windows NT 4.0 Server, Terminal Server Edition NOTE: Windows 2000 is not affected by this vulnerability. Patch Availability Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172 Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173 More Information Please see the following references for more information related to this issue. Microsoft Security Bulletin MS00-008: Frequently Asked Questions, http://www.microsoft.com/technet/security/bulletin/fq00-008.asp. Microsoft Security Bulletin MS99-025, Unauthorized Access to IIS Servers through ODBC Data Access with RDS, http://www.microsoft.com/security/bulletins/ms99-025.asp. Microsoft Knowledge Base (KB) article Q103861, INFO: Choosing the Debugger That the System Will Spawn, http://www.microsoft.com/technet/support/kb.asp?ID=103861. Microsoft Knowledge Base (KB) article Q185590, Guide To Windows NT 4.0 Profiles and Policies (Part 5 of 6), http://www.microsoft.com/technet/support/kb.asp?ID=185590. Microsoft Knowledge Base (KB) article Q184375, Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC, http://www.microsoft.com/technet/support/kb.asp?ID=184375. Microsoft Knowledge Base (KB) article Q184375, HOWTO: Regulate Network Access to the Windows NT Registry, http://www.microsoft.com/technet/support/kb.asp?ID=155363. Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp. Obtaining Support on this Issue This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp. Revisions March 09, 2000: Bulletin Created. [End Microsoft Advisory] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) K-019: Microsoft - "Spoofed LPC Port Request" Vulnerability K-020: Majordomo open() call Vulnerability K-021: Malicious HTML Tags Vulnerability K-022: FreeBSD - Asmon/Ascpu Vulnerability K-023: FreeBSD - Delegate Proxy Server Vulnerability K-024: Microsoft Systems Management Server Vulnerability K-025: MySQL Password Authentication Vulnerability K-026: Microsoft SQL Server Admin Login Encryption Vulnerability K-027: Microsoft SQL Server and MSDE Malicious Query Vulnerability K-028: FreeBSD - Port Exploits for mh/nmh, Lynx, and mtr