Microsoft NT 4.0 OffloadModExpo Registry Permissions Vulnerability
BID:1105
Info
Microsoft NT 4.0 OffloadModExpo Registry Permissions Vulnerability
| Bugtraq ID: | 1105 |
| Class: | Configuration Error |
| CVE: |
CVE-2000-0259 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 12 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | Discovered by Sergio Tabanelli and Banca Nazionale del Lavoro and publicized in a Microsoft Security Bulletin (MS00-024) on April 12, 2000. |
| Vulnerable: |
Microsoft Windows NT Terminal Server 4.0 alpha Microsoft Windows NT Terminal Server 4.0 Microsoft Windows NT 4.0 alpha Microsoft Windows NT 4.0 |
| Not Vulnerable: | |
Discussion
Microsoft NT 4.0 OffloadModExpo Registry Permissions Vulnerability
Default registry permissions leave Microsoft NT 4.0 in a vulnerable state that would allow a local user to manipulate other users' cryptographic keys by creating and installing a DLL file, and specifying it as a hardware accelerator device driver in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Offload\ExpoOffload key.
Any CSP (Cryptographic Service Provider) that then checked this key would use the attacker's code to perform crypto calculations. That code could then copy of modify the resulting key.
Default registry permissions leave Microsoft NT 4.0 in a vulnerable state that would allow a local user to manipulate other users' cryptographic keys by creating and installing a DLL file, and specifying it as a hardware accelerator device driver in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Offload\ExpoOffload key.
Any CSP (Cryptographic Service Provider) that then checked this key would use the attacker's code to perform crypto calculations. That code could then copy of modify the resulting key.
Exploit / POC
Microsoft NT 4.0 OffloadModExpo Registry Permissions Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Microsoft NT 4.0 OffloadModExpo Registry Permissions Vulnerability
Solution:
Microsoft has released a tool which addresses this vulnerability:
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT 4.0
Microsoft Windows NT Terminal Server 4.0 alpha
Microsoft Windows NT 4.0 alpha
Solution:
Microsoft has released a tool which addresses this vulnerability:
Microsoft Windows NT Terminal Server 4.0
-
Microsoft Q259496
http://download.microsoft.com/download/winntsp/Patch/Q259496/NT4/EN-US /Q259496i.exe
Microsoft Windows NT 4.0
-
Microsoft Q259496
http://download.microsoft.com/download/winntsp/Patch/Q259496/NT4/EN-US /Q259496i.exe
Microsoft Windows NT Terminal Server 4.0 alpha
-
Microsoft Q259496
http://download.microsoft.com/download/winntsp/Patch/Q259496/ALPHA/EN- US/Q259496a.exe
Microsoft Windows NT 4.0 alpha
References
Microsoft NT 4.0 OffloadModExpo Registry Permissions Vulnerability
References:
References: