Bugtraq mailing list archives
Re: RFP9903: AeDebug vulnerability
From: matt () USE NET (Matt)
Date: Mon, 4 Oct 1999 12:46:48 -0700
On Sat, 2 Oct 1999, .rain.forest.puppy. wrote:
> ----[ 1. Scope of problem
>
> Let me start off with the mechanism has been discussed before. In light of
> the recent RASMAN remote registry fiasco, I took a quick check and found
> another similar issue.
>
> In all my NT SP5 installs, plus various other occasions (installation of
> Visual Studio 5 or 6, etc), the following registry key holds the program to
> execute as a debugger:
>
> \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
>
> ...as well as a key that indicates whether or not to prompt the user to run
> the debugger on system crash:
>
> \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\auto
Some additional information:

The Security Configuration Manager (SCM) that comes with NT 4.0 SP4 has the aforementioned insecure permissions in the basicdc4, basicsv4, and basicwk4 configuration profiles. The comp4dc profile also contains insecure permissions for this key: the 'Authenticated Users' group has Set Value permissions on this key (permissions for the 'Everyone' group have been removed entirely). All other SCM profiles set semi-secure permissions on this regkey.

Why anyone would need Set Value permission on this key other than Administrators is beyond me. The recommended permissions would be that only the local Administrator group has the Set Value ability.

This vulnerability affects NT 4.0 SP3-SP5, and Win2k RC1.

--
I WAS HALLUCINATING ELVIS
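A read-only check of the permissions discussed in this message, added here as an example and not part of the original post: it lists every principal other than Administrators and SYSTEM holding an effective allow ACE with Set Value on the AeDebug key. It also flags ChangePermissions and TakeOwnership, which goes beyond the post; treating SYSTEM as trusted and the function name `Get-AeDebugWriteFindings` are assumptions.

```powershell
# Added example: audit who can modify the AeDebug key (read-only, changes nothing).
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

# Assumption: only these principals are expected to hold write access.
$trustedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

# Rights that let a principal change the Debugger/Auto values directly (SetValue)
# or after rewriting the ACL (ChangePermissions, TakeOwnership).
$rights = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]$rights::SetValue -bor [int]$rights::ChangePermissions -bor [int]$rights::TakeOwnership

function Get-AeDebugWriteFindings {
    param([string]$Path = $keyPath)

    $acl = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Ask for explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to subkeys, not to this key itself.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        $granted = [int]$rule.RegistryRights -band $writeMask
        if ($granted -eq 0) { continue }
        $sid = $rule.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }

        # Resolve the SID to a name for readability; fall back to the raw SID.
        try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Account   = $name
            Sid       = $sid
            Rights    = [System.Security.AccessControl.RegistryRights]$granted
            Inherited = $rule.IsInherited
        }
    }
}

# Show what would run on a crash, then anyone unexpected who could change it.
Get-ItemProperty -Path $keyPath | Select-Object Debugger, Auto | Format-List
$findings = @(Get-AeDebugWriteFindings)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No principal other than Administrators/SYSTEM can modify AeDebug.' }
```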