On Sat, 2 Oct 1999, .rain.forest.puppy. wrote:

> ----[ 1. Scope of problem
>
> Let me start off with the mechanism has been discussed before. In
> light of the recent RASMAN remote registry fiasco, I took a quick check
> and found another similar issue. In all my NT SP5 installs, plus various
> other occasions (installation of Visual Studio 5 or 6, etc), the following
> registry key holds the program to execute as a debugger:
>
> \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> \AeDebug\Debugger
>
> ...as well as a key that indicates whether or not to prompt the user to run
> the debugger on system crash:
>
> \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\auto

Some additional information:

The Security Configuration Manager (SCM) that comes with NT 4.0 SP4 has the aforementioned insecure permissions in the basicdc4, basicsv4, and basicwk4 configuration profiles. The comp4dc profile also contains insecure permissions for this key: the 'Authenticated Users' group has Set Value permissions on this key (permissions for the 'Everyone' group have been removed entirely). All other SCM profiles set semi-secure permissions on this regkey.

Why anyone would need Set Value permission on this key other than Administrators is beyond me. The recommended permissions would be that only the local Administrator group has the Set Value ability.

This vulnerability affects NT 4.0 SP3-SP5, and Win2k RC1.

--
I WAS HALLUCINATING ELVIS
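An audit of the permissions discussed in this thread, as an added example that is not part of the original post or its quoted text: it lists every principal other than Administrators and SYSTEM that holds a write-type right on the AeDebug key, and shows the current Debugger and Auto values. It assumes a Windows host with PowerShell (which postdates the NT versions named above); the trusted-SID list and the function name `Get-AeDebugWriters` are assumptions to adapt to local policy.

```powershell
# Added example: audit write access on the AeDebug key (not from the original post).
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

# Rights that allow changing the Debugger/Auto values or the key's own ACL.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Principals expected to hold write access (assumption; adjust to local policy).
$trustedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

function Get-AeDebugWriters {
    param([string]$Path = $keyPath)

    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Only Allow ACEs that apply to this key itself can grant write access to it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if (([int]$ace.RegistryRights -band [int]$writeRights) -eq 0) { continue }

        # Compare by SID so localized or renamed group names do not matter.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($trustedSids -contains $sid) { continue }

        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Sid      = $sid
            Rights   = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Current debugger command line and auto-launch setting, for review.
Get-ItemProperty -Path $keyPath | Select-Object Debugger, Auto

$writers = @(Get-AeDebugWriters)
if ($writers.Count -eq 0) {
    'OK: only trusted principals can modify AeDebug.'
} else {
    $writers | Format-Table -AutoSize
}
```

Any row that names Everyone, Authenticated Users or another non-administrative group matches the condition described in the post and should have its write rights removed.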
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:35 PDT