List:       bugtraq
Subject:    Re: Microsoft Security Bulletin (MS99-051) (fwd)
From:       David LeBlanc <dleblanc () MINDSPRING ! COM>
Date:       1999-11-30 17:55:14

At 10:09 PM 11/29/99 -0500, Jim Knoble wrote:

>: This vulnerability would primarily affect machines that allow normal users
>: to interactively log onto them. The patch eliminates this vulnerability by
>: digitally signing all AT jobs at creation time, and verifying the signature
>: at execution time.

>Is this really a solution to the problem?  It seems to me that the
>actual problem is this part

>    if a malicious user had change access to an existing file owned by
>    an administrator (it would not need to be an AT job), he or she
>    could modify it to be a valid AT job and place in the appropriate
>    folder for execution[....]

This could happen a lot of different ways.  An admin could have created a
file in the temp directory, and it got left somehow.  Although this
situation isn't ideal, there are lots of scenarios where there will exist
some junk file that isn't being used which admins own, and everyone can
change.  You'll have to do some hunting to find one, as the more important
files won't have change control granted to ordinary users.

>Isn't that true for most files to which a malicious user has `change'
>access?

Shouldn't be the case very often.

>Regardless of that, how does the patch stop malicious users from
>producing AT jobs that have valid signatures and putting them in place?

The signature is based on a unique certificate that is stored in the
private data, and only admins can access the certificate.  So your
requirement to use this method (post-fix) to become admin is to be admin.

[snip problems with getting to FAQ, etc. - I don't know why it isn't
working right]

Hope this answers at least some of your questions.


David LeBlanc
dleblanc@mindspring.com
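
Added example, not part of the original message and not Microsoft's patch code: a sketch of the sign-at-creation, verify-at-execution check discussed above, showing why a file written without access to the admin-only secret is refused. It assumes an HMAC-SHA256 key as a stand-in for the certificate; the job contents and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: an HMAC key stands in for the admin-only certificate the post
# describes; the real patch's signature format is not given on the page.
ADMIN_ONLY_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size


def sign_job(job_body: bytes, key: bytes) -> bytes:
    """Creation time: the scheduler (which can read the key) appends a tag."""
    tag = hmac.new(key, job_body, hashlib.sha256).digest()
    return job_body + tag


def verify_job(stored: bytes, key: bytes) -> bool:
    """Execution time: recompute the tag and refuse to run on any mismatch."""
    if len(stored) <= TAG_LEN:  # too short to carry a body and a tag
        return False
    body, tag = stored[:-TAG_LEN], stored[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def run_if_valid(stored: bytes, key: bytes) -> str:
    """Return the scheduler's decision for one file found in the job folder."""
    return "run" if verify_job(stored, key) else "reject"


def demo() -> dict:
    # Constructed sample job, not a real AT job file layout.
    legit = sign_job(b"cmd=backup.cmd;when=02:00", ADMIN_ONLY_KEY)
    # File rewritten by someone with change access but no key: body altered,
    # old tag left in place.
    tampered = b"cmd=other.cmd;when=02:00" + legit[-TAG_LEN:]
    # File dropped in with a tag computed from a key the writer made up.
    forged = sign_job(b"cmd=other.cmd;when=02:00", secrets.token_bytes(32))
    return {
        "legit": run_if_valid(legit, ADMIN_ONLY_KEY),
        "tampered": run_if_valid(tampered, ADMIN_ONLY_KEY),
        "forged": run_if_valid(forged, ADMIN_ONLY_KEY),
        "unsigned": run_if_valid(b"cmd=other.cmd", ADMIN_ONLY_KEY),
    }


if __name__ == "__main__":
    print(demo())
```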
