Bugtraq mailing list archives
Re: Microsoft Security Bulletin (MS99-051) (fwd)
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Sat, 4 Dec 1999 13:42:36 -0800
At 08:17 PM 12/1/99 -0800, Kris Kennaway wrote:
On Tue, 30 Nov 1999, David LeBlanc wrote:
Regardless of that, how does the patch stop malicious users from producing AT jobs that have valid signatures and putting them in place?
The signature is based on a unique certificate that is stored in the private data, and only admins can access the certificate. So your requirement to use this method (post-fix) to become admin is to be admin.
Replay attack? I read the patch description as saying that it stores a signature in the file containing the AT job, which is verified at execution time. If you can read the job file as another user, you may be able to resubmit the same job multiple times, if the signature doesn't include data which is instance-specific (e.g. the job ID).
Here's what I was told:

"The ACL on an At job file denies read access to non-admins. This prevents non-admins from copying a signed At job into another admin-owned file."

BTW, job ID wouldn't be sufficient - those numbers do get reused.

If anyone else sees a problem with the current way it works, send mail to secure () microsoft com and/or to me - I'll do my best to follow up. Thanks for pointing this out - though it seems painfully obvious now, I hadn't thought of it on my own.

David LeBlanc
dleblanc () mindspring com
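
The replay concern discussed in this message, as an added example that is not part of the original post and is not Microsoft's implementation: a toy scheduler that verifies a signature at execution time, comparing what happens when the signature covers only the command, the command plus job ID, or the command plus a per-instance nonce that is consumed on use. The HMAC key (standing in for the admin-only certificate), the `Scheduler` class, the sample job and the assumption that a job record can be copied at all (which the ACL described above is meant to prevent) are all constructed for illustration.

```python
import hashlib, hmac, os

KEY = os.urandom(32)  # assumption: stand-in for the admin-only signing secret

def sign(*fields):
    # Length-prefix every field so boundaries between fields are unambiguous.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(KEY, msg, hashlib.sha256).digest()

class Scheduler:
    """Toy job store. mode = what the signature covers besides the command."""
    def __init__(self, mode):
        self.mode, self.jobs, self.used = mode, {}, set()

    def _covered(self, job_id, command, nonce):
        extra = {"command": b"", "job_id": str(job_id).encode(), "nonce": nonce}
        return extra[self.mode], command

    def submit(self, job_id, command):
        # Privileged path: only the scheduler can produce a signature.
        nonce = os.urandom(16)
        record = (command, nonce, sign(*self._covered(job_id, command, nonce)))
        self.jobs[job_id] = record
        return record

    def run(self, job_id):
        # Verify at execution time, then free the slot so the ID can be reused.
        command, nonce, sig = self.jobs.pop(job_id)
        ok = hmac.compare_digest(sig, sign(*self._covered(job_id, command, nonce)))
        if ok and self.mode == "nonce":
            ok = nonce not in self.used   # simplification: one run per signed instance
            self.used.add(nonce)
        return ok

def replay_accepted(mode, reuse_id):
    """Re-insert a copied record after the original ran; is it accepted?"""
    s = Scheduler(mode)
    copied = s.submit(1, b"backup.cmd")   # constructed sample job
    assert s.run(1)                       # the legitimate run verifies
    slot = 1 if reuse_id else 2
    s.jobs[slot] = copied                 # models a readable job file being copied
    return s.run(slot)
```

Binding the job ID only rejects the copy while that ID is not reused, which is the limitation noted in the message; the nonce variant rejects it in both cases.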