Re: Multiple Weaknesses in St Bernard's UpdateExpert 5.1

From: John Duddy (JDuddy@STBERNARD.COM)
Date: 04/15/02


Date:         Mon, 15 Apr 2002 13:45:57 -0700
From: John Duddy <JDuddy@STBERNARD.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

No, Russ - we're not just waiting to see if these keys are a part of the
next big attack. Nor do I want to tip our hand to the Windows Corporate
Update team about our upcoming plans. Despite having a premier support
contract with Microsoft, we find out about their new initiatives the same
way everyone else does. So we had no choice but to go it on our own. We have,
and the world will hear about it soon. And then Windows Corporate Update
will be to UpdateEXPERT what hfnetchk is to UpdateEXPERT now - an
alternative that firmly falls into the "You get what you pay for" category.

As you pointed out, as Principal Engineer I should have [and did] raise this
and many other issues in the past. Now we're addressing them. Completely and
decisively. But I am not at liberty to discuss future product feature lists
with you or anyone else not on NDA, and certainly not the world community
via your newsgroup. Just let me say this: it is our intention to resolve all
these issues and more in the next release.

Thank you -

John Duddy
Principal Engineer
St. Bernard Software

-----Original Message-----
From: Russ [mailto:Russ.Cooper@rc.on.ca]
Sent: Monday, April 15, 2002 1:18 PM
To: John Duddy; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: RE: Multiple Weaknesses in St Bernard's UpdateExpert 5.1

John Duddy, Principal Engineer at St. Bernard Software said;

"As far as I know, there is no way to manipulate the values you mention
without being an Administrator. If one of your administrators deletes
these values, you will indeed have the symptoms you mentioned. However,
letting someone like that have administrative rights on your machine is
the source of the error."

Well, actually this isn't true, but it's a common premise though. I
pointed out in my message that the keys used are write-restricted to
Administrators/System, but I purposefully avoid what so many have been
saying...namely that those keys are a prime target.

Too many things rely upon the integrity of these keys and not on other,
additional or autonomous, sources. HFNetchk is a noteworthy alternative
because it uses its own checksums against the files themselves and
doesn't give a hoot what's in those keys.

I can manipulate these keys as System. Nimda was System. Code Red was
System. Some exploits do run as System.

I'm not arguing against the stance, "but hey, if I can get something to
exploit as System then all bets are off!". Yup, that's definitely true,
if something runs as System then all bets are definitely off. What's at
issue here (something I didn't want to state explicitly but Ragnarok
pointed out clearly) is that if something should run on your machine
you'd likely apply a patch to correct it...no? People applied a patch to
eliminate Code Red, Nimda, and so many others.

Ah, but what happens if the effects of "whatever" also muck about with
this registry data? What do you do to check the integrity of the
registry if the tools you are using aren't able to do that on their own?
Remove all of the registry keys for all patches and re-apply all
patches???

UpdateExpert, like Windows Update, is unable to independently verify
what it's looking at and whether a system is or isn't at a given patch
level. It only works as long as the system hasn't been tampered with.
That's a problem, and no, the problem's not isolated to rogue
Administrators.

Surely as the Principal Engineer you must have raised this issue several
times in the past internally. I can now state with certainty that many
security experts expect these keys to be part of the next big attack.
Are you just waiting to see if we're right or not?

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
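A defender's version of the point Russ makes above, as an added example that is not from the thread or from any of the products named in it: a Python check that decides patch state from file checksums against a trusted manifest and treats the machine's own "installed" record only as a claim to be compared against, so a deleted or forged record shows up as a discrepancy instead of a wrong answer. The patch names, file names and file contents are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks; the 'own checksum' approach the thread credits HFNetchk with."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_patches(manifest, claimed, root):
    """manifest: {patch: {relative_file: known_good_sha256}} (vendor-supplied, trusted).
    claimed: patches the machine's own record (registry-style) says are installed.
    Returns {patch: status}: 'verified' (record and files agree), 'record-only'
    (record claims it but binaries do not match: rollback or tampered record),
    'files-only' (binaries are patched but the record is gone), 'missing'."""
    status = {}
    for patch, files in manifest.items():
        files_ok = all(
            os.path.isfile(os.path.join(root, rel))
            and sha256_file(os.path.join(root, rel)) == digest
            for rel, digest in files.items()
        )
        if files_ok:
            status[patch] = "verified" if patch in claimed else "files-only"
        else:
            status[patch] = "record-only" if patch in claimed else "missing"
    return status

def demo():
    """Constructed scenario: fake patch names, files and contents in a temp dir."""
    root = tempfile.mkdtemp()
    contents = {"a.dll": b"patched-A", "b.dll": b"unpatched-B", "d.dll": b"patched-D"}
    for name, data in contents.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    def good(data):
        return hashlib.sha256(data).hexdigest()
    manifest = {
        "PATCH-A": {"a.dll": good(b"patched-A")},  # applied, but record deleted
        "PATCH-B": {"b.dll": good(b"patched-B")},  # record present, file rolled back
        "PATCH-C": {"c.dll": good(b"patched-C")},  # never applied, no record
        "PATCH-D": {"d.dll": good(b"patched-D")},  # applied and recorded
    }
    claimed = {"PATCH-B", "PATCH-D"}  # what the registry-style record asserts
    return verify_patches(manifest, claimed, root)
```

Only "record-only" and "files-only" indicate that the record and the binaries disagree; a tool that reads the record alone reports PATCH-B as installed and PATCH-A as missing, the opposite of the truth on disk.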

