COMMAND

    rollback.exe

SYSTEMS AFFECTED

    Win NT 3.5, 3.51, 4.0

PROBLEM

    The following text describes a possible exploit of the rollback.exe
    vulnerability; the idea is credited to John Johnson. Basically, if
    an NT 4.0 server has a few open ports, you can play it this way:
    usually some protected ports (below 1024) are open, and these can
    be used with a tool like Port Lock (credits to The Hobbit, which is
    also where you can get it) to lock onto a port. Then, using either
    the get.../../.. attack or, if port 19 is open (using Linux you can
    open some 40,000 connections to it), something like the pounder
    attack, the machine is crashed. With the port lock in place it will
    start throwing rollback.exe at the locked open port, so upon reboot
    (NT runs around looking for EXEs) the system accepts this rollback
    play and opens up the registry to all comers for a reset of the
    system (rollback is also used to recover lost administrator
    passwords). Anyway, any vulnerability that allows you to execute
    programs on an NT machine, if this "utility" is executable for you,
    means bye bye to your system.

    Be aware that there is no recovery from the use of rollback.exe.
    All Registry entries added by any BackOffice server application
    [and others] are removed along with all security and accounts
    information. Thus, only a complete backup taken immediately prior
    to usage will recover the installation. Data files remain intact,
    along with their file ACLs.

    ROLLBACK has no Help file, no command-line help, and in fact no
    documentation of any kind on the CD; simply double-clicking on the
    EXE or giving the command from the console causes execution without
    any warning. The next thing you know, you are staring at the Setup
    screen and are completely down.

SOLUTION

    The only fix to this problem is to restore the entire system from a
    current tape backup. The Emergency Repair Disk does not restore the
    system, as it requires the Setup.log and specific registry
    components to be present.

    Protecting yourself against a trojan program -- such as rollback.exe
    renamed to something else -- is difficult to do. In fact, it all
    boils down to common sense and judgement. Don't install software
    that you don't trust completely. Any intruder could easily disguise
    a package to look as though it came from a legitimate vendor,
    packaging and all. The only thing you can do is to install the
    software on a system that "doesn't matter" in the event that the
    software trashes the entire system.
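    An added defensive check, not part of this advisory: a PowerShell
    script that inventories executables on a Windows host for copies of
    rollback.exe, including renamed ones, so an administrator can remove
    the utility before anyone can run it. The SHA-256 value is a
    placeholder to be filled from your own NT media, and the assumption
    that the binary's version resource still names it rollback.exe is
    mine, not something the advisory states.

```powershell
# Added example (not from the original advisory): hunt for copies of
# rollback.exe, renamed or not, under the given roots.
# $KnownSha256 is a PLACEHOLDER; replace it with the SHA-256 of the
# rollback.exe taken from your own NT media. The version-resource check
# ASSUMES the binary carries OriginalFilename/InternalName = rollback.exe.
param(
    [string[]]$Roots = @("$env:SystemDrive\"),
    [string]$KnownSha256 = "REPLACE_WITH_SHA256_OF_ROLLBACK_EXE"
)

$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $reasons = @()

            # 1. Renamed copy: the embedded version resource still says rollback.exe.
            $vi = $file.VersionInfo
            foreach ($name in @($vi.OriginalFilename, $vi.InternalName)) {
                if ($name -and $name.Trim().ToLower() -eq 'rollback.exe') {
                    $reasons += "version resource names it '$($name.Trim())'"
                    break
                }
            }

            # 2. Byte-identical copy: SHA-256 matches the known binary.
            try {
                $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                if ($hash -ieq $KnownSha256) { $reasons += "SHA-256 matches known rollback.exe" }
            } catch { }   # unreadable or locked file: skip it

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Path = $file.FullName; Reason = ($reasons -join '; ') }
            }
        }
}

if ($hits) { $hits | Format-Table -AutoSize }
else       { "No copies of rollback.exe found under: $($Roots -join ', ')" }
```

    Run it from an elevated shell so every directory is readable; a
    copy the script reports belongs on offline media, not on a server.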