From: Ken Pfeil (Ken INFOSEC101.ORG)
Date: Sat Aug 04 2001 - 09:12:18 CDT
The only pseudo-valid scenario that comes to mind would be (are you ready
for this?): Letting users login to Terminal Server running on a PDC with no
ACL'ing done. Certain planets would also have to be in alignment with a full
moon, high tide and a dead chicken waved over it. YMMV, batteries not
included. Oh, sorry. Back to the real world... I drifted for a moment.
In the scenario you described below:
If IUSR_MACHINENAME has write access to system32, you've got bigger problems
than NT4ALL. Especially if you are able to upload code and have it executed
within the context of an interactive logon (This code does not work
remotely). If I were able to upload netcat and then a trojan program, I
could do unspeakable things to the system, much worse than blowing out the
SAM of an IIS box. How many users do you normally create local accounts for
on a webserver? Not many, I would hope. You should be able to fit the repair
info on one floppy in most cases. A corrupt SAM is indeed very fixable. Ever
heard of Rdisk? Regback and a clean backup also come in handy ;-)
This is what I found most comical of all about this "advisory"
"4. Possible Solution
Disable write access to the winnt/system32/ directory for all users
except the Administrator, until a vendor solution is provided."
ACLs should be applied REGARDLESS. You don't need a vendor solution for
common sense. Since we're nitpicking, if I followed this exact approach, the
system would not boot. Ever hear of the SYSTEM account? I'm pretty sure a
little bird told me once that it needs access also.
Stay tuned for an important "advisory" from my nine-year-old daughter. She's
discovered the packetstorm and technotronic archives. It seems that there's
a virtual boat-load of code up there that doesn't play well with NT.
Quick question: If I hide the keys to my wife's car, does that mean it's a
Denial of Service? Just wondering...
> -----Original Message-----
> From: Jopasc [mailto:Jopasc BARRYSWORLD.COM]
> Sent: Friday, August 03, 2001 1:26 PM
> To: win2ksecadvice LISTSERV.NTSECURITY.NET
> Subject: Re: A damaging local DoS in WinNT SP6a
>
>
> The advisory is regarding a DoS.....
>
> Using other exploits, such as unicode etc, an attacker could upload this
> tool to a machine and run it thus forcing the owner of the site to rebuild
> the box from scratch or restore from a backup.
>
> Therefore the advisory is valid. Using another exploit to delete needed
> NT4 boot files would have a similar effect except those files can be replaced
> using a DOS / NTFS boot disk depending on the setup. A corrupt SAM is
> normally unfixable...
>
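The practical point buried in the exchange above is that the advisory's "remove write access for everyone but Administrator" fix is wrong on two counts: SYSTEM (and on current Windows, TrustedInstaller) must keep write access to system32 or the box stops booting and patching, and the real problem is a web anonymous account (IUSR_MACHINENAME) holding write rights there at all. The following is an added example, not code from either poster or from the advisory: it audits the ACEs on %SystemRoot%\system32, marks the identities that must keep write access, and flags the web/anonymous principals whose write ACEs should be removed. It is written for modern PowerShell (NT4 would do the same job with cacls); the list of "required" identities and the IUSR name patterns are assumptions for illustration, and remediation is left commented out so the script only reports.

```powershell
# Added example, not from the original thread.
# Audit write access on %SystemRoot%\system32 and classify each Allow ACE:
#   required -> the OS itself needs it (SYSTEM, Administrators, TrustedInstaller, CREATOR OWNER)
#   REMOVE   -> anonymous/web principals that should never be able to write here
#   review   -> anything else; decide case by case
# The identity lists below are assumptions chosen for illustration.
$dir = Join-Path $env:SystemRoot 'system32'
$acl = Get-Acl -Path $dir

$required = @('NT AUTHORITY\SYSTEM',
              'BUILTIN\Administrators',
              'NT SERVICE\TrustedInstaller',
              'CREATOR OWNER')

# Assumed patterns for the IIS anonymous account: NT4/IIS5 style IUSR_<machine>,
# the IIS7+ built-in NT AUTHORITY\IUSR, plus the catch-alls Everyone and Users.
$shouldNotWrite = @('*\IUSR_*', 'NT AUTHORITY\IUSR', 'Everyone', 'BUILTIN\Users')

# Any of these bits in an Allow ACE lets the principal create or replace files.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$report = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($ace.FileSystemRights -band $writeBits)) { continue }

    $id = $ace.IdentityReference.Value
    $verdict = 'review'
    if ($required -contains $id) { $verdict = 'required' }
    elseif ($shouldNotWrite | Where-Object { $id -like $_ }) { $verdict = 'REMOVE' }

    [pscustomobject]@{
        Identity  = $id
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        Verdict   = $verdict
    }
}

$report | Sort-Object Verdict, Identity | Format-Table -AutoSize

# Remediation (deliberately commented out; run only after reading the report).
# Removes just the offending ACEs and leaves SYSTEM/Administrators/TrustedInstaller intact,
# which is the part the advisory's blanket "everyone except Administrator" advice got wrong.
# foreach ($ace in $acl.Access) {
#     $id = $ace.IdentityReference.Value
#     if ($ace.AccessControlType -eq 'Allow' -and ($ace.FileSystemRights -band $writeBits) -and
#         -not $ace.IsInherited -and ($shouldNotWrite | Where-Object { $id -like $_ })) {
#         [void]$acl.RemoveAccessRule($ace)
#     }
# }
# Set-Acl -Path $dir -AclObject $acl
```

Run it from an elevated prompt; reading the ACL works as a normal user, but Set-Acl on system32 does not. Inherited ACEs cannot be removed from the directory itself, which is why the remediation skips them: if a REMOVE verdict shows Inherited = True, the bad ACE was granted higher up (typically on %SystemRoot% or the volume root) and must be fixed there. On an NT4 box the equivalent check is `cacls %SystemRoot%\system32`, and the fix is `cacls %SystemRoot%\system32 /E /R IUSR_MACHINENAME`, which edits that one entry instead of rewriting the whole ACL.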