Re: Microsoft Security Bulletin MS03-049 - Installation problems?

From: Maxim S. Shatskih (maxim_at_STORAGECRAFT.COM)
Date: 11/16/03

    Date:         Sun, 16 Nov 2003 20:02:28 +0300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

        The Q222473 knowledge base article documents the "SFCDisable" value.

        Set it to the undocumented value of (-100) decimal or 0xffffff9c - this
    will disable SFC completely, at least on w2k. A known fact in the device
    driver development community.

    Maxim Shatskih, Windows DDK MVP
    StorageCraft Corporation
    maxim@storagecraft.com
    http://www.storagecraft.com

    ----- Original Message -----
    From: "Chris Wysopal" <weld@VULNWATCH.ORG>
    To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Sent: Thursday, November 13, 2003 9:01 PM
    Subject: Re: Microsoft Security Bulletin MS03-049 - Installation problems?

    > @stake has a new tool available to turn Windows File Protection off
    > dynamically without a reboot. This is useful for seeing what WFP is
    > doing.
    >
    > WFPdisable is available here:
    > http://www.atstake.com/research/tools/vulnerability_scanning/
    >
    > Cheers,
    >
    > Chris
    >
    > On Thu, 13 Nov 2003, BROWN Nick wrote:
    >
    > > I just did a check (on a machine with SP1 but no MS03-043 yet):
    > >
    > > cd \WINDOWS\SYSTEM32
    > > dir WKSSVC.DLL DLLCACHE\WKSSVC.DLL
    > > REM Above line shows two copies of the file, both 120,832 bytes
    > >
    > > REM Now let's replace WKSSVC.DLL. It's open, so we rename it out the way:
    > > ren WKSSVC.DLL WKSSVC.DLX
    > >
    > > REM Replace it with a randomly chosen file (264,704 bytes):
    > > copy WZCSVC.DLL WKSSVC.DLL
    > >
    > > REM Let's check (type quickly):
    > > dir WKSSVC.DLL DLLCACHE\WKSSVC.DLL
    > > REM Above line shows the one in SYSTEM32 is 264,704 bytes; the one in
    > > DLLCACHE is still 120,832.
    > >
    > > REM Hold on, the disk is spinning. Must be WFP putting the DLLCACHE
    > > version back.
    > > dir WKSSVC.DLL DLLCACHE\WKSSVC.DLL
    > > REM Guess what ? BOTH versions are 264,704 bytes.
    > > REM In other words, WFP is effectively running *** the wrong way *** on
    > > this file !!
    > >
    > > ---------------------------------------------------------------
    > > |\ | o _ |/ Life's like a jigsaw
    > > | \| | |_ |\ You get the straight bits
    > > But there's something missing in the middle
    > >
    > > Nick Brown, Strasbourg, France (Nick(dot)Brown(at)coe(dot)int)
    > > ---------------------------------------------------------------
    > >
    > > > -----Original Message-----
    > > > From: Russ [mailto:Russ.Cooper@RC.ON.CA]
    > > > Sent: Thursday 13 November 2003 18:09
    > > > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > > > Subject: Re: Microsoft Security Bulletin MS03-049 - Installation
    > > > problems?
    > > >
    > > >
    > > > Makoto Shiotsuki made a good catch and let me know about it.
    > > > Seems that the pre-October 29th version of MS03-043 had one
    > > > more problem that never got a mention anywhere (including
    > > > Microsoft's revision statement.)
    > > >
    > > > The pre-October 29th version of MS03-043 didn't update the
    > > > dllcache directory version of wkssvc.dll on Windows XP SP1
    > > > systems (not sure about other OSes.) So although it did
    > > > install the updated files in the system32 directory, only
    > > > msgsvc.dll was updated in dllcache.
    > > >
    > > > This is the first time I'm aware of that Microsoft screwed up
    > > > the list of files which Windows File Protection keeps an eye
    > > > over. This must have happened otherwise WFP would have
    > > > replaced the file in the system32 directory with the older
    > > > version of wkssvc.dll right away (assuming WFP is enabled.)
    > > > Clearly WFP seems to not care that the two files aren't the
    > > > same, and that the updated version in the system32 directory
    > > > is just fine, despite it not being the same as the one in the
    > > > dllcache directory. Looks like WFP doesn't know how to check
    > > > the consistency of the dllcache directory versions of files.
    > > >
    > > > This was fixed in the re-release of MS03-043 on October 29th,
    > > > but since nobody needs to apply the updated version of the
    > > > patch, according to Microsoft, and Windows Update doesn't
    > > > re-offer it...there's a lot of people out there with a wrong
    > > > version of wkssvc.dll in their dllcache directory. If for
    > > > some reason the system32 copy of the wkssvc.dll file is
    > > > altered, I'd be curious what WFP is going to do. It'll first
    > > > copy the version from the dllcache, but since that version
    > > > isn't correct, it's either going to loop and do it over and
    > > > over, or prompt for a copy from another source. I suspect it
    > > > will loop, but I haven't tested this.
    > > >
    > > > I also haven't tested whether running the updated version of
    > > > MS03-043 on a machine which already has it is going to
    > > > actually run, I'd expect the patch installer to say it's
    > > > already applied (based on the presence of the registry key
    > > > only) and abort. Likely you'll have to remove the 828035
    > > > registry key first, then run the patch again, to get the
    > > > dllcache updated. Simply copying the updated file into the
    > > > dllcache may work also, since WFP believes that version to be
    > > > the correct one, but again I haven't tried this either.
    > > >
    > > > Let me know your test results and I'll post the outcome when
    > > > I have it.
    > > >
    > > > Bad Microsoft, Bad. Firstly, the 2.0 revision statement in
    > > > MS03-043 should have mentioned all of the changes, not simply
    > > > a reference to the update.exe issue. I can appreciate the
    > > > embarrassment of having to tell people to re-apply a botched
    > > > patch, and how that might not be necessary to simply fix the
    > > > update.exe problem, but these other two issues (changing the
    > > > version of the files, and fixing the WFP list and dllcache
    > > > copy) are clearly good reason to re-apply. This definitely
    > > > should have been called out so people could avoid the
    > > > problems with their patch solutions, and get WFP fixed up.
    > > >
    > > > If the revised version of the patch checked everything, and
    > > > not just the registry key, it could determine those that
    > > > installed the pre-October 29th version itself and re-apply
    > > > where appropriate. Given the way it's working, that's not
    > > > happening, and people seem to have to take unorthodox actions
    > > > themselves (or rely on their patch management application to
    > > > do it for them.) Microsoft, this isn't helping.
    > > >
    > > > Cheers,
    > > > Russ - NTBugtraq Editor
    > > >
    > > > ----
    > > > NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    > > > code "NT1003" when registering to take the TICSA exam at www.2test.com.
    > > > Prove to your employer and peers that you have the knowledge and
    > > > abilities to be an active stakeholder in today's enterprise security.
    > > > Become TICSA certified www.trusecure.com/ticsa. Promotion expires
    > > > 12/31/03 and cannot be used in combination with other offers.
    > > >
    > > > ----

    -----
    Marcus Ranum's new book "The Myth of Homeland Security" is now out and
    is available from http://www.amazon.com/ranum In this hard-hitting
    review of the homeland security business, Ranum shows us how the problem
    is vastly harder than it's being made to sound, and how special
    interests, *** covering, and bureaucracy are threatening to derail any
    chance of making progress.
    -----
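As an added example, not code from this thread or from @stake: a Python audit that compares the dllcache copy of each named file against the live system32 copy by hash, which is the consistency check Russ observes WFP itself does not perform. The directory layout and file contents are constructed stand-ins so it runs anywhere; on a real Windows 2000/XP machine you would point it at %SystemRoot%\system32 and its dllcache subdirectory.

```python
"""Audit whether the Windows File Protection cache (system32\\dllcache)
matches the live copies in system32. Added example, not from the NTBugtraq
thread; the directory tree in demo() is constructed so it runs anywhere."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_dllcache(system32: Path, dllcache: Path, names) -> dict:
    """Return name -> 'ok' | 'mismatch' | 'no_dllcache_copy' | 'no_system32_copy'.
    WFP restores from dllcache but never verifies that the cached copy is the
    one a patch installed, so a stale cache only shows up when a restore runs."""
    result = {}
    for name in names:
        live, cached = system32 / name, dllcache / name
        if not live.exists():
            result[name] = "no_system32_copy"
        elif not cached.exists():
            result[name] = "no_dllcache_copy"
        elif sha256_of(live) != sha256_of(cached):
            result[name] = "mismatch"
        else:
            result[name] = "ok"
    return result


def demo() -> dict:
    """Constructed tree reproducing the thread's scenario: the patch updated
    wkssvc.dll in system32 but left the old build in dllcache, while msgsvc.dll
    was updated in both places."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    (system32 / "wkssvc.dll").write_bytes(b"wkssvc build 2 (patched)")  # constructed
    (dllcache / "wkssvc.dll").write_bytes(b"wkssvc build 1 (pre-patch)")  # constructed
    (system32 / "msgsvc.dll").write_bytes(b"msgsvc build 2 (patched)")  # constructed
    (dllcache / "msgsvc.dll").write_bytes(b"msgsvc build 2 (patched)")  # constructed
    return audit_dllcache(system32, dllcache, ["wkssvc.dll", "msgsvc.dll"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A "mismatch" for a file that the patch is supposed to have updated is the condition Russ describes: the next WFP restore would silently roll system32 back to the stale cached build.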
