Two NT Registry Risks

Two NT Registry Insecurities

Reported October 20, 1997 by David LeBlanc

Systems Affected

Windows NT

The Problem

The attack was described most adequately in the ISS X-Force Security Advisory:

ISS Security Alert
October 21, 1997
Scheduler/Winlogin Keys have Incorrect Permissions

This advisory describes two similar configuration problems in the Windows NT Registry key permissions.  These vulnerabilities can allow users with Server Operator privilege to increase their access level to Administrator.

Problem 1:  Scheduler Key Has Incorrect Permissions

Affects: Windows NT

Description: The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule key controls the schedule service.  Server Operators have permission to write to this registry tree, which would allow them to manually schedule jobs to be run by the schedule service, which normally executes under the system user context.  This can be used to raise the Server Operator's access level to Administrator.

Risk: Medium

Solution: Local Machine (GUI):  From the Start menu, choose "Run."  Type "regedt32" and click "OK."  This opens the Registry Editor.  Through the Security menu, remove write access to the Schedule key for Server Operators.

Problem 2:  Winlogon Key Has Incorrect Permissions

Affects: Windows NT

Description: The HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon key has two values which can be used to cause a process to execute upon either system bootup, or when a user logs on.  The programs pointed to by the System value run under the system user context after boot, and could be used to change a user's rights or access level.  The UserInit value runs applications when a user logs in.  The default settings for this key allow Server Operators to write these values, either of which could be used to raise a System Operator's access level to Administrator.

Risk: Medium

Solution: Local Machine (GUI):  From the Start menu, choose "Run."  Type "regedt32" and click "OK."  This opens the Registry Editor.  Through the Security menu, remove write access to the Winlogon key for Server Operators.

====================================================================

Caution: Care must be taken when using the Registry Editor.  If incorrect values are entered, the system may become inoperable.  Should a mistake be made when editing the registry values, the registry state can be restored to the state at the last time the system booted up.  For more information, see the Windows NT Help under the Registry section.

====================================================================

Acknowledgments: This problem was identified by David LeBlanc of ISS ([email protected]).

References:
Microsoft KB
InfoWorld Story

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

--------- Copyright (c) 1997 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically.  It is not to be edited in any way without express consent of X-Force.  If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please email [email protected] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Stopping the Problem:

Follow the advice given above in the X-Force Advisory and BE SURE to read Microsoft's Knowledge Base Article Q126713 regarding these issues.
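An added example, not part of the ISS advisory or of this page, that performs the same check and fix from a script instead of the regedt32 Security menu: it audits both keys named in the advisory for access control entries that grant Server Operators write-class rights, and with -Fix strips only those rights (read access is left in place), then re-reads the key to confirm. It assumes a current Windows host with PowerShell 5.1 or later and an elevated session; the key paths are the ones from the advisory (the Winlogon key's actual name in the registry is "Windows NT" with a space), S-1-5-32-549 is the well-known SID for BUILTIN\Server Operators, and the function and parameter names are my own.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not the advisory's or the page's own code).
  Audit, and optionally remediate, Server Operators write access on the
  Schedule and Winlogon keys. Run without -Fix to audit only.
  Assumes PowerShell 5.1+ on a current Windows host, elevated session.
#>
param([switch]$Fix)

# Keys from the advisory. The Winlogon path contains a space ("Windows NT").
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Well-known SID for BUILTIN\Server Operators; avoids locale-dependent names.
$ServerOpsSid = 'S-1-5-32-549'

# Rights that let a principal change the key's contents or its permissions.
$R = [System.Security.AccessControl.RegistryRights]
$WriteRights = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
               $R::ChangePermissions -bor $R::TakeOwnership

# Hypothetical helper name: returns the Allow ACEs for Server Operators
# that carry any of the write-class bits above.
function Get-ServerOpsWriteAce {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $WriteRights) -ne 0 -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $ServerOpsSid
    }
}

$Report = foreach ($Key in $Keys) {
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Key not present on this host: $Key"
        continue
    }
    $Acl = Get-Acl -Path $Key
    $Bad = @(Get-ServerOpsWriteAce -Acl $Acl)

    if ($Fix -and $Bad.Count -gt 0) {
        if ($Bad | Where-Object IsInherited) {
            # Inherited ACEs cannot be edited in place: break inheritance,
            # keeping copies of the inherited ACEs as explicit ones.
            $Acl.SetAccessRuleProtection($true, $true)
            Set-Acl -Path $Key -AclObject $Acl
            $Acl = Get-Acl -Path $Key
            $Bad = @(Get-ServerOpsWriteAce -Acl $Acl)
        }
        foreach ($Ace in $Bad) {
            # A rule carrying only the write bits, so RemoveAccessRule strips
            # those and leaves any read rights in the same ACE untouched.
            $Strip = [System.Security.AccessControl.RegistryAccessRule]::new(
                $Ace.IdentityReference,
                ($Ace.RegistryRights -band $WriteRights),
                $Ace.InheritanceFlags,
                $Ace.PropagationFlags,
                $Ace.AccessControlType)
            [void]$Acl.RemoveAccessRule($Strip)
        }
        Set-Acl -Path $Key -AclObject $Acl
        # Re-read the key so the report reflects the stored ACL, not the object.
        $Bad = @(Get-ServerOpsWriteAce -Acl (Get-Acl -Path $Key))
    }

    [pscustomobject]@{
        Key                = $Key
        ServerOpsWriteAces = $Bad.Count
        Status             = if ($Bad.Count -eq 0) { 'OK' } else { 'WRITABLE BY SERVER OPERATORS' }
    }
}

$Report | Format-Table -AutoSize
```

The Server Operators group exists only on domain controllers, so on a member server the filter simply matches nothing and both keys report OK; the well-known SID is used rather than the display name so the check behaves the same on non-English installations.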

To learn more about new NT security concerns, subscribe to NTSD.

Credit:
Reported by David LeBlanc
Posted here at NTSecurity.Net October 22, 1997
