COMMAND
screen saver
SYSTEMS AFFECTED
WinNT
PROBLEM
Something like this was addressed before I beleive, but this
advisory covers much more. Will SP4 ban previous scr* attacks?
According to Mnemonix vulnerability with Logon Screensaver when
we replace scr with winlogon works, BUT whether the screen saver
disappears or not depends on the type of mouse used ie a PS/2
style mouse it works, a serial style it doesn't. Incidently, it
seems that a number of people have indepently reported this
problem over the years, but as it stands the default perms on
logon.scr don't give a normal user a chance to change it.
Fred Baumhardt added something new. Renaming the logon.scr with
a trojan program and logging out the machine will cause the system
to execute the program in the security context of the SYSTEM
right after 15 minutes has past (or how did you set up). Further
to all that has been said about the screensaver issue (see
previous advisories) there seems to be some confusion. There
IS an exploit of where an admin can rename the logon.scr in
system. That file will then run when no one is logged in under
the SYSTEM security context. Contrary to what other people have
posted this is a HUGE vulnerability. It is a back door, that is
difficult to detect. If you enter any program in place of the
logon.scr, it gets run, but it can't require any interaction on
the part of the user. People have reported using UserAdmin, but
that wont work as any mouse or keystroke will return the logon
box. Note: You can not replace the logon.scr with a batch file.
Although it is not a compromise bug, it is a "once hacked leave a
backdoor bug". As such it can not be dismissed.
So, lets say we have an administrator or someone who has ever
gained admin access to a machine. They rename the logon.scr, in
its place they put a compiled C++ program that calls the system()
function (which allows you to call any local command line
function). That lets say we add a couple of net user /add
commands which will create new users. Then we add those users to
the local server. Or we delete some kernel files, or any series
or compromises. Finally the program has a small routine that
checks to see if a file exists. (lets call it hack.now) if it
exists it will execute the exploits. Otherwise, it will just
call the renamed screen saver file. No administrator will ever
know. It is a sleeping timebomb. The second the attacker puts
the trigger file on the machine (or any other machine on the
network) the program will execute the next time the server is
logged out and goodbye server, DC or whatever. That sort of flaw
in the system design can be exploited infinitely by an intruder.
There has been many cases of getadmin or whatever working on a
machine. What matters is that a person that has compromised the
system can do so again, in a manner very difficult to trace, as
it has few symptoms. It doesn't require much imagination to come
up with severe exploits.
Here is a simplified exploit program in C++ , rename it and when
the logon executes the user will be added to the admin group
locally. You can run any dos command line command by putting it
in the system brackets.
#include <iostream.h>
#include <process.h>
void main()
{
system("net localgroup administrators /add domain\\attackerID");
}
SOLUTION
Recommendatiom is to use the innoculate features with AV software
the logon SCR files and detect for changes. Also SP4's SCE can be
of help.