Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:821
HistoryOct 24, 2000 - 12:00 a.m.

Registry Permissions reminder - local privilege escalation on Windows NT

2000-10-2400:00:00
vulners.com
3
JSON

Howdy all,
The generic security issue of lax permissions on registry keys under Windows
NT 4 has been known for sometime (see Stephen Sutton's Windows NT Security
Guidelines http://www.trustedsystems.com/tss_nsa_guide.htm ) but here's a
"new" curtly reminder of why it is so important to do so.

Local privilege escalation can be achieved on Windows NT 4, due to weak
permissions on a registry key that controls the Microsoft Installer Service.
When a user double clicks on a valid .msi file the Microsoft Installer
Service (MSIEXEC) is started. As part of the MSIEXEC startup process it
reads in the name of the DLL set in the following registry key:

HKLM\Software\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcSer
ver32

by default, normally C:\winnt\system32\msi.dll

Once this DLL has been loaded into the address space of MSIEXEC, the
DllGetClassObject() function exported by msi.dll is called. Due to the
permissions on this registry key any user that may log on to the system
locally, can modify the value - as the Interactive user. By creating their
own DLL that exports a function called DllGetClassObject() and pointing this
key to their own DLL, rather than msi.dll they can gain complete control
over the system. For example the following code, compiled into a DLL will
give an Interactive command shell with SYSTEM privileges when the user then
double clicks on an MSI file.

#include <stdio.h>

__declspec(dllexport)int DllGetClassObject()
{
system("cmd.exe");
return 0;
}

To resolve this issue, and any others like it, ensure that only
Administrators may set regsitry key values under HKLM\Software\Clsid -
Interactive only needs the read permission. On web servers that allow
publishing it is crucial to ensure that these issues don't exist as this
attack can be lauched using ASP - for anyone interested I'll be speaking
about this as part of my talk at Blackhat (http://www.blackhat.com) in
Amsterdam on Wednesday.

Cheers,
David Litchfield
@stake http://www.atstake.com

JSON