Bad registry permissions on NT allows users to defeat security restrictions
Description: | Users can set registry settings like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run programs at startup in a heightened security context. |
Author: | Unknown (Aleph One?) |
Compromise: | heighten privileges on NT |
Vulnerable Systems: | NT 3.5, 3.51, and 4.0 default configuration |
Date: | 17 October 1997 |
Date: Fri, 17 Oct 1997 00:47:56 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Run, RunOnce and Uninstall Registry Keys Vulnerability
Resetting Default Access Controls on Selected Registry Keys
Last reviewed: October 15, 1997
Article ID: Q126713
The information in this article applies to:
* Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
* Microsoft Windows NT Server versions 3.5, 3.51, and 4.0
IMPORTANT: This article contains information about editing the
registry. Before you edit the registry, make sure you understand how
to restore it if a problem occurs. For information about how to do
this, view the "Restoring the Registry" Help topic in Regedit.exe or
the "Restoring a Registry Key" Help topic in Regedt32.exe.
SYMPTOMS
A user with a valid user name and domain name, who also has the
right to log on locally to a Windows NT computer, can have the
system run a program on the local computer in a heightened security
context.
NOTE: The Guest account does not have access to modify the registry.
By default, Windows NT domain controllers only permit administrators
to log on and therefore are not vulnerable.
CAUSE
When a properly authenticated user logs on locally to a Windows NT
computer, that user becomes a member of the "Everyone" group. The
default permission on the keys cited below allow members of the
"Everyone" group special access, which includes the right to Set
Values or Create Subkeys. This allows members of the "Everyone"
group to create an entry under the Run and RunOnce keys that
contains the name of a program to run when the computer starts. The
Uninstall key defines the programs to run when you remove an
application.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Because there is a potential for the abuse of this level of rights,
some organizations may want to reset the permissions, as described
below in the Resolution section. A user must be logged on locally in
order to change these keys. They can be changed remotely by properly
authenticated and privileged administrators.
RESOLUTION
Resetting the permissions for these three registry subkeys to READ
resolves this issue.
WARNING: Using Registry Editor incorrectly can cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from the
incorrect use of Registry Editor can be solved. Use Registry Editor
at your own risk.
For information about how to edit the registry, view the "Changing
Keys And Values" Help topic in Registry Editor (Regedit.exe) or the
"Add and Delete Information in the Registry" and "Edit Registry
Data" Help topics in Regedt32.exe. Note that you should back up the
registry before you edit it.
Perform the following steps to reset the permissions:
1. Run Registry Editor (Regedt32.exe).
2. Perform the following steps on each of the registry keys
identified above:
A. On the Security menu, click Permissions.
B. Click "Replace Permissions on Existing Subkeys" so that it
is
selected.
C. Click Everyone, change the Type Of Access to Read, and then
click OK.
3. Exit Registry Editor.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: