From: brett@TECHMESA.COM
Date: Fri Aug 03 2001 - 19:11:35 CDT


    If you use those permissions it will break FrontPage and possibly other
    IIS components including, potentially, IIS logging to the default
    locations.
    -brett Hill

    > -----Original Message-----
    > From: Microsoft Security Response Center
    > [mailto:secure@MICROSOFT.COM]
    > Sent: Friday, August 03, 2001 11:45 AM
    > To: win2ksecadvice@LISTSERV.NTSECURITY.NET
    > Subject: Re: A damaging local DoS in WinNT SP6a
    >
    >
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > Hi All -
    >
    > I'd like to provide a bit more information about the issue
    > discussed below. The NT4ALL program actually has little to
    > do with the situation the advisory reports. In order to run,
    > NT4ALL requires that the user have full permissions to the
    > WINNT\system32 directory.
    > Apparently, in the course of running, it corrupts a system
    > file, and this results in users being unable to subsequently
    > log onto the machine.
    >
    > The real problem here is not the NT4ALL program, but rather
    > the fact that unprivileged users are able to log onto the
    > machine and write to the WINNT\system32 directory. Clearly,
    > if an attacker has full control over the directory in which
    > system files are kept, he could render the machine inoperable
    > simply by erasing the system files.
    > This is why we recommend tightening the permissions on the
    > \WINNT\system32 directory in Windows NT 4.0. (The default
    > permissions in Windows 2000 are much stronger and don't
    > require tightening). Specifically, we recommend that \WINNT
    > and all children be set to:
    > Administrators: Full control
    > System: Full control
    > Everyone: Read, with Administrators
    >
    > A good reference for securing Windows NT 4.0 machines is
    > "Microsoft Windows NT 4.0 Security, Audit, and Control", ISBN
    > 1-57231-818-x, published by Microsoft Press. Regards,
    >
    > Scott Culp
    > Security Program Manager
    > Microsoft Security Response Center
    >
    > - -----Original Message-----
    > From: Steve [mailto:steve@SECURESOLUTIONS.ORG]
    > Sent: Friday, August 03, 2001 8:04 AM
    > To: win2ksecadvice@LISTSERV.NTSECURITY.NET
    > Subject: A damaging local DoS in WinNT SP6a
    >
    >
    > The attached advisory can also be found at:
    > http://hypoclear.cjb.net/hypo_nt_dos.txt
    >
    > - ---
    >
    > [[:hypoclear security advisory:]]
    >
    >
    > Vendor : Microsoft | http://www.microsoft.com
    > Product : Windows NT SP6a (and lower?)
    > Category : Local DoS
    > Date : 08-03-01
    >
    >
    > CONTENTS
    > 1. Overview
    > 2. Details
    > 3. Exploit
    > 4. Possible Solution
    > 5. Vendor Response
    > 6. Credits
    > 7. Contact
    > 8. Disclaimer
    >
    >
    > 1. Overview:
    >
    > Windows NT SP6a is subject to a local Denial of Service (DoS)
    > attack upon running "NT4ALL". This particular vulnerability
    > has the potential to permanently damage the
    > workstation/server, because no users are able to "log on" to
    > the computer after NT4ALL is run.
    >
    >
    >
    > 2. Details:
    >
    > NT4ALL is a program written by 9 (nine1001@yahoo.com) and was
    > originally an exploit against Windows NT SP4. Its goal is to
    > "Let all the users logon into the NT machine with any
    > password they type from the local NT machine or from other
    > computers in the same domain." It has been available
    > publicly for a few years.
    >
    > When running NT4ALL the user (with write access to
    > /winnt/system32) can either put the computer into NT4ALL's
    > "SPECIAL" or "NORMAL" mode. Putting a Windows NT machine
    > running SP6a into SPECIAL mode and rebooting causes the
    > machine to not allow anyone (including Administrators)
    > access to the computer.
    >
    > No logins are allowed because the NT system service
    > "lsass.exe" crashes every time the machine is rebooted and the
    > login window pops up.
    >
    > After attempting to repair the computer with the WindowsNT
    > cd-rom the machine would allow logins, however the machine
    > ran EXTREMELY slow.
    > All available CPU ticks were being consumed by "SERVICES.EXE"
    > and "lsass.exe".
    >
    > NOTE: ***If testing this vulnerability it is highly
    > recommended that you backup all your data or test on an
    > unused machine. In all my tests after running NT4ALL the
    > computer will be virtually useless!***
    >
    > This vulnerability has the potential to be very harmful,
    > because NT4ALL can run quite invisibly, and if the payload is
    > attached to a self-replicating email (like many macro
    > viruses), it could render a mass of workstations useless.
    >
    > Here are links to download NT4ALL from Packet Storm Security:
    > Newer version of NT4ALL:
    > http://packetstormsecurity.org/NT/hack/nt4all-101.zip
    >
    > Original version of NT4ALL:
    > http://packetstormsecurity.org/NT/hack/nt4all.zip
    >
    > (All tests were done with the original version of NT4ALL)
    >
    >
    >
    > 3. Exploit
    >
    > Run NT4ALL once (should put the machine in SPECIAL mode).
    > Note: You can run NT4ALL with the /t option to verify that
    > SPECIAL mode is on. Reboot. The computer will no longer allow
    > ANYONE (including administrators) to log in. The problem does
    > not seem to be reversed no matter how many reboots are attempted.
    >
    > If attempting to repair the OS with the Windows NT cdrom, the
    > computer will allow for logins, but run VERY slow. (All CPU
    > ticks are taken by SERVICES.EXE and lsass.exe).
    >
    >
    >
    > 4. Possible Solution
    >
    > Disable write access to the winnt/system32/ directory for all
    > users except the Administrator, until a vendor solution is provided.
    >
    >
    >
    > 5. Vendor Response
    >
    > 07-19-01: Problem sent to the Microsoft Security Response
    > Center (MSRC), security@microsoft.com
    > They responded to the problem within a few hours.
    >
    > 07-23-01: After a few days of communication with MSRC they
    > suggested I send the problem to Microsoft
    > Product Support Services (MPSS) because it is more
    > of a stability issue.
    > I sent the issue to MPSS via the URL
    > http://support.microsoft.com/directory/feedback/entry.asp,
    > as suggested by MSRC.
    >
    > 07-30-01: After no response from MPSS I resent the problem
    > and stated that I planned to release an advisory
    > on the problem within the next few days.
    >
    > 08-03-01: No response has been received from MPSS, so this
    > advisory is being released.
    >
    > An attempt has also been made to contact 9 about the NT4ALL
    > program, after my original discovery, but he (she?) did not respond.
    >
    >
    >
    >
    > 6. Credits
    >
    > Actual credit here goes to 9, because he (she?) wrote the
    > NT4ALL program. All I did was be stupid enough to run it and
    > screw up one of my systems ;-)
    >
    >
    >
    > 7. Contact
    >
    > Advisory written by hypoclear.
    > email : hypoclear@jungle.net
    > home page : http://hypoclear.cjb.net
    >
    >
    >
    > 8. Disclaimer
    >
    > This advisory remains the property of hypoclear.
    > This advisory can be freely distributed in any form.
    > If this advisory is distributed it must remain in its
    > entirety. Hypoclear is not responsible for any use/misuse of
    > this advisory.
    >
    > This and all of hypoclear's releases fall under his
    > disclaimer, which can be found at:
    > http://hypoclear.cjb.net/hypodisclaim.txt
    >
    >
    > _____________________________________________________________________
    > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    > SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
    >
    >

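An added audit check, not part of the thread, for the permission state the advisory and the MSRC reply describe: it lists ACL entries on the local system32 directory that grant write-type rights to any principal other than Administrators and SYSTEM (TrustedInstaller is also treated as expected for current Windows versions; that and the path are assumptions). It only reports; it changes nothing.

```powershell
# Added audit example (not from the thread): report ACL entries on the
# system32 directory that grant write-type rights to principals other
# than the ones the MSRC reply says should hold Full Control.
param(
    # Assumption: audit the local machine's own system32 directory.
    [string]$Path = (Join-Path $env:SystemRoot 'system32')
)

# Rights that let a caller create, alter or remove files in the directory.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete

# Principals expected to hold write access (TrustedInstaller assumed for
# current Windows versions; NT 4.0 had only Administrators and SYSTEM).
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
             'NT SERVICE\TrustedInstaller')

$acl = Get-Acl -Path $Path
$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries matter; a Deny entry does not grant anything.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Skip entries whose rights contain no write-type bit.
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Principals outside the expected set can write to $Path"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No write access to $Path beyond: $($trusted -join ', ')"
}
```

Any entry it lists is the condition the advisory relies on; as Brett Hill's reply notes, removing such entries needs to be checked against FrontPage, IIS logging and similar components before it is applied.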