COMMAND

    Run, RunOnce and Uninstall Registry Keys Vulnerability

SYSTEMS AFFECTED

    Win NT 3.5, 3.51, 4.0

PROBLEM

    A user with a valid user name and domain name, who also has the
    right to log on locally to a Windows NT computer, can cause that
    computer to run a program of the user's choosing in a heightened
    security context: an entry planted under the Run or RunOnce key is
    executed at the next interactive logon, in the security context of
    whoever logs on, an administrator included.  Note that the Guest
    account does not have access to modify the registry.  By default,
    Windows NT domain controllers only permit administrators to log on
    locally and therefore are not vulnerable.  This was found by David
    LeBlanc.

    Every user who logs on to a Windows NT computer, a properly
    authenticated local logon included, holds the built-in "Everyone"
    group in their access token.  The default permissions on the keys
    cited below grant "Everyone" Special Access that includes the Set
    Value and Create Subkey rights.  Any member of "Everyone" can
    therefore add a value under the Run or RunOnce key naming a program
    of their choosing; values under Run are executed at every
    subsequent interactive logon, and values under RunOnce at the next
    one only, in the security context of the user logging on.  The
    Uninstall key holds one subkey per installed application, and that
    subkey defines the command that is run when the application is
    removed, normally by an administrator.  The keys are:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Because there is a potential for abuse of this level of rights,
    organizations may want to reset the permissions as described in the
    Solution section below.  A user must be logged on locally in order
    to change these keys; over the network they can only be changed by
    properly authenticated and privileged administrators.

    "You can add an executable in there and the system would run it on
    start-up,"  LeBlanc  said.  "That's  what  it's meant for, but the
    problem is that you could look at the permissions on that key, and
    it's giving full control to  everyone, and anyone could add  items
    in that.   You're supposed  to be  tweaking the  settings back  to
    where they really  should have been  in the first  place, but most
    people are not going to know this."

    "This  means  that  any  user  with  access  to that machine could
    install a program that runs when the computer starts up, and  this
    could allow somebody to install a Trojan horse," LeBlanc said.

SOLUTION

    Changing the "Everyone" group's access on these three subkeys, and
    on their existing subkeys, to Read resolves this issue.  Leave the
    entries for Administrators and SYSTEM unchanged so that
    administrators and setup programs can still write to the keys.
    Tightening the permissions does not remove an entry that was
    planted earlier, so also review the values already present under
    Run and RunOnce, and the uninstall commands under Uninstall, for
    anything unexpected.  Using Registry Editor incorrectly can cause
    serious problems that may require you to reinstall your operating
    system.  Use Registry Editor at your own risk.

    For information about how to edit the registry, view the "Changing
    Keys And Values"  Help topic in  Registry Editor (Regedit.exe)  or
    the  "Add  and  Delete  Information  in  the  Registry"  and "Edit
    Registry Data" Help topics in Regedt32.exe.

    Perform the following steps to reset the permissions:

        1. Run Registry Editor (Regedt32.exe).
        2. Perform the following steps on each of the three registry
           keys identified above:

           A. Select the key, then on the Security menu click
              Permissions.
           B. Select "Replace Permissions on Existing Subkeys".
           C. Click Everyone, change the Type Of Access to Read, and
              then click OK.

        3. Exit Registry Editor.
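    The following script is an added example and is not part of the
    advisory or of Microsoft's guidance.  It covers both halves of the
    page: the check implied by the Problem section (does an Allow entry
    for Everyone on these keys carry Set Value or Create Subkey?) and
    the Regedt32 procedure above, using Get-Acl/Set-Acl and the
    System.Security.AccessControl registry classes of a current Windows
    PowerShell, none of which exist on NT 3.x/4.0, where Regedt32 is the
    only option.  It assumes an elevated session; the script name, the
    function names and the -AuditOnly switch are invented for this
    example.

```powershell
<#
  Added example, not part of the advisory: the Regedt32 procedure above as a
  script.  Assumes an elevated Windows PowerShell session on a current
  Windows release; nothing comparable exists on NT 3.x/4.0.
    .\Reset-RunKeyAcl.ps1 -AuditOnly   # report writable keys, change nothing
    .\Reset-RunKeyAcl.ps1              # report and reset Everyone to Read
#>
param([switch]$AuditOnly)

$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Everyone is the well-known SID S-1-1-0.  Matching on the SID rather than
# the display name also catches localized names such as "Jeder".
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# The two rights inside the default "Special Access" that make the keys
# writable by non-administrators.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey

function ConvertTo-SidString([System.Security.Principal.IdentityReference]$Id) {
    try   { $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # orphaned SID that no longer resolves: not Everyone
}

# True when an Allow ACE for Everyone carries Set Value or Create Subkey.
function Test-EveryoneCanWrite([string]$Path) {
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ((ConvertTo-SidString $ace.IdentityReference) -ne $Everyone.Value) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.RegistryRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

# Replace every explicit Everyone ACE with one Read ACE.  ReadKey is the
# composite Regedt32 labels "Read" (Query Value, Enumerate Subkeys, Notify,
# Read Control).  ContainerInherit covers subkeys created later; subkeys
# that already exist are visited by the loop below, which is what
# "Replace Permissions on Existing Subkeys" does in Regedt32.
function Set-EveryoneReadOnly([string]$Path) {
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($Everyone)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Everyone,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Resetting the ACL does not remove an entry planted earlier, so first show
# what Run and RunOnce will launch at the next logon for review.
foreach ($key in $Keys[0..1]) {
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        Write-Host ("{0,-8} {1,-30} {2}" -f (Split-Path $key -Leaf), $name, $item.GetValue($name))
    }
}

# Audit each key and every existing subkey; reset unless -AuditOnly.
foreach ($key in $Keys) {
    $targets = @(Get-Item -Path $key) +
               @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($target in $targets) {
        $path = $target.PSPath
        if (-not (Test-EveryoneCanWrite -Path $path)) { continue }
        Write-Warning "Everyone can write to $path"
        if (-not $AuditOnly) {
            Set-EveryoneReadOnly -Path $path
            Write-Host "  Everyone reset to Read on $path"
        }
    }
}
```

    Run it with -AuditOnly first and read the listed Run and RunOnce
    values before changing anything.  On a current Windows release the
    default ACL on these keys already gives non-administrators read
    access only, so a reported key means the permissions were altered
    after installation and the existing entries deserve a closer look.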