Re: RFP9903: AeDebug vulnerability

[tsabin () BOS BINDVIEW COM (Todd Sabin)]

David LeBlanc <dleblanc () MINDSPRING COM> writes:
> At 12:25 AM 10/2/99 -0500, .rain.forest.puppy. wrote:
> > the following
> > registry key holds the program to execute as a debugger:
>
> > \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
> >     \AeDebug\Debugger
> [...]
>
> > This means any keys under it, including AeDebug, are
> > accessible remotely, providing the right ACLs on the keys allow so.  Well,
> > just so happens that Everyone has Special Access to Debugger and Auto
> > under AeDebug.  Included in this Special Access is the permission to Set
> > Value.
>
> Nope.  This is NOT default.  There is some strange condition involving
> upgrades from specific versions of NT.  My own workstation had allowed
> users to write to  this key, and it freaked me out and I thought it was a
> big problem.  Several other people checked their machines and found that it
> wasn't, including some clean installs.  I don't know exactly what the ins
> and outs are in terms of what machines will show up with this, and which
> ones won't, but you won't find it on all of them.

I'm pretty sure r.f.p. is correct about the default.  It does allow
Everyone to set values.  I think I remember the thread you're talking
about, and the key which you weren't sure about was
...\CurrentVersion\Image File Execution Options.  The betas of NT4 had
more permissive ACLs on that key than the official release.  AeDebug,
OTOH, does by default give Everyone the SpecialAccess r.f.p. mentioned,
on all version, although I think it's fixed in the NT5 betas.

Todd