Re: ISS Security Alert

David LeBlanc (dleblanc@MINDSPRING.COM)
Thu, 23 Oct 1997 09:32:33 -0400

At 06:26 PM 10/22/97 -0500, Aleph One wrote:
>On Wed, 22 Oct 1997, X-Force wrote:
>
>> ISS Security Alert
>> October 21, 1997
>> Scheduler/Winlogin Keys have Incorrect Permissions
>[ snip ]
>> References:
>> http://support.microsoft.com/support/kb/articles/q126/7/13.asp
>> http://www.infoworld.com/cgi-bin/displayStory.pl?971014.wntsecurity.htm

>You might want to check your references more carefully. The KB article
>(posted to this list 5 days ago) talks about the Run, RunOnce, and
>Uninstall registry keys and the Everyone group. Ditto for the InfoWorld
>article. At no point is there any mention of the Schedule or UserInit keys
>or the Server Operators group.

Yes, I know. The referenced articles refer to a much more severe
permissions misconfiguration which could result in a local user becoming an
administrator. The server operator permissions problem hasn't been
publicly announced by MS, though they are aware of it. Although I didn't
write the announcement, I think the references are because the two problems
are very similar. Under most situations, this one isn't a huge problem,
since there may not be any server operators - just users and admins. A
server op is also normally a fairly trusted user as well.

The mechanism used to gain higher access is exactly the same, however - the
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key contains a
system value. If you append another .exe to the end of the value, the
system will run that after it is done initializing. So the server op
changes the value, reboots, and is now an admin (or whatever). I found
this one sitting on a plane reading about what all the values under
winlogon do, and then got to thinking about who could _write_ to that
key... You could use the UserInit key to insert a trojan on a given user,
and so could nail the domain admin into running something for you.

Oddly enough, there is actually a setting which allows server ops to post
at jobs, but from the permissions on the registry, they could have manually
posted jobs (or redirected existing jobs) to begin with.

BTW, if you're looking at this from an NT workstation, server ops won't
resolve, and will be shown as account unknown - if you look directly at the
SID, look for a RID with a value of 0x225.

David LeBlanc           | Why would you want to have your desktop user,
dleblanc@mindspring.com | your mere mortals, messing around with a 32-bit
                        | minicomputer-class computing environment?
                        |   Scott McNealy
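A defender's check for the misconfiguration this message describes, added here as an example and not part of the original post or of the ISS alert. It assumes a current Windows host with PowerShell (NT 4 itself predates it), uses the Winlogon key and the Userinit and System value names from the post, and the "outside System32" flag is a heuristic of this example only.

```powershell
# Added example, not from the original post: audit the Winlogon key discussed above.
# Assumes a modern Windows host with PowerShell; NT 4, the system in the post, predates it.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonKeyPermissions {
    # Reports Allow ACEs that grant write-type rights on the key to Server Operators
    # (S-1-5-32-549, i.e. RID 0x225 as the post notes) or Everyone (S-1-1-0). SIDs are
    # compared directly, so this also works on a workstation where the name won't resolve.
    param([string]$KeyPath = $WinlogonKey)
    $Watch = @{ 'S-1-5-32-549' = 'BUILTIN\Server Operators'; 'S-1-1-0' = 'Everyone' }
    $WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'
    foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # already a raw SID string
        if ($Watch.ContainsKey($sid) -and (($ace.RegistryRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{ Principal = $Watch[$sid]; Sid = $sid
                               Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
        }
    }
}

function Get-WinlogonStartupEntries {
    # Lists each comma-separated entry of the Userinit and System values (the values the
    # post says get an extra .exe appended). Heuristic of this example: an entry that does
    # not resolve to a file under %SystemRoot%\System32 is marked for review.
    param([string]$KeyPath = $WinlogonKey)
    $props = Get-ItemProperty -Path $KeyPath
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($name in 'Userinit', 'System') {
        $raw = $props.$name
        if (-not $raw) { continue }
        foreach ($entry in ($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $sys32 $path }  # bare names load from System32
            $inSys32 = $path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{ Value = $name; Entry = $entry; Resolved = $path
                               Exists = (Test-Path -LiteralPath $path); Review = -not $inSys32 }
        }
    }
}

Test-WinlogonKeyPermissions | Format-Table -AutoSize
Get-WinlogonStartupEntries  | Format-Table -AutoSize
```

An empty result from the first function means neither group holds write rights on the key; any row marked Review in the second output should be compared against the expected defaults for that Windows version before acting on it.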