COMMAND
Microsoft Transaction Server (MTS)
SYSTEMS AFFECTED
WinNT 4.0 (all versions)
PROBLEM
Discovered by Glenn Larsson and publicized in a Microsoft Security
Bulletin (MS00-095). Microsoft Transaction Server (MTS) is the
mechanism used by Microsoft Windows NT to handle transactions or
MTS packages which are series of software modules that form a
transaction.
The registry key in Windows NT 4.0 that handles the administration
of Microsoft Transaction Server (MTS) is not properly configured
to deny write access to unprivileged users. Modification rights
on this particular registry should only be reserved for
administrators. However, any user that is able to log onto a
system with MTS installed is able to alter the values for the MTS
registry key and its subkeys located at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server\Packages.
Among the information stored in the MTS registry key is the list
of MTS managers for each MTS package. A malicious users can
reconfigure or add new MTS packages to the system by adding his
userid to the list of managers of the System Package by modifying
values in the MTS registry key.
While adding new MTS packages to be executed under the context of
a different account requires the account password and thus a
malicious user would have to known the password to execute a new
package under a context other than his own, the malicious user
could modify an existing MTS package to perform unauthorized
actions.
The registry key could be modified remotely if the Winreg key was
enabled to allow remote access to the registry (Winreg is enabled
by default). MTS is not installed by default on Windows NT 4.0.
MTS is part of the Windows NT 4.0 Option Pack.
SOLUTION
Microsoft has released the following tool which corrects the
registry key value (this tool also corrects the registry values
for other vulnerabilities discussed in Microsoft Security
Bulletin MS00-095). Microsoft patch Q265714i:
http://download.microsoft.com/download/winntsp/Patch/Q266794/NT4/EN-US/Q265714i.EXEIntel