Re: Microsoft Security Bulletin MS03-049 - Installation problems?

From: Chris Wysopal (weld_at_VULNWATCH.ORG)
Date: 11/13/03

    Date:         Thu, 13 Nov 2003 18:01:30 +0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    @stake has a new tool available to turn Windows File Protection off
    dynamically without a reboot. This is useful for seeing what WFP is
    doing.

    WFPdisable is available here:
    http://www.atstake.com/research/tools/vulnerability_scanning/

    Cheers,

    Chris

    On Thu, 13 Nov 2003, BROWN Nick wrote:

    > I just did a check (on a machine with SP1 but no MS03-043 yet):
    >
    > cd \WINDOWS\SYSTEM32
    > dir WKSSVC.DLL DLLCACHE\WKSSVC.DLL
    > REM Above line shows two copies of the file, both 120,832 bytes
    >
    > REM Now let's replace WKSSVC.DLL. It's open, so we rename it out the way:
    > ren WKSSVC.DLL WKSSVC.DLX
    >
    > REM Replace it with a randomly chosen file (264,704 bytes):
    > copy WZCSVC.DLL WKSSVC.DLL
    >
    > REM Let's check (type quickly):
    > dir WKSSVC.DLL DLLCACHE\WKSSVC.DLL
    > REM Above line shows the one in SYSTEM32 is 264,704 bytes; the one in
    > DLLCACHE is still 120,832.
    >
    > REM Hold on, the disk is spinning. Must be WFP putting the DLLCACHE version
    > back.
    > dir WKSSVC.DLL DLLCACHE\WKSSVC.DLL
    > REM Guess what ? BOTH versions are 264,704 bytes.
    > REM In other words, WFP is effectively running *** the wrong way *** on this
    > file !!
    >
    > ---------------------------------------------------------------
    > |\ | o _ |/ Life's like a jigsaw
    > | \| | |_ |\ You get the straight bits
    > But there's something missing in the middle
    >
    > Nick Brown, Strasbourg, France (Nick(dot)Brown(at)coe(dot)int)
    > ---------------------------------------------------------------
    >
    > > -----Original Message-----
    > > From: Russ [mailto:Russ.Cooper@RC.ON.CA]
    > > Sent: Thursday 13 November 2003 18:09
    > > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > > Subject: Re: Microsoft Security Bulletin MS03-049 - Installation
    > > problems?
    > >
    > >
    > > Makoto Shiotsuki made a good catch and let me know about it.
    > > Seems that the pre-October 29th version of MS03-043 had one
    > > more problem that never got a mention anywhere (including
    > > Microsoft's revision statement.)
    > >
    > > The pre-October 29th version of MS03-043 didn't update the
    > > dllcache directory version of wkssvc.dll on Windows XP SP1
    > > systems (not sure about other OS'.) So although it did
    > > install the updated files in the system32 directory, only
    > > msgsvc.dll was updated in dllcache.
    > >
    > > This is the first time I'm aware of that Microsoft screwed up
    > > the list of files which Windows File Protection keeps an eye
    > > over. This must have happened otherwise WFP would have
    > > replaced the file in the system32 directory with the older
    > > version of wkssvc.dll right away (assuming WFP is enabled.)
    > > Clearly WFP seems to not care that the two files aren't the
    > > same, and that the updated version in the system32 directory
    > > is just fine, despite it not being the same as the one in the
    > > dllcache directory. Looks like WFP doesn't know how to check
    > > the consistency of the dllcache directory versions of files.
    > >
    > > This was fixed in the re-release of MS03-043 on October 29th,
    > > but since nobody needs to apply the updated version of the
    > > patch, according to Microsoft, and Windows Update doesn't
    > > re-offer it...there's a lot of people out there with a wrong
    > > version of wkssvc.dll in their dllcache directory. If for
    > > some reason the system32 copy of the wkssvc.dll file is
    > > altered, I'd be curious what WFP is going to do. It'll first
    > > copy the version from the dllcache, but since that version
    > > isn't correct, it's either going to loop and do it over and
    > > over, or prompt for a copy from another source. I suspect it
    > > will loop, but I haven't tested this.
    > >
    > > I also haven't tested whether running the updated version of
    > > MS03-043 on a machine which already has it is going to
    > > actually run, I'd expect the patch installer to say it's
    > > already applied (based on the presence of the registry key
    > > only) and abort. Likely you'll have to remove the 828035
    > > registry key first, then run the patch again, to get the
    > > dllcache updated. Simply copying the updated file into the
    > > dllcache may work also, since WFP believes that version to be
    > > the correct one, but again I haven't tried this either.
    > >
    > > Let me know your test results and I'll post the outcome when
    > > I have it.
    > >
    > > Bad Microsoft, Bad. Firstly, the 2.0 revision statement in
    > > MS03-043 should have mentioned all of the changes, not simply
    > > a reference to the update.exe issue. I can appreciate the
    > > embarrassment of having to tell people to re-apply a botched
    > > patch, and how that might not be necessary to simply fix the
    > > update.exe problem, but these other two issues (changing the
    > > version of the files, and fixing the WFP list and dllcache
    > > copy) are clearly good reason to re-apply. This definitely
    > > should have been called out so people could avoid the
    > > problems with their patch solutions, and, get WFP fixed up.
    > >
    > > If the revised version of the patch checked everything, and
    > > not just the registry key, it could determine those that
    > > installed the pre-October 29th version itself and re-apply
    > > where appropriate. Given the way it's working, that's not
    > > happening, and people seem to have to take unorthodox actions
    > > themselves (or rely on their patch management application to
    > > do it for them.) Microsoft, this isn't helping.
    > >
    > > Cheers,
    > > Russ - NTBugtraq Editor
    > >
    > > ----
    > > NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    > > code "NT1003" when registering to take the TICSA exam at
    > > www.2test.com.
    > > Prove to your employer and peers that you have the knowledge and
    > > abilities to be an active stakeholder in today's enterprise security.
    > > Become TICSA certified www.trusecure.com/ticsa. Promotion expires
    > > 12/31/03 and cannot be used in combination with other offers.

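The consistency check Russ says WFP does not perform, as an added example that is not part of this thread or of any @stake tool: it compares the system32 copy of each listed file with its dllcache copy by size and then SHA-256 and reports which ones disagree. The directory tree it builds is constructed dummy data, and sample.dll is a made-up name used only to show the same-size, different-content case.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large DLLs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_dllcache(system32, names, dllcache=None):
    """Return {name: status} comparing the system32 copy with the dllcache
    copy: 'ok', 'size_mismatch', 'hash_mismatch', 'missing_live' or
    'missing_cache'. Size goes first; it already catches the thread's case."""
    dllcache = dllcache or os.path.join(system32, "dllcache")
    report = {}
    for name in names:
        live = os.path.join(system32, name)
        cache = os.path.join(dllcache, name)
        if not os.path.isfile(live):
            report[name] = "missing_live"
        elif not os.path.isfile(cache):
            report[name] = "missing_cache"
        elif os.path.getsize(live) != os.path.getsize(cache):
            report[name] = "size_mismatch"
        elif sha256_of(live) != sha256_of(cache):
            report[name] = "hash_mismatch"
        else:
            report[name] = "ok"
    return report


def build_sample_tree():
    """Constructed stand-in for system32 (dummy bytes, not real DLLs):
    msgsvc.dll matches its cache copy, wkssvc.dll differs in size and
    sample.dll (a made-up name) differs in content only."""
    system32 = tempfile.mkdtemp()
    cache_dir = os.path.join(system32, "dllcache")
    os.mkdir(cache_dir)
    files = {"msgsvc.dll": (b"A" * 512, b"A" * 512),
             "wkssvc.dll": (b"B" * 512, b"B" * 256),
             "sample.dll": (b"C" * 512, b"D" * 512)}
    for name, (live, cached) in files.items():
        for folder, data in ((system32, live), (cache_dir, cached)):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
    return system32
```

On a real machine, point `check_dllcache` at `%SystemRoot%\system32` with the file list from the bulletin; a `size_mismatch` or `hash_mismatch` on wkssvc.dll is the stale-dllcache condition described above.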
