COMMAND

    COM and DCOM

SYSTEMS AFFECTED

    Win2000

PROBLEM

    Mnemonix found the following.  COM and DCOM are where the  major
    holes in Windows 2000 are going to be found.  Here's an  example
    on Windows 2000 Professional (Beta 3):

        Run regsvr32 /n /i:U shell32.dll

    This registers shell32.dll - but also note that it starts the MS
    Installer service (msiexec.exe).  regsvr32.exe loads msi.dll, and
    msi.dll uses COM to CoCreateInstance() the MSIServer class.   The
    activation request goes via the COM SCM (RPCSS, hosted in
    svchost.exe) to the Windows service controller, services.exe.  On
    the way, the LocalService value of the HKCR\AppID\{000C101...} key
    is read to find the service that hosts MSIServer, the service
    controller navigates to the

        HKLM\SYSTEM\CurrentControlSet\Services\MSIServer

    key and starts that service's image file - msiexec.exe.  Change
    the LocalService value to Spooler, and running

        regsvr32 /n /i:U shell32.dll

    then starts the Spooler service instead.

    Problem 1)

      Power Users have NTFS write permission on spoolsv.exe by default.

    Problem 2)

      Power Users have the Set Value permission on the
      HKCR\AppID\{000C101...} registry key.

    Problem 1 + Problem 2 = Power User to Administrator

    Mnemonix hasn't tested this on Server yet, but one would  imagine
    the same goes for the likes of Backup Operators and Server
    Operators.  He wrote (he wrote 1/10th and the MFC wizard did  the
    rest) an MFC app that edits the registry (changing the MSIServer
    LocalService value to Spooler) and then calls

        COleDispatchDriver cdd;
        cdd.CreateDispatch(_T("{000C101C-0000-0000-C000-000000000046}"));

    which activates the MSIServer class and so starts the Spooler
    service.  Copy cmd.exe over spoolsv.exe, run the program, and you
    are dropped into a Command Prompt with system privileges.
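    An added check, not Mnemonix's code and not part of the original
    advisory: it looks for the two preconditions of the chain above on
    any NT-family host.  It lists every COM AppID whose LocalService
    value an untrusted group can rewrite (Problem 2) and every Win32
    service whose image file such a group can overwrite (Problem 1);
    any key from the first list can be pointed at any service from the
    second.  Assumptions: PowerShell 2.0 or later (which Windows 2000
    never shipped), and the set of groups treated as untrusted is an
    editorial choice.

```powershell
# Added example, not from the original advisory or from Mnemonix.
# Looks for the two preconditions of the chain described above:
#   Problem 2: a COM AppID whose LocalService value can be rewritten by a
#              non-administrative group (Set Value on the AppID key), and
#   Problem 1: a Win32 service whose image file such a group can overwrite.
# Any key from the first list can be pointed at any service from the second.
# Assumptions: PowerShell 2.0+ (not available on Windows 2000 itself); the
# list of groups treated as untrusted is an editorial choice, adjust to taste.

$Untrusted = @('BUILTIN\Power Users', 'BUILTIN\Users', 'Everyone',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Returns the first untrusted identity holding any of $Rights in $Acl, or $null.
function Find-UntrustedWriter {
    param($Acl, [int]$Rights, [string]$RightsProperty)
    if (-not $Acl) { return $null }
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Untrusted -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.$RightsProperty -band $Rights) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

# Turns a raw ImagePath ("C:\x y\svc.exe" -k net, %SystemRoot%\system32\spoolsv.exe)
# into a bare file path that Get-Acl can be run against.
function Get-ImageFile([string]$ImagePath) {
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($p -match '^"([^"]+)"')        { return $Matches[1] }
    if ($p -match '^(.+?\.exe)(\s|$)')  { return $Matches[1] }
    return $p
}

# Problem 2 candidates: AppIDs served by a LocalService whose key is writable.
$setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
$weakAppIds = @()
foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue) {
    $svc = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).LocalService
    if (-not $svc) { continue }
    $acl = Get-Acl $key.PSPath -ErrorAction SilentlyContinue
    $who = Find-UntrustedWriter $acl $setValue 'RegistryRights'
    if ($who) {
        $weakAppIds += New-Object PSObject -Property @{
            AppID = $key.PSChildName; LocalService = $svc; WritableBy = $who }
    }
}

# Problem 1 candidates: Win32 services (Type 0x10 / 0x20, not drivers) whose
# image file an untrusted group can write to.
$write = [int][System.Security.AccessControl.FileSystemRights]::Write
$weakImages = @()
foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath -or ($props.Type -ne 16 -and $props.Type -ne 32)) { continue }
    $file = Get-ImageFile $props.ImagePath
    if (-not (Test-Path -LiteralPath $file)) { continue }
    $acl = Get-Acl -LiteralPath $file -ErrorAction SilentlyContinue
    $who = Find-UntrustedWriter $acl $write 'FileSystemRights'
    if ($who) {
        $weakImages += New-Object PSObject -Property @{
            Service = $key.PSChildName; Image = $file; WritableBy = $who }
    }
}

"AppID keys whose LocalService an untrusted group can rewrite (Problem 2):"
$weakAppIds | Format-Table AppID, LocalService, WritableBy -AutoSize
"Service images an untrusted group can overwrite (Problem 1):"
$weakImages | Format-Table Service, Image, WritableBy -AutoSize
if ($weakAppIds.Count -gt 0 -and $weakImages.Count -gt 0) {
    Write-Warning "Both halves present: any AppID above can be pointed at any image above."
}
```

    Run it from an elevated prompt so every AppID key and image file
    can be read; a key or file the caller cannot read is skipped, not
    reported, so an empty list from a low-privilege shell proves
    nothing.  The two lists are reported separately on purpose: the
    AppID that gets rewritten (MSIServer above) and the service whose
    image is replaced (Spooler above) need not be the same service.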

    Talking about copying cmd.exe over spoolsv.exe - Windows File
    Protection doesn't like it.  It pops up a window and tells you to
    put the original back.  Humour the pop-up and click OK - see
    spoolsv.exe?  That's your cmd.exe disguised as spoolsv.exe; right
    click on it and click Open, and winlogon.exe opens it for you -
    just not on your desktop.  But who cares - simply overwrite
    spoolsv.exe with a program that does the dirty work for you.  If
    anyone wants a copy, mail Mnemonix.

    Anyway - what about the telnet service and COM?  Well, that's
    another story.  A few other things to be fixed before the Final
    Product comes out:

        Buffer overrun in regsvr32.exe:
        run regsvr32 /n /i:U AAAAAAAAAAlots of AAAAAAs

    Wouldn't like to have that in an INF file.  There's also a buffer
    overrun in wscript.exe.  And should a non-power user be able to
    add another user account using the net user command?

    Clicking on Start -> Run: Explorer looks in the root of the drive
    (e.g. C:\) for the exe or app for any command run from here before
    checking the %systemroot% or %systemroot%\system32 directory.  Not
    good for trojans.

SOLUTION

    Nothing yet (it's beta3 - don't forget that).