COMMAND
DCOM
SYSTEMS AFFECTED
WinNT 4
PROBLEM
Mnemonix found the following. By combining two problems it is
relatively easy for a local user to gain administrative rights
on a Windows NT 4 Server or Workstation, though the situation is
easily rectified.
1) The default permissions on Windows NT allow the Interactive
User, that is, the user currently logged on, to modify the way a
DCOM server is run. In practice this means they can modify the
subkeys under the HKCR\AppID registry key, where the information
on how these servers should be run is stored. To take an example
present on the majority of machines, consider Wordpad. Wordpad
is a registered DCOM server. By navigating to the
HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}
registry key, adding a new value named "LocalService" and
supplying the name of a system service as its data, a normal user
will be able to start a service of their choosing.
2) After an administrator installs certain software, new system
services may be registered but not necessarily started
automatically. Added to this, the NTFS rights on the service's
image file may be lax. Consider an install of Internet
Explorer 5. A system service, the System Event Notification
Service or SENS, is registered under the
HKLM\CurrentControlSet\Services
registry key but is not started. The default NTFS rights allow
Everyone to overwrite its image file.
Overwriting a service's image file with an "exploit" and getting
it to run as SYSTEM is hardly brain surgery, at least as far as
using it to leverage more access to the system is concerned. The
problem lies in getting the service to run: a normal user just
can't open the Services Control Panel applet and start a service.
Enter DCOM, stage right. Using a simple VBScript in an HTML
document, such as
<SCRIPT LANGUAGE="VBScript">
CreateObject("Wordpad.Document.1")
</SCRIPT>
opening the document causes the browser to request that the COM
Service Control Manager (RPCSS.EXE) start the server so it can
create an instance of the Wordpad.Document.1 class. RPCSS looks
at the
HKCR\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}
key and decides how to start it. Going back to 1) above, let's
assume we supplied "SENS" as the data for the LocalService value
we added. RPCSS will go ahead and start the SENS service, because
the default launch permissions allow the Interactive User to do
so. All it takes for an NT system to be vulnerable is for one of
the HKCR\AppID registry keys to have the default permissions and
for a normal user to be able to overwrite one .exe or .dll used
by a system service that is not started.
SOLUTION
Needless to say, tightening the permissions on the relevant
registry keys (the HKCR\AppID subkeys) and on the service image
files will resolve this problem.
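An added audit check, not part of Mnemonix's advisory: given an export of HKCR\AppID, a service-name-to-ImagePath mapping, and cacls output for the image files, it reports every AppID whose LocalService value names a service whose image file Everyone can overwrite, which is the combination of 1) and 2) above. All sample data is constructed; the cacls line format and the ImagePath mapping are assumed to have been collected separately.

```python
# All sample data is constructed; the first AppID is Wordpad's, from the advisory.
APPID_EXPORT = r"""
[HKEY_CLASSES_ROOT\AppID\{73FDDC80-AEA9-101A-98A7-00AA00374959}]
"LocalService"="SENS"
[HKEY_CLASSES_ROOT\AppID\{00000000-0000-0000-0000-000000000001}]
"LocalService"="Schedule"
"""
# Service name -> ImagePath, assumed read from HKLM\...\Services\<name>.
SERVICE_IMAGES = {"SENS": r"C:\WINNT\system32\sens.exe", "Schedule": r"C:\WINNT\system32\mstask.exe"}
# "cacls <file>" style output; ACEs after the first are on indented lines.
CACLS_OUTPUT = r"""
C:\WINNT\system32\sens.exe Everyone:F
C:\WINNT\system32\mstask.exe BUILTIN\Administrators:F
                             Everyone:R
"""
WRITE_RIGHTS = {"F", "C", "W"}  # cacls: Full, Change, Write

def parse_appid_export(text):
    # Return {key: {value_name: data}} from a .reg style export.
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current, keys[current] = line[1:-1], {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def parse_cacls(text):
    # Return {path: [ace, ...]}; an ACE looks like "Everyone:F".
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith(" "):  # continuation ACE for the same file
            acls[current].append(line.strip())
        elif line.strip():
            current, ace = line.rsplit(" ", 1)
            acls[current] = [ace]
    return acls

def everyone_can_write(aces):
    # True if any ACE grants Everyone a right that permits overwriting.
    return any(p.lower() == "everyone" and r.upper() in WRITE_RIGHTS
               for p, _, r in (ace.rpartition(":") for ace in aces))

def find_launchable_writable_services(appid_export, service_images, cacls_output):
    # (appid_key, service, image) for each LocalService naming a service whose
    # image file Everyone may overwrite: both halves of the advisory's chain.
    acls, findings = parse_cacls(cacls_output), []
    for key, values in parse_appid_export(appid_export).items():
        image = service_images.get(values.get("LocalService"))
        if image and everyone_can_write(acls.get(image, [])):
            findings.append((key, values["LocalService"], image))
    return findings
```

A hit means a logged-on user could both replace the service binary and have RPCSS launch it; either tightening the AppID key's ACL or the image file's NTFS rights breaks the chain.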