BUILT-IN ANONYMOUS USER BACK DOOR

Aleph One (aleph1@DFW.NET)
Sat, 19 Apr 1997 21:01:17 -0500

The following is a summary of what has been discovered regarding this
vulnerability:

4/19/97
BUILT-IN ANONYMOUS USER BACK DOOR

ISS Advisory

Problem: A very serious security vulnerabiliy in Windows NT has been
discovered and knowledge of it has been made publicly available.

Affects: Any Windows NT host on a network.

Description:

An MWC exploit which demonstrates a security hole in Windows NT has been
released. The demonstration reads the registry of a remote machine, and
lists the users and shares, even if the currently logged in user has no
legitimate access to the target machine. The exploit can be obtained from
http://www.ntsecurity.com.

The source of the problem is the built-in user known as "anonymous". This
user is used by Windows NT for machine to machine communication, and was not
previously known to have access to any resources. However, now that it has
been demonstrated to be able to access Windows NT resources, it is important
to note that "anonymous" is a member of the "everyone" group.

This has a number of implications:

1) Any Windows NT machine which has NetBIOS bound to the network can have
registry information read or written to the extent that the "everyone" group
has access. The full extent of this problem will be explained below.

2) The application and system logs (but not the security logs) can also be read.

3) Any file share with access to "everyone" (which is the default) can also
be accessed.

4) Lan Manager calls can be used to enumerate all of the users on the
machine, determine which user is the administrator (even if renamed), and
list all of the shares.

The extent of the problem with the registry is as follows:

1) Most of the keys which are created on install are properly secured, even
from everyone. Under a default scenario, everyone does not have permissions
to write to most of the registry, and if they do, it is normally only to
create sub-keys, not write values. One possiblity which was raised was that
perhaps shares could be added via the registry - the default permissions
will not allow this.

It is not good thing to let an intruder read the Windows NT registry, but it
is a much more severe problem to allow it to be written.

2) Just about ANY software installed after OS install will not have correct
permissions, and are FULLY writable by everyone. It is suspected that this
is because the install scripts expect to be installing into Win95, which has
no concept of security. This has been observed with file permissions as
well. It would be _very_ possible to utilize this type of access to install
trojans, and point applications like browsers, news and mail readers at trojans.

For example:

software\Clients\mail\Exchange\shell\open\command
software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents

and a number of other items which could be subverted are writable.

Solutions:

1) If a machine is directly connected to the internet, unbind NetBIOS
services from the interface connected to the internet. This would be
especially appropriate for Web and FTP servers. This is done by opening
Control Panel, Networks, and choosing the Bindings tab.

2) ISS has written a small tool which changes "everyone" to "users" for an
entire registry tree. The tool is everyone2users.exe, and is currently
available from ftp://ftp.iss.net/everyone2users.exe and
http://ntbugtraq.rc.on.ca/david.htm.

Usage of the tool is:

everyone2users [registry key to set permissions]

It is recommended that this tool be run as follows:

everyone2users software

and

everyone2users system\currentcontrolset\services

3) Evaluate the exposure of any file system shares to "everyone". This can
be done by selecting properties of a share from explorer. The Windows NT
version of the ISS Internet Scanner also detects shares which are set with
full access to everyone, and can be obtained from http://www.iss.net/eval.

It is unclear at this time how to prevent the users from being listed. It
is expected that Microsoft will be patching the problem as rapidly as they
can. It is our opinion that this is a serious vulnerability and immediate
attention should be paid to preventing an intruder from exploiting this
problem. The availability of a demo for this problem substantially reduces
the amount of time it will take before the mechanism will become well known.
There are also a number of tools which can help identify the extent to which
the everyone group has access to a host - see http://www.somarsoft.com for
several shareware tools which may be helpful.

-----------------------------------------------------------
David LeBlanc | Voice: (770)395-0150 x138
Internet Security Systems, Inc. | Fax: (404)395-1972
41 Perimeter Center East | E-Mail: dleblanc@iss.net
Suite 660 | www: http://www.iss.net/
Atlanta, GA 30328 |