[6984] in bugtraq
Re: Dr Solomon's - Possible Hole
daemon@ATHENA.MIT.EDU (Toralv Dirro)
Thu Jun 18 11:56:08 1998
Date: Thu, 18 Jun 1998 16:42:49 GMT
Reply-To: Toralv Dirro <Toralv.Dirro@DRSOLOMON.COM>
From: Toralv Dirro <Toralv.Dirro@DRSOLOMON.COM>
To: BUGTRAQ@NETSPACE.ORG
In reply: no, it would not be an easy task to add commands such
as those described above!
The installation scripts stored in the MEUPGRD share are only
used if you are performing a Batch Installation. The Push On
and Pull Off installation methods do not use this approach.
The installation scripts are interpreted by the Update Agent
that runs on the client machine. This does indeed run under
the Local System account.
However, the Update Agent processes this script by interpreting
its contents. Thus you can not simply add a command to run an
executable program in the way that is described above.
Secondly, to prevent unauthorised tampering with installation
scripts, a checksum is created for each script that is
generated by the Management Console. The Update Agent
validates this checksum before processing the script,
regardless of the update method. If the contents of the script
have been altered, the generated and validated checksums will
not match and the Update Agent will refuse to process the
script's contents.
A tampered script may be identified by the administrator
running the Management Console, as the machine destined to run
the tampered script will have a red cross next to it (install
failed), and viewing the Installation Log will show the error
message "Integrity Failure". The Update Agent also displays a
dialog box on the target machine indicating the integrity
failure before terminating.
regards,
Toralv Dirro
Dr Solomon's Software Deutschland GmbH
On behalf of Graham Clarke, Dr Solomon's Software Ltd,
From: Aleph One <aleph1@DFW.NET> AT mailgate on 16.06.98 23:15 GDT
To: BUGTRAQ@NETSPACE.ORG AT mailgate@CCMAIL
Cc: (Bcc: Toralv Dirro/TS/DE/DRS)
Subject: Dr Solomon's - Possible Hole
---------- Forwarded message ----------
Date: Mon, 15 Jun 1998 22:37:25 +0100
From: Nemo <mnemonix@GLOBALNET.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Dr Solomon's - Possible Hole
Dear All,
I was looking at Dr Solomon's Management Edition Anti-virus for
NT and believe some of the advice they give could leave a huge
hole in the security of your network.
Below is a cutting from their technical notes web page:
http://www.drsolomon.com/products/avtknt/tnotes/Null.html
###############################################################
Null Session Shares
As part of the initial installation of Management Edition the
repository is created and the following two shares are
associated with it :
Share Name   Default Location            Purpose
REPO         C:\NTTKME\DISKS             Contains all Management Edition and
                                         Anti-Virus Toolkit components.
MEUPGRD      C:\NTTKME\DISKS\UPGRADES    Holds installation scripts for machines
                                         being updated via Batch Installation.
Batch Installations work via the Update Manager service running
on the Management Server. It sends out a data packet across the
network to the Management Agent running on the target
machine(s). This packet indicates the name and location of the
install script that the Management Agent should run to perform
an update.
The Management Agent performs the update by running the Update
Agent. As this is being launched by an NT service, it runs
under the Local System account, not the currently logged in
user (if there is one).
The Local System account does not normally have access to
information across the network via a share. This would normally
mean that it is unable to access the install scripts in the
MEUPGRD share.
The solution is to create what is termed a "Null Session
Share". This is done automatically when Management Edition
creates the repository. If the user inadvertently deletes and
re-creates the share they must check that the null session
share is still active. This is done via REGEDT32.EXE. Check for
the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
One of the values it should contain is MEUPGRD. The share
itself should also be set to Full Control for Everyone.
########################################################################
The last sentence is the crux of the issue here.
This null session share is on the server and the "everyone"
group has full control. This means that anyone can edit the
files in this share.
Wouldn't it be an easy task to add the following commands:
net user jsmith password /add
net localgroup administrators jsmith /add
(or equiv)
Because the clients are running the scripts in the MEUPGRD with
system privs the jsmith account will be created and added to the
local admins group......then the attacker has every single NT
client on your LAN to play with.
Thoughts? Comments?
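The technical note quoted above tells the administrator to confirm that MEUPGRD is listed under NullSessionShares and that the share grants Everyone Full Control. The script below is an added example, not part of either message above and not Dr Solomon's code: it walks that same registry value and, for every share it names, reports whether an anonymous (null-session) client can write to it, at the share ACL and at the NTFS ACL of the backing directory. It assumes a current Windows host with the SmbShare module (Get-SmbShare, Get-SmbShareAccess) rather than the NT 4 REGEDT32 procedure in the note; the function name Test-NullSessionShares is the author's own.

```powershell
# Added example: audit null-session shares for anonymous write access.
# Not from the original posts; uses the SmbShare module (Windows 8 / Server 2012
# and later). The registry path is the one quoted in the technical note.
function Test-NullSessionShares {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    try {
        # NullSessionShares is REG_MULTI_SZ, so this is a string array.
        $names = (Get-ItemProperty -Path $key -Name NullSessionShares -ErrorAction Stop).NullSessionShares
    } catch {
        Write-Output 'No NullSessionShares value present; no share is exposed to null sessions via this setting.'
        return
    }

    # Principals that an anonymous client satisfies on the share or NTFS ACL.
    $anonPrincipals = '^(Everyone|NT AUTHORITY\\ANONYMOUS LOGON|.*\\Everyone)$'

    foreach ($name in $names) {
        $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        if (-not $share) {
            Write-Output ("{0}: listed in NullSessionShares but no such share exists (stale entry)" -f $name)
            continue
        }

        # Share-level ACL: the note's "Full Control for Everyone" shows up here.
        $shareAces = Get-SmbShareAccess -Name $name | Where-Object {
            $_.AccountName -match $anonPrincipals -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $shareAces) {
            Write-Output ("{0} ({1}): null-session share, but no Everyone/ANONYMOUS entry on the share ACL" -f $name, $share.Path)
        }
        foreach ($ace in $shareAces) {
            $writable = $ace.AccessRight -in 'Full', 'Change'
            Write-Output ("{0} ({1}): share ACL grants {2} {3}{4}" -f $name, $share.Path, $ace.AccountName,
                $ace.AccessRight, $(if ($writable) { '  <-- anonymous clients can modify files' } else { '' }))
        }

        # NTFS ACL on the backing directory: effective access is the intersection
        # of share and NTFS permissions, so a tight NTFS ACL would still block writes.
        if (Test-Path -LiteralPath $share.Path) {
            $ntfsWrite = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
                $_.IdentityReference.Value -match $anonPrincipals -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -match 'Write|Modify|FullControl')
            }
            foreach ($ace in $ntfsWrite) {
                Write-Output ("{0} ({1}): NTFS ACL grants {2} {3}  <-- write access at the file system level" -f
                    $name, $share.Path, $ace.IdentityReference, $ace.FileSystemRights)
            }
        }
    }
}

Test-NullSessionShares
```

A share is only a problem in the sense Nemo describes when both layers allow writes to anonymous principals, which is exactly the configuration the technical note asks for; a share that is null-session readable but write-restricted at the NTFS layer would not let an unauthenticated client replace the installation scripts.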