Bugtraq mailing list archives

Re: :MSTASK Thread


From: "J. Nickson" <j () RONINSG COM>
Date: Sat, 16 Dec 2000 12:08:30 -0500

MSTASK.EXE is evident on Windows 98 SE Y2K.

From looking at its internals I expect it also shipped on Windows 95 PLUS
(the add on package for Windows 95 that let it work, sort of).  One might
expect it on most Win systems.

That MSTASK is a task scheduler can be verified by opening the
C:\WINDOWS\HELP\MSSTASK.CHD file, or looking at the ASCII inside
C:\WINDOWS\SYSTEM\MSTASK.EXE or MSTASK.DLL.

A task scheduler with a minimum time discrimination of one day is an
awesome thing to consider.  (attempted sarcasm).

In MSTASK.CHD there is a helpful note on how to view and alter scheduled
tasks on (from) remote computers.  This should be very helpful for
administrators, worms and exploiters.  This method relies on the PWL files
for security.

Win 98 seems to work fine without MSTASK.  Slightly less comatose boots, too.

One can move the MSTASK files into a holding area, such as \WINDOWS\GARBAGE
(then compress it, like ZIP, to remove obvious traces from hostile file
searches).  Better still, make a Zip drive of removed garbage, kept for when
Windows crashes next.

That leaves the System Registry.  Whenever I am working with the Windows
Registry I feel as I imagine an FBI Special Agent might feel when they have
to look through a dump for forensic evidence, something like "I went to law
school to go through this garbage?"

I have an advantage: the stink is only metaphorical.

One system had these elements in the Registry:

--------------------------------------------------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-101"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{255b3f60-829e-11cf-8d8b-00aa0060f5bf}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-102"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{255b3f60-829e-11cf-8d8b-00aa0060f5bf}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,0"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-100"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

--------------------------------------------------------------

I expect the data like "@="C:\\ND\\SYSTEM\\mstask.dll,-100"" is a RUNDLL
command.  The MSTASK.DLL seems to be a default memory load.

For *nix types, RUNDLL is a MS method of running a DLL (library) without a
main program.  How to use RUNDLL is web-documented.  e.g.
support.microsoft.com/support/kb/articles/q164/7/87.asp

Seems like a great avenue for exploits particularly if the DLL is memory
resident and requires no file I/O.  The number of DLLs that are memory
resident is awesome, baroque, hairball.

If anyone wants to look in their own registry: REGEDIT and export to
REGSAV.REG then the QBASIC (faster than doing a C task and I don't have a
PERL handy here) is:

  ' Scan a REGEDIT export for every line mentioning "mstask" and write
  ' each hit to regd.txt, preceded by the key header it sits under.
  OPEN "regsav.reg" FOR INPUT AS #1: OPEN "regd.txt" FOR OUTPUT AS #2
  DO WHILE NOT EOF(1)
   LINE INPUT #1, a$: a$ = LCASE$(LTRIM$(a$))       ' normalise case and indent
   IF LEFT$(a$, 1) = "[" THEN lhead$ = a$            ' remember the current key
   IF INSTR(a$, "mstask") THEN
     PRINT #2, : IF a$ <> lhead$ THEN PRINT #2, lhead$   ' blank line, then the key
     PRINT #2, a$
   END IF
  LOOP: CLOSE : END

---

Yeah, well, with MSTASK removed from
  HKEY_LOCAL_MACHINE
   \Software
    \Microsoft
     \Windows
      \CurrentVersion
       \RunServices

The system still seems to run fine.   Comments from a more knowledgeable
registry dumpster diver would be appreciated.

Summary:  Apparently MSTASK may be removed.  Doing so is recommended to
decrease vulnerability on Windows systems.

Apparently MSTASK is a key component for remote administration.  Once an
exploit(er) arrives at a user with admin. rights, the rest of the computers
who allow that user remote admin. would seem to be wide open.  Brute force
attempts to an exposed workstation might bear fruit.

There also would appear to be a non-trivial risk with MSTASK.DLL use by
worms.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jay Nickson, Ronin Software Grp.   www.roninsg.com
West Chesterfield, New Hampshire 603-256-8055
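The QBASIC loop in the post greps the raw export for "mstask"; the RunServices paragraph then asks which autostart entries reference it. The following Python script is an added example, not code from the post or from Ronin Software, that does both from one parsed structure: it reads a REGEDIT4-style .reg export into a key/value map, lists every value whose data mentions a given module, collapses those to the on-disk paths involved (stripping the ",-101" icon-index suffixes), and lists whatever is registered under the Run/RunOnce/RunServices keys. The sample export embedded below is constructed for the example: its keys are taken from the post (trimmed to two CLSIDs), and the "ExampleAgent" RunServices value is made up so the autostart listing has a second entry.

```python
"""Parse a REGEDIT4-style .reg export and report which values reference a module."""
import re
from collections import OrderedDict

# Constructed sample export: keys quoted in the post plus one made-up
# RunServices neighbour ("ExampleAgent") for the autostart listing.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"ExampleAgent"="C:\\WINDOWS\\SYSTEM\\example.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\DefaultIcon]
@="C:\\ND\\SYSTEM\\mstask.dll,-101"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}\InProcServer32]
@="C:\\ND\\SYSTEM\\mstask.dll"
'''

# A value line is either @=data (the key's default value) or "name"=data.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Autostart locations; matched case-insensitively against the end of the key path.
AUTOSTART_SUFFIXES = ('\\run', '\\runonce', '\\runservices', '\\runservicesonce')


def _unescape(s):
    """.reg string data escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return an ordered mapping of key path -> {value name: data (str)}."""
    keys = OrderedDict()
    current = None
    pending = ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if not line or line.startswith(';'):
            continue
        if line.upper().startswith('REGEDIT') or line.startswith('Windows Registry Editor'):
            continue  # file header
        if line.endswith('\\'):
            pending = line[:-1]  # hex(...) data wraps with a trailing backslash
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, OrderedDict())
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = '@' if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # quoted string; hex/dword data stays raw
        keys[current][name] = data
    return keys


def find_module_refs(keys, module):
    """(key, value name, data) triples whose data mentions `module`, case-insensitively."""
    needle = module.lower()
    return [(key, name, data)
            for key, values in keys.items()
            for name, data in values.items()
            if needle in data.lower()]


def referenced_paths(keys, module):
    """Distinct file references behind those hits, with ",-101"-style icon indexes dropped."""
    return sorted({data.split(',', 1)[0] for _, _, data in find_module_refs(keys, module)})


def autostart_entries(keys):
    """Everything registered under Run, RunOnce, RunServices or RunServicesOnce."""
    return [(key, name, data)
            for key, values in keys.items()
            if key.lower().endswith(AUTOSTART_SUFFIXES)
            for name, data in values.items()]


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for key, name, data in find_module_refs(parsed, 'mstask'):
        print('[%s]\n  %s = %s' % (key, name, data))
    print('\nfiles referenced:', referenced_paths(parsed, 'mstask'))
    print('\nautostart entries:')
    for key, name, data in autostart_entries(parsed):
        print('  %s -> %s' % (name, data))
```

To run it against a real export, replace SAMPLE_REG with the contents of the REGEDIT export (open the file with the cp1252 encoding on a Windows 9x-era export). Comparing referenced_paths() with what is actually on disk shows whether the CLSID entries still point at a file that exists after the DLL has been moved out of \WINDOWS\SYSTEM.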

