COMMAND

    System DLLs

SYSTEMS AFFECTED

    Win NT 3.5, 3.51, 4.0

PROBLEM

    This vulnerability was originally presented on:

        www.ntshop.com/security

    and this text is their credit.

    System DLLs are called by  applications and the registry, and  can
    be  replaced  with  trojaned/virused  versions.  %systemroot%  and
    %systemroot%\system32  directories  have  default  permissions  of
    'Everyone' (includes guest) set to 'Change'. This allows DLLs  not
    in use to be replaced. DLLs in use are locked.

    DLLs  are  run  by  programs  at  various  levels  during   normal
    operation. A DLL for example can be run with SYSTEM privileges  by
    a service while a user with normal privileges is logged on.

    This  is  also  true  for  the  MSGINA.DLL,  which  is the default
    "Graphical  Identification  and  Authorization"  provider  for the
    local  console   logon,  which   if  replaced,   could   seriously
    compromise your entire enterprise.

SOLUTION

    Check/set  your  system  permissions,  don't  install new software
    using an account with any level of administrative privileges,  use
    SMS where possible, use a  registry monitor such as NTRegMon  when
    installing software, be leary of  using any third party Web  based
    executables including ISAPI .DLLs and Java, and test new things on
    isolated systems.