From: Schepers, Filip (ISS Brussels) (FSchepersISS.NET)
Date: Fri Apr 06 2001 - 04:36:00 CDT

    I apologise if this has been discussed before and I missed it (Russ, is the
    search engine on ntbugtraq broken or is it me?), anyway, here's my story:

    I was performing a lock-down of a Windows 2000 Advanced Server with Service
    Pack 1 preinstalled, when I found out that the pre-SP1 hotfix, MS00-032
    (Windows 2000 protected store vulnerability, KB article Q260219), appeared
    not to have been installed (psbase.dll version < 5.0.2195.2096), even though
    Microsoft states this hotfix is included in Windows 2000 Service pack 1.

    On the Technet Security website, Microsoft say the following about this
    hotfix: "The patch can be applied atop Windows 2000 Gold, and will be
    included in Windows 2000 Service Pack 1. However, regardless of how the
    patch is applied, keymigrt still must be run one time, to re-encrypt all its
    already in the Protected Store." (sic)

    Microsoft also states in KB article Q269428 that this hotfix was included in
    service pack 1
    (http://support.microsoft.com/support/kb/articles/Q269/4/28.ASP).

    After looking at the "offending" psbase.dll in the pre-SP1 hotfix and SP1,
    it shows that the dll that comes with the pre-SP1 hotfix is _newer_ than the
    dll that comes with the service pack. Also, the bulletin mentions that
    people should run the keymigrt utility that comes with the hotfix to upgrade
    protection of already installed key material to strong crypto. This utility
    is not installed with the service pack.

    Also, it is not possible to install a pre-SP1 hotfix over a SP1 system (at
    least not by simply running the hotfix executable).

    FYI, I investigated 2 SP1 systems: 1 Windows 2000 Professional with the
    strong SP1 applied directly, and a Windows 2000 Advanced Server with weak
    SP1 applied that was upgraded to strong using the strong crypto pack. I
    haven't been able to check a weak SP1 only system, and don't know what
    happens if you would apply the hotfix to a vanilla W2K, and then upgrade it
    to SP1.

    Summary of the details:
    -----------------------
    MS00-032 hotfix: psbase.dll version 5.0.2195.2096, keymigrt.exe utility -
    claims it will be included in SP1
    Win2000 SP1: psbase.dll version 5.0.2195.1600, no keymigrt utility

    Thank you for sharing your esteemed opinion.

    ============================================================================
    ====
    Filip Schepers
    fschepersiss.net
    ============================================================================
    ====
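
The check described in the message above, written as an added example that is not part of the original post: it judges MS00-032 status from the psbase.dll file version and the presence of keymigrt.exe instead of from the reported service pack level. The `Host` record, the host names and the third version number are constructed for illustration; the two psbase.dll versions are the ones quoted in the post.

```python
from dataclasses import dataclass

# psbase.dll version shipped with the MS00-032 hotfix, as reported in the post.
FIXED_PSBASE = "5.0.2195.2096"


def parse_version(text):
    """Convert '5.0.2195.1600' to (5, 0, 2195, 1600) so fields compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Host:
    name: str
    service_pack: int      # reported service pack level
    psbase_version: str    # file version read from psbase.dll
    has_keymigrt: bool     # keymigrt.exe found on the system


def ms00_032_findings(host):
    """Judge MS00-032 status from file evidence, ignoring the reported SP level."""
    findings = []
    if parse_version(host.psbase_version) < parse_version(FIXED_PSBASE):
        findings.append(f"psbase.dll {host.psbase_version} < {FIXED_PSBASE}")
    if not host.has_keymigrt:
        findings.append("keymigrt.exe not found")
    return findings


# Constructed inventory: the first two rows use the versions quoted in the post,
# the third uses an invented version to show why string comparison is unsafe.
INVENTORY = [
    Host("sp1-system", 1, "5.0.2195.1600", False),
    Host("gold-plus-hotfix", 0, "5.0.2195.2096", True),
    Host("constructed-old-build", 1, "5.0.2195.996", True),
]


def audit(hosts):
    """Return {host name: findings} for every host with at least one finding."""
    results = {h.name: ms00_032_findings(h) for h in hosts}
    return {name: f for name, f in results.items() if f}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(findings)}")
```

Comparing the versions as plain strings would rank the constructed `5.0.2195.996` above `5.0.2195.2096`, which is why each field is parsed as an integer first.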