In reply, no, it would not be an easy task to add commands such as those described above! The installation scripts stored in the MEUPGRD share are only used if you are performing a Batch Installation. The Push On and Pull Off installation methods do not use this approach. The installation scripts are interpreted by the Update Agent that runs on the client machine. This does indeed run under the Local System account. However, the Update Agent processes this script by interpreting its contents. Thus you cannot simply add a command to run an executable program in the way that is described above. Secondly, to prevent unauthorised tampering with installation scripts, a checksum is created for each script that is generated by the Management Console. The Update Agent validates this checksum before processing the script, regardless of the update method. If the contents of the script have been altered, the generated and validated checksums will not match and the Update Agent will refuse to process the script's contents. A tampered script may be identified by the administrator running the Management Console, as the machine destined to run the tampered script will have a red cross next to it (install failed), and viewing the Installation Log will show the error message "Integrity Failure". The Update Agent also displays a dialog box on the target machine indicating the integrity failure before terminating.
regards,

Toralv Dirro
Dr Solomon's Software Deutschland GmbH
On behalf of Graham Clarke, Dr Solomon's Software Ltd

From: Aleph One <aleph1at_private> AT mailgate on 16.06.98 23:15 GDT
To: BUGTRAQat_private AT mailgate@CCMAIL
Cc:
(Bcc: Toralv Dirro/TS/DE/DRS)
Subject: Dr Solomon's - Possible Hole

---------- Forwarded message ----------
Date: Mon, 15 Jun 1998 22:37:25 +0100
From: Nemo <mnemonixat_private>
To: NTBUGTRAQat_private
Subject: Dr Solomon's - Possible Hole

Dear All,

I was looking at Dr Solomon's Management Edition Anti-virus for NT and believe some of the advice they give could leave a huge hole in the security of your network. Below is a cutting from their technical notes web page:

http://www.drsolomon.com/products/avtknt/tnotes/Null.html

###############################################################

Null Session Shares

As part of the initial installation of Management Edition the repository is created and the following two shares are associated with it:

Share Name   Default Location           Purpose
REPO         C:\NTTKME\DISKS            Contains all Management Edition and Anti-Virus Toolkit components.
MEUPGRD      C:\NTTKME\DISKS\UPGRADES   Holds installation scripts for machines being updated via Batch Installation.

Batch Installations work via the Update Manager service running on the Management Server. It sends out a data packet across the network to the Management Agent running on the target machine(s). This packet indicates the name and location of the install script that the Management Agent should run to perform an update. The Management Agent performs the update by running the Update Agent. As this is being launched by an NT service, it runs under the Local System account, not the currently logged in user (if there is one). The Local System account does not normally have access to information across the network via a share. This would normally mean that it is unable to access the install scripts in the MEUPGRD share.

The solution is to create what is termed a "Null Session Share". This is done automatically when Management Edition creates the repository. If the user inadvertently deletes and re-creates the share they must check that the null session share is still active. This is done via REGEDT32.EXE. Check for the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares

One of the values it should contain is MEUPGRD. The share itself should also be set to Full Control for Everyone.

###############################################################

The last sentence is the crux of the issue here. This null session share is on the server and the "everyone" group has full control. This means that anyone can edit the files in this share. Wouldn't it be an easy task to add the following commands:

net user password jsmith /add
net localgroup administrators jsmith /add

(or equiv)

Because the clients are running the scripts in the MEUPGRD with system privs the jsmith account will be created and added to the local admins group......then the attacker has every single NT client on your LAN to play with.

Thoughts? Comments?
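The vendor reply above describes the control that is meant to close this hole: the Update Agent recomputes a checksum over each installation script and refuses to process the script, reporting "Integrity Failure", when it does not match the value the Management Console generated. The reply does not say how that checksum is produced, and that detail decides how much the check is worth on a share where Everyone has Full Control. The Python below is an added illustration, not Dr Solomon's code, and models the agent-side decision for two variants: a plain digest, which anyone able to rewrite the script could recompute if the stored checksum is also within reach, and a keyed MAC, which cannot be recomputed without a key that is never placed on the share. The script format, the key value and the tampering edit are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample of an installation script of the kind a management
# console might generate. The format is invented for this example; it is
# not Dr Solomon's script format.
ORIGINAL_SCRIPT = (
    b"[Install]\r\n"
    b"Product=AVTK\r\n"
    b"Source=\\\\MGMTSRV\\REPO\r\n"
    b"Target=C:\\AVTK\r\n"
)

# Constructed secret shared by the console and the Update Agents (placeholder
# value). In a real deployment it would be provisioned out of band and never
# stored on the MEUPGRD share.
CONSOLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

INTEGRITY_FAILURE = "Integrity Failure"


def plain_checksum(script: bytes) -> str:
    """Unkeyed digest of the script contents (recomputable by anyone)."""
    return hashlib.sha256(script).hexdigest()


def keyed_checksum(script: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the script contents; recomputing it needs the key."""
    return hmac.new(key, script, hashlib.sha256).hexdigest()


def validate_unkeyed(script: bytes, stored_checksum: str) -> str:
    """Agent-side check when the stored checksum is a plain digest."""
    if hmac.compare_digest(plain_checksum(script), stored_checksum):
        return "OK"
    return INTEGRITY_FAILURE


def validate_keyed(script: bytes, stored_mac: str, key: bytes) -> str:
    """Agent-side check when the stored checksum is a keyed MAC."""
    if hmac.compare_digest(keyed_checksum(script, key), stored_mac):
        return "OK"
    return INTEGRITY_FAILURE


def tamper(script: bytes) -> bytes:
    """Append one extra line, standing in for any unauthorised edit."""
    return script + b"Extra=tampered\r\n"


def run_scenarios() -> dict:
    """Return the agent's verdict for clean, edited and re-checksummed scripts."""
    tampered = tamper(ORIGINAL_SCRIPT)
    plain = plain_checksum(ORIGINAL_SCRIPT)
    mac = keyed_checksum(ORIGINAL_SCRIPT, CONSOLE_KEY)
    return {
        # An untouched script passes under either scheme.
        "unkeyed_clean": validate_unkeyed(ORIGINAL_SCRIPT, plain),
        "keyed_clean": validate_keyed(ORIGINAL_SCRIPT, mac, CONSOLE_KEY),
        # An edited script with the console-issued checksum left in place
        # is caught by both schemes.
        "unkeyed_edited": validate_unkeyed(tampered, plain),
        "keyed_edited": validate_keyed(tampered, mac, CONSOLE_KEY),
        # An edited script whose stored checksum was recomputed by the editor
        # (feasible wherever that checksum sits on a world-writable share):
        # the plain digest passes, the keyed MAC still fails without the key.
        "unkeyed_recomputed": validate_unkeyed(tampered, plain_checksum(tampered)),
        "keyed_recomputed": validate_keyed(tampered, plain_checksum(tampered), CONSOLE_KEY),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The practical reading for an administrator is that the "Integrity Failure" path only protects the clients if the checksum cannot be regenerated by whoever can write to MEUPGRD, which is why the keyed variant keeps its secret off the share entirely; the red cross and Installation Log entry the reply mentions remain the signal to watch for in either case.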
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:35 PDT