Bugtraq mailing list archives

mistake in "Antidote for RFPoison" (fwd)


From: rfp () WIRETRIP NET (.rain.forest.puppy.)
Date: Sat, 6 Nov 1999 10:38:30 -0600


Ok, in pure RFP style, I borked *another* release.

The only total freakin' idiot around here is me.

Luckily, I now have technical peer review for my advisories....that should
stop this from happening.

Humbly a dork,
.r.f.p.

---------- Forwarded message ----------
Date: Fri, 05 Nov 1999 23:37:14 PST
From: mike borkin <mikeborkin () hotmail com>
To: rfp () wiretrip net
Subject: mistake in "Antidote for RFPoison"

Rain Forest Puppy,

  You have no idea how weird it is to actually address this to "Rain Forest
Puppy" but after reading your diatribe on Bugtraq about being called Russ, I
ain't messing with it :-)  Anyways, I read your Antidote for RFPoison and
was implementing David LeBlanc's suggestion for a fix when I noticed an
error in the name of the key.  It should be:

\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

rather than:

\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Current\Lsa

  Since you state that if you don't have the DWORD key named 'restrict
anonymous' you must create it, this could actually confuse someone into
creating two new keys, "Current" and "Lsa" before adding the 'restrict
anonymous' DWORD and value and thus give you no security.

  Before you say that only a total freakin' idiot who has no clue what he is
doing would make this mistake, understand that there are total freakin'
idiots like myself who do stupid things like that even though it doesn't
seem right.  Of course, every once in a while we double check and find an
understandable mistake and get to report it to people who know what they are
doing.

  I hope I am not duplicating what others are sending you about this, and
thanks for all your work in finding these vulnerabilities.

Mike
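
A read-only check for the mix-up described in this thread, added here as an example and not taken from the advisory or from either poster. It assumes the value is spelled `RestrictAnonymous` in the registry; the thread does not state the value data, so the script reports it without judging it.

```powershell
# Confirm the value sits under Control\Lsa and flag a Current\Lsa key that may
# have been created by following the mistyped path. Nothing is modified.
$base      = 'HKLM:\System\CurrentControlSet'
$correct   = Join-Path $base 'Control\Lsa'   # path given in the correction
$mistyped  = Join-Path $base 'Current\Lsa'   # path as originally published
$valueName = 'RestrictAnonymous'             # assumed registry spelling of 'restrict anonymous'

function Get-LsaValueState {
    param([string]$KeyPath, [string]$Name)
    $state = [ordered]@{
        Key = $KeyPath; KeyExists = $false; ValuePresent = $false
        Kind = $null; Data = $null
    }
    if (Test-Path -LiteralPath $KeyPath) {
        $state.KeyExists = $true
        $key = Get-Item -LiteralPath $KeyPath
        # -contains is case-insensitive, matching registry value-name semantics
        if ($key.GetValueNames() -contains $Name) {
            $state.ValuePresent = $true
            $state.Kind = $key.GetValueKind($Name)
            $state.Data = $key.GetValue($Name)
        }
    }
    [pscustomobject]$state
}

$good = Get-LsaValueState -KeyPath $correct  -Name $valueName
$bad  = Get-LsaValueState -KeyPath $mistyped -Name $valueName
$good, $bad | Format-Table -AutoSize

if (-not $good.ValuePresent) {
    Write-Warning "$valueName is not set under $correct."
} elseif ($good.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
    Write-Warning "$valueName under $correct is $($good.Kind), not a DWORD."
}
if ($bad.KeyExists) {
    Write-Warning "Key $mistyped exists; a value placed there gives no protection."
}
```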
