COMMAND

    RAS

SYSTEMS AFFECTED

    WinNT 4.0, TS

PROBLEM

    The following was discovered by Milan Dadok and publicized in
    Microsoft Security Bulletin MS00-095. The registry key in Windows
    NT 4.0 that handles the administration of Remote Access Service
    (RAS) third-party tools is not properly configured to deny write
    access to unprivileged users. These lenient permissions allow any
    user who can log on locally to a system with a RAS server
    installed to modify the value of the key so that it points to an
    arbitrary DLL file, which is then executed upon startup of RAS.
    The DLL named in the RAS registry key is run under LocalSystem
    privileges. Therefore, the malicious user would be able to perform
    any action under the LocalSystem security context, which
    basically yields full control over the local machine. The
    location of the RAS registry key is
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS.

    This vulnerability could be  exploited remotely if the  Winreg key
    was enabled  to allow  remote access  to the  registry (Winreg  is
    enabled by default).

    RAS is not installed by default on Windows NT 4.0.

SOLUTION

    Microsoft  has  released  the  following  tool  which corrects the
    registry key value  (this tool also  corrects the registry  values
    for  other   vulnerabilities  discussed   in  Microsoft   Security
    Bulletin MS00-095).  Microsoft patch Q265714i:

        http://download.microsoft.com/download/winntsp/Patch/Q266794/NT4/EN-US/Q265714i.EXE (Intel)
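
    An added example, not part of the original advisory or of
    Microsoft's tool: a Python check for the condition described under
    PROBLEM. It parses a key's security descriptor in SDDL text form
    (as later Windows tooling exports it) and reports allow ACEs that
    grant write access to anyone other than Administrators and
    LocalSystem. The SDDL strings are constructed samples; the trusted
    set and the function names are assumptions of this example.

```python
import re

# Mask bits that let a trustee repoint the key: KEY_SET_VALUE,
# KEY_CREATE_SUB_KEY, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_MASK = 0x2 | 0x4 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

# SDDL two-letter rights codes -> mask bits (registry-relevant subset).
RIGHTS = {
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# Assumption: only Administrators and LocalSystem should hold write access.
TRUSTED = frozenset({"BA", "SY", "S-1-5-32-544", "S-1-5-18"})

def rights_to_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]  # KeyError for codes outside the subset above
    return mask

def writable_by_untrusted(sddl, trusted=TRUSTED):
    """Return [(trustee, write_bits)] for allow ACEs outside `trusted`.
    Deny ACEs are not evaluated, so the result errs toward over-reporting."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # not an ACE (e.g. a conditional-expression fragment)
        ace_type, flags, rights, trustee = fields[0], fields[1], fields[2], fields[5]
        if ace_type != "A" or "IO" in re.findall("..", flags):
            continue  # skip non-allow ACEs and inherit-only ACEs
        write_bits = rights_to_mask(rights) & WRITE_MASK
        if write_bits and trustee not in trusted:
            findings.append((trustee, write_bits))
    return findings

# Constructed SDDL samples: Everyone ("WD" trustee) has full control in the
# first, read-only access in the second.
LAX_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;WD)"
FIXED_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;WD)"

if __name__ == "__main__":
    for name, sddl in (("lax", LAX_SDDL), ("fixed", FIXED_SDDL)):
        print(name, [(t, hex(b)) for t, b in writable_by_untrusted(sddl)])
```

    On a system with PowerShell, (Get-Acl 'HKLM:\SOFTWARE\Microsoft\RAS').Sddl
    produces the string to pass to writable_by_untrusted().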