[4791] in WWW Security List Archive
RE: Rollback attack
daemon@ATHENA.MIT.EDU (Brian Toole)
Wed Mar 12 21:30:34 1997
From: Brian Toole <btoole@oakmanor.com>
To: Fiorini Simone <fiorinis@dsdata.it>
Cc: www-security@ns2.rutgers.edu
Date: Wed, 12 Mar 1997 18:55:36 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
Fiorini Simone wrote:
>I've heard about something like Rollback attack against NT based WWW
>servers.
>
>Can anyone tell me something about this ?
>
>Thanks.
>
>____________________
>Simone Fiorini
>DS DATA SYSTEMS spa
>
>fiorinis@dsdata.it
>
----
The original notification from M$
----
>Subject: !!!HOT!!! CRITICAL INFO!!! ROLLBACK UTILITY ON NT 4.0 CD!!!
>Date: Tue, 17 Sep 1996 13:42:07 -0700
>From: Mark Grossbard <markgro@MICROSOFT.com>
>
>This is a critical heads up...we have just discovered that
>inadvertently, an OEM Pre-installation Kit tool, ROLLBACK.EXE was
>included on the retail CD of both NTW and NTS 4.0. This tool removes
>the critical components of the Registry from an existing installation
>of NT and 'rolls it back' to the beginning of GUI mode setup. THERE
>IS NO RECOVERY FROM THE USE OF THIS TOOL. All Registry entries added
>by any BackOffice server application [and others] are removed along w/
>all security and accounts information. Thus, only a complete backup
>immediately prior to usage will recover the installation. Data files
>are intact along w/ file ACLs.
>
>ROLLBACK has no Help file, has no cmd line help, and in fact has no
>documentation of any kind on the CD; simply double-clicking on the EXE
>or giving the command from the console causes execution without any
>warning. The next thing you know, you are staring at the Setup screen
>and are completely down.
>
>A KB article is being rushed through and NT Program Management will
>respond ASAP. In the interim, please further disseminate this
>information within your organization as required to prevent any
>down-time.
>
>Thanks!
>
>Best regards,
>
>Mark Grossbard
>Microsoft Premier Support
------
And the article:
------
http://www.microsoft.com/kb/articles/q149/2/83.htm
SUMMARY
The Windows NT 4.0 Server and Workstation compact discs include a
utility called Rollback.exe. Rollback.exe was designed to help computer
manufacturers preinstall Windows NT 4.0, and allow end-users to do the
final configuration according to the desired role of the computer.
Running this utility will remove all registry settings
on a system and bring it back to the end of the Character Based Setup
portion of the Setup program, effectively undoing everything configured
by the GUI portion of Windows NT Setup.
------
> -----Original Message-----
> From: owner-www-security@ns2.Rutgers.EDU
> [SMTP:owner-www-security@ns2.Rutgers.EDU] On Behalf Of John Johnson
> Sent: Wednesday, March 12, 1997 7:31 AM
> To: Fiorini Simone
> Cc: www-security@ns2.rutgers.edu
> Subject: Re: Rollback attack
> Importance: High
>
> [snip]
>
> ok basically if you have a few open ports on a NT server (4.0) you can play
> it this way. Usually there are some protected ports (below 1024) open; these
> you can use a tool like port lock (credits to The Hobbit, or that's where I
> got it) to lock onto a port, and then using either the get.../../.. attack
> or, if port 19 is open (using Linux you can open, say, 40,000 ports to it),
> use something like the pounder attack on it and crash the machine. Now if
> you have the port lock on, it will start throwing rollback.exe at the locked
> open port, so upon reboot (NT runs around looking for exe's) it accepts this
> rollback play and opens up the registry to all comers for resetting of the
> system (rollback is also used to recover lost administrator passwords, but
> more on this later).
> I know it sounds sooooo simple, but hey, the man asked. If you don't believe
> me, look at some of the Aussie press when we did this in public at a Sydney
> computer show. I ain't against NT, ok?? I'm just telling you folks how
> we do it..
>
> cheers!
>
>
> John Johnson WWW http://www.novatech.net.au
>
> Tactical Director email novatech@novatech.net.au (business)
>
> NovaTech Internet Security knytmare@nectar.com.au (private)
> Australia's Leading Dedicated Internet and Network Security Consultants
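A defender's follow-up to the Microsoft notice above, added here as an example; it is not code from this thread, from Microsoft or from the KB article. The practical mitigation the notice implies is to find every copy of ROLLBACK.EXE on installation media and installed systems before anyone runs it. The script walks a directory (a mounted NT 4.0 CD image or a system drive), reports each file named rollback.exe matched case-insensitively as NT file names are, records a SHA-256 so copies on different media can be compared against each other (the real file's hash is not on the page, so none is assumed), and can rename each copy so that a double-click or a console command no longer executes it. The sample tree, the `.disabled` suffix and the file contents are constructed for the demo.

```python
"""Find, fingerprint and quarantine copies of ROLLBACK.EXE under a directory tree.

Added example for this thread; not code from the list, from Microsoft or from
the KB article. The sample tree built by build_sample_tree() is constructed.
"""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass

TARGET_NAME = "rollback.exe"      # the OEM preinstallation tool named in the advisory
QUARANTINE_SUFFIX = ".disabled"   # assumed suffix for this example, not a Microsoft convention

# Constructed stand-in for the tool's contents; the real file's hash is not on the page.
SAMPLE_BYTES = b"MZ-constructed-placeholder-for-ROLLBACK.EXE"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()


@dataclass
class Finding:
    path: str
    size: int
    sha256: str


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large media images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_rollback(root: str) -> list:
    """Return a Finding for every rollback.exe below root, sorted by path."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET_NAME:          # NT file names are case-insensitive
                full = os.path.join(dirpath, name)
                findings.append(Finding(full, os.path.getsize(full), sha256_of(full)))
    return sorted(findings, key=lambda f: f.path)


def quarantine(findings: list) -> list:
    """Rename each copy so it is no longer an .exe; return the new paths."""
    moved = []
    for finding in findings:
        new_path = finding.path + QUARANTINE_SUFFIX
        os.rename(finding.path, new_path)
        moved.append(new_path)
    return moved


def build_sample_tree(base: str) -> None:
    """Create a constructed layout: two copies in different case, plus decoys."""
    for rel, data in (
        (os.path.join("I386", "ROLLBACK.EXE"), SAMPLE_BYTES),
        (os.path.join("ALPHA", "rollback.exe"), SAMPLE_BYTES),
        (os.path.join("I386", "SETUP.EXE"), b"MZ-unrelated-setup-stand-in"),
        ("ROLLBACK.TXT", b"not an executable"),
    ):
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Scan a constructed tree, quarantine what is found, and rescan."""
    base = tempfile.mkdtemp(prefix="nt40_media_")
    build_sample_tree(base)
    before = find_rollback(base)
    moved = quarantine(before)
    after = find_rollback(base)
    return {
        "found_before": len(before),
        "found_after": len(after),
        "hashes": sorted({f.sha256 for f in before}),
        "quarantined": [os.path.basename(p) for p in moved],
    }


if __name__ == "__main__":
    # Usage: python rollback_scan.py <directory> [--quarantine]
    if len(sys.argv) < 2:
        print(demo())
    else:
        found = find_rollback(sys.argv[1])
        for f in found:
            print(f"{f.path}  {f.size} bytes  sha256={f.sha256}")
        if "--quarantine" in sys.argv[2:]:
            for p in quarantine(found):
                print(f"renamed to {p}")
```

Run it against a mounted CD image first without `--quarantine` to get an inventory; matching hashes across media tell you the copies are identical, and differing hashes are worth a closer look before anything is renamed.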