NTBugtraq And NTSecurity Archives

Re: Base System Objects Exposure?


James Fang (jfang@MICROSOFT.COM)
Sun, 14 Nov 1999 14:47:10 -0800


Hello Steve,

You may want to look up
http://support.microsoft.com/support/kb/articles/q218/4/73.asp

In short, a Base System Object is a KnownDLL, which you look up via regedit at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

The article explains the possibility of a hack, as you can read/write to
these files. These DLLs aren't locked in memory and can be swapped out,
like all EXEs and DLLs. When they are "swapped" out, they are not munged
into the page-file, but simply turned into memory mapped files. When an
application makes a call to that DLL, the VMM pulls the relevant code from a
known location (file) on the hard-disk.

The fix wasn't implemented until SP#5, so you won't be able to see the key
on pre-sp#5 machines.

As for why it was turned off, I don't know, it may have been a simple
oversight. I haven't seen any documentation stating that "having it on" is
a bad idea.

I hope this helps.

Regards,

James Fang
Microsoft South Pacific Regional Support Centre
jfang@microsoft.com
+61 (2) 9870-2297

 -----Original Message-----
From: Steve Craft (ITS_DDI) [mailto:stephen.craft@MAIL.TJU.EDU]
Sent: Thursday, 11 November 1999 1:37 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Base System Objects Exposure?

According to
http://support.microsoft.com/support/kb/articles/q244/9/95.asp ,
applying a service pack can roll back ProtectionMode from "1" to "0" for
Base System Objects.

1.
  Has anyone seen this actually happen? I could not
  find a "1" on any system I checked. This included
  x86 SP1 and SP3 and SP4 and SP5 systems, one virgin
  AlphaAXP (SP0) NT install and one AlphaAXP SP3.

2.
  What does NT consider Base System Objects? The MSKB
  and the 3rd party docs I could find don't explicitly
  say what they are.

3.
  Are there any documented effects of having/not having a
  "1" in this location? The SP application must
  roll this back for a reason...

Steve Craft
Thomas Jefferson Univ. Hospital - ITS - Desktop Development and Integration
stephen.craft@mail.tju.edu
215-503-2568 Desk Tel.
215-503-3923 Lab Tel.
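The thread raises two separate checks an administrator would want to run: whether ProtectionMode is actually set to 1 on a given box (Steve's question 1), and whether the files behind the KnownDLLs list are writable by anyone other than the system and its administrators (the file-replacement concern James describes). The PowerShell below is an added audit script, not code from either poster or from Microsoft. It assumes that ProtectionMode is a REG_DWORD directly under the Session Manager key (the thread never states its path), that KnownDLLs values are bare file names resolved against the key's DllDirectory value (defaulting to %SystemRoot%\system32), and that the $Trusted list names the only principals that should hold write-class rights on those files; everything else reported is something to look at.

```powershell
# Added audit example (not from the thread). Assumptions, also stated in the lead-in:
#   - ProtectionMode is a REG_DWORD directly under the Session Manager key.
#   - KnownDLLs values are bare file names resolved against DllDirectory
#     (default %SystemRoot%\system32); the DllDirectory* values themselves are skipped.
#   - $Trusted is the set of principals allowed write-class rights on system binaries.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Named rights that let a caller replace, delete or re-ACL the file.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,ChangePermissions,TakeOwnership'
# Some ACEs carry raw generic bits instead of named rights; GENERIC_ALL | GENERIC_WRITE.
$GenericWriteBits = 0x10000000 -bor 0x40000000

function Get-ProtectionMode {
    # Returns the DWORD, or $null when the value is absent (which behaves as 0).
    $v = Get-ItemProperty -Path $SessionManager -Name ProtectionMode -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.ProtectionMode
}

function Get-KnownDllPaths {
    # Enumerates KnownDLLs values and resolves each name to a full path.
    $kd  = Get-ItemProperty -Path "$SessionManager\KnownDLLs"
    $raw = if ($kd.DllDirectory) { $kd.DllDirectory } else { '%SystemRoot%\system32' }
    $dir = [Environment]::ExpandEnvironmentVariables($raw)
    $kd.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { Join-Path -Path $dir -ChildPath $_.Value }
}

function Get-UntrustedWriters {
    # Lists Allow ACEs granting write-class rights to principals outside $Trusted.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @('<file missing>') }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Trusted -notcontains $_.IdentityReference.Value -and
            ((([int]$_.FileSystemRights) -band $WriteMask) -ne 0 -or
             (([int]$_.FileSystemRights) -band $GenericWriteBits) -ne 0)
        } |
        ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }
}

# Report: ProtectionMode first, then one row per KnownDLL.
$pm = Get-ProtectionMode
Write-Output ("ProtectionMode = {0}" -f $(if ($null -eq $pm) { 'absent (acts as 0)' } else { $pm }))

foreach ($dll in Get-KnownDllPaths) {
    $writers = @(Get-UntrustedWriters -Path $dll)
    [pscustomobject]@{
        KnownDll = $dll
        Status   = $(if ($writers.Count -eq 0) { 'ok' } else { 'WRITABLE' })
        Writers  = ($writers -join '; ')
    }
}
```

Run it from an elevated prompt so Get-Acl can read every DACL. On 64-bit Windows there is a sibling KnownDLLs32 key for the WOW64 loader; pointing Get-KnownDllPaths at it with the SysWOW64 directory covers those entries too. Note that ProtectionMode governs the DACLs of base system objects in the object manager namespace, so the file-ACL check is a separate test and is not affected by the value you find in the first line of output.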



This archive was generated by hypermail 2.0b3 on Tue Nov 16 1999 - 14:22:44 CST