NT registry has loose permissions

Vulnerability Description

Brief description: The NT registry permissions allow a user to increase privileges.

Full description: Windows NT 4.0 has some registry permissions that are too permissive. A local user with access to the machine could increase their access and cause code to be executed on the machine.

The permissions on the AEDebug key could allow a malicious user to run arbitrary code in a System context.

Some permission settings on the User Shell Folders key allow a malicious user to specify code that would run the next time any user logs onto the machine. Under default permissions, this key cannot be modified remotely unless the machine had been specifically configured to allow it.

Some permission settings on the DataFactory key and a companion key allow a malicious user to disable the protection against a previously-reported vulnerability affecting Microsoft Internet Information Server. Under default permissions, this key cannot be modified remotely unless the machine had been specifically configured to allow it.

If the keys cannot be modified remotely, the malicious user would need to be able to interactively log onto the machine that he or she wanted to attack.

Components: registry

Systems: Windows NT 4.0

Effect(s) of exploiting: The attacker gains access to the system as the user who logs in, and can execute commands from that user's startup file.

Detecting the hole:

    1. Check the settings of the keys. They should be as follows:
    2. The AEDebug key should allow authenticated users read access, and Administrator, System, and Creator Owner full access.
    3. The User Shell Folders key should allow authenticated users read access, and Administrator, System, and Creator Owner full access.
    4. The DataFactory key should allow authenticated users read access, and Administrator, System, and Creator Owner full access.
    5. The ADCLaunch key should allow authenticated users read access, and Administrator, System, and Creator Owner full access.
    6. The ADCLaunch key should allow backup operators read access, and Administrator full access.
    7. If there are looser permissions assigned to these keys then the system has this vulnerability.
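The check in items 1 to 7 as an added PowerShell example, not part of this entry: it lists every Allow entry on the named keys that grants write-type rights to a principal other than Administrators, System or Creator Owner. It assumes a current Windows host (NT 4.0 has no PowerShell), and the full key paths and account names are assumptions from general Windows knowledge, not taken from the entry.

```powershell
# Added example: audit the registry keys named in "Detecting the hole".
# Key paths below are assumptions; the entry gives only the key names.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch',
    'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory'
)

# Principals the entry allows to hold full access (account names assumed).
$FullAccessOk = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# Any of these rights lets a principal change what the key controls;
# plain read rights (QueryValues, EnumerateSubKeys, Notify) are not in the mask.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Test-LooseRegistryAce {
    param([System.Security.AccessControl.RegistryAccessRule]$Ace)
    # Only Allow entries can loosen a key; Deny entries never do.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $grantsWrite = ($Ace.RegistryRights -band $WriteMask) -ne 0
    $trusted = $FullAccessOk -contains $Ace.IdentityReference.Value
    return ($grantsWrite -and -not $trusted)
}

foreach ($key in $Keys) {
    # The IIS/RDS keys are absent on hosts without that component.
    if (-not (Test-Path -Path $key)) { Write-Output "MISSING  $key"; continue }
    $loose = (Get-Acl -Path $key).Access | Where-Object { Test-LooseRegistryAce $_ }
    if ($loose) {
        Write-Output "LOOSE    $key"
        foreach ($ace in $loose) {
            Write-Output ("         {0} -> {1}" -f $ace.IdentityReference, $ace.RegistryRights)
        }
    } else {
        Write-Output "OK       $key"
    }
}
```

A key reported as LOOSE matches item 7: some principal outside the trusted set can write to it, which is the condition the entry describes.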

Fixing the hole:

    1. Run the relevant tool to reset the key permissions to a safe state.
    2. For Intel-based computers, use the Intel-based tool.
    3. For Alpha-based computers, use the Alpha-based tool.

Other information:

Keywords

registry permissions

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: ##### --

Exploit Information

Attack:

Related Information

Advisories: Microsoft Security Bulletins MS00-024, Tool Available for "OffloadModExpo Registry Permissions" Vulnerability, and MS00-024, Patch Available for "Registry Permissions" Vulnerability; ISS X-Force database entry nt-sp4-auth-error

Related Vulnerabilities:

Reportage

Reporting: Sergio Tabanelli in Microsoft Security Bulletin MS00-024 (April 12, 2000)

Revision Number 1

  1. Patrick LeBlanc (6/30/2000):
    Initial entry.