Re: RFP9903: AeDebug vulnerability

[deuelpm () HERON TC CLARKSON EDU (Pete Deuel)]

At 12:25 AM 10/2/99 -0500, .rain.forest.puppy. wrote:
> > the following
> > registry key holds the program to execute as a debugger:
>
> > \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> >     \AeDebug\Debugger

As a matter of course, I nuke the whole AEDebug key. Try it.
<usual disclaimers apply, YMMV> :)

I started doing this when some programmers on a software development
team at a largely [respected|hated] chip company I used to work for ran
into some walls when their software kept causing Dr. Watsons, even
though their code seemed good. They went up the chain with premium
corporate Microsoft support, at every step "the code looked good."  One
day, a test engineer turned Dr. Watson off (by blanking the AEDebug
keys) and the problem went away. If the problem were anything else,
you'd get a plain vanilla GPF-like error box in place of the Dr. Watson
dialog.

So, now that we're into NT4SP5 some years later, things still just
"seem" better on NT w/o Dr. Watson. I've never experienced any
ill-effects of nuking that key, now I'm glad that I always do. I guess
what goes around comes around: it was bad to leave debugging on in
finger, it is bad to enable debugging in sendmail, so to it is bad to
enable debugging in a production NT server. "Thou shalt not leave a
Debugger going."  :)

That really cuts this whole issue away, right? All this time I was being
more secure and I didn't even know it...

> True, but you have to get something to crash that is running as a
> higher-level user than you are.

Ahem. If I even begin to list the things, I'll never stop.  <g>

Pete

--
"call this number. 1-800-578-7453. It's the customer service line for
 Brown & Williamson (tobacco). I'm not sure what they're smoking..."
-Jon