---------- Forwarded message ----------
Date: Mon, 15 Jun 1998 22:37:25 +0100
From: Nemo <mnemonixat_private>
To: NTBUGTRAQat_private
Subject: Dr Solomon's - Possible Hole

Dear All,

I was looking at Dr Solomon's Management Edition Anti-virus for NT and believe some of the advice they give could leave a huge hole in the security of your network. Below is a cutting from their technical notes web page:

http://www.drsolomon.com/products/avtknt/tnotes/Null.html

###############################################################

Null Session Shares

As part of the initial installation of Management Edition the repository is created and the following two shares are associated with it:

Share Name   Default Location            Purpose
REPO         C:\NTTKME\DISKS             Contains all Management Edition and Anti-Virus Toolkit components.
MEUPGRD      C:\NTTKME\DISKS\UPGRADES    Holds installation scripts for machines being updated via Batch Installation.

Batch Installations work via the Update Manager service running on the Management Server. It sends out a data packet across the network to the Management Agent running on the target machine(s). This packet indicates the name and location of the install script that the Management Agent should run to perform an update.

The Management Agent performs the update by running the Update Agent. As this is being launched by an NT service, it runs under the Local System account, not the currently logged in user (if there is one). The Local System account does not normally have access to information across the network via a share. This would normally mean that it is unable to access the install scripts in the MEUPGRD share.

The solution is to create what is termed a "Null Session Share". This is done automatically when Management Edition creates the repository. If the user inadvertently deletes and re-creates the share they must check that the null session share is still active. This is done via REGEDT32.EXE.

Check for the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares

One of the values it should contain is MEUPGRD. The share itself should also be set to Full Control for Everyone.

########################################################################

The last sentence is the crux of the issue here. This null session share is on the server and the "Everyone" group has full control. This means that anyone can edit the files in this share. Wouldn't it be an easy task to add the following commands:

net user password jsmith /add
net localgroup administrators jsmith /add

(or equiv)

Because the clients are running the scripts in the MEUPGRD share with system privs, the jsmith account will be created and added to the local admins group... then the attacker has every single NT client on your LAN to play with.

Thoughts? Comments?

Mnemonix
http://www.users.globalnet.co.uk/~mnemonix
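The risk described in the post comes from two settings combining: a share name listed under the NullSessionShares registry value (reachable without credentials) and a share or NTFS ACL that lets a broad principal such as Everyone write to the scripts that clients later run as Local System. The following PowerShell audit is an added example, not code from the original post or from Dr Solomon's; it reads the same LanmanServer\Parameters key the post names, then checks each listed share's share-level and NTFS permissions for write-class rights granted to Everyone, Anonymous Logon, Authenticated Users or Users. It assumes a current Windows host with the SmbShare module (Get-SmbShare and Get-SmbShareAccess), so it will not run on the NT 4 systems of the post's era; the share name MEUPGRD comes from the post, and the set of "broad" principals is the author's choice for this example.

```powershell
# Added audit example (not part of the original post or the vendor's documentation).
# Assumes Windows 8 / Server 2012 or later for the SmbShare cmdlets.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# NullSessionShares is a REG_MULTI_SZ; a missing value returns $null with -ErrorAction SilentlyContinue.
$nullShares = (Get-ItemProperty -Path $regPath -Name NullSessionShares -ErrorAction SilentlyContinue).NullSessionShares
if (-not $nullShares) {
    Write-Output 'No NullSessionShares value is set; no share is exposed to null sessions by name.'
    return
}

# Principals whose write access on a null-session share is a finding (assumption: this list is the example's own).
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Test-BroadPrincipal {
    param([string]$Name)
    return (($broadPrincipals -contains $Name) -or ($Name -like '*\Everyone'))
}

foreach ($name in $nullShares) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) {
        Write-Output "[$name] is listed in NullSessionShares but no such share exists (stale entry; remove it)."
        continue
    }
    Write-Output "[$name] null-session share -> $($share.Path)"

    # Share-level ACL: Change or Full granted to a broad principal lets anonymous clients replace the scripts.
    foreach ($ace in Get-SmbShareAccess -Name $name) {
        if ((Test-BroadPrincipal $ace.AccountName) -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Change', 'Full')) {
            Write-Output "  WARNING share ACL: $($ace.AccountName) has $($ace.AccessRight)"
        }
    }

    # NTFS ACL on the folder behind the share: any write-class right to a broad principal is the same problem.
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $writes = $ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write|CreateFiles|AppendData'
        if ((Test-BroadPrincipal $id) -and $ace.AccessControlType -eq 'Allow' -and $writes) {
            Write-Output "  WARNING NTFS ACL: $id has $($ace.FileSystemRights)"
        }
    }
}
```

A share that appears in NullSessionShares should at most be readable by Everyone; write access to the script folder belongs only to the administrators who publish updates, so the condition the post describes (a null-session share with Everyone Full Control) shows up here as a WARNING line on both the share ACL and the NTFS ACL. Run the script on each Management Server, and treat any warning on a share whose contents are executed elsewhere as a priority fix.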
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:01 PDT