Date: Tue, 25 May 1999 13:05:56 -0400 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Security Leak with IBM Netfinity Remote Control Software On May 10th, 1999, Thomas Krug reported to NTBugtraq; >Hi, > >I found a method to run programs like regedit and user manager with >admin right using the above tool. The following testscenario has >been used: > >PC with Windows NT Workstation in a Domain >Registry has been secured (especially HKLM) >The User has no local admin rights and is in no admin group. >The execution of regedit and regedt32 has been forbidden by system >policy. > >When running the Netfinity Client and starting the process manager >(view, close and execute processes) and run for instance >regedit.exe or musrmgr.exe the programs run under the user >configured with the netfinity service, either the system account >or an admin. > >Thomas After an incredibly difficult journey through the labyrinth of IBM's support groups, I finally spoke to a Ted McDaniels who, reportedly, was responsible for support of the IBM Netfinity RCS. After explaining Tom's issues with the product, Ted acknowledged that IBM Netfinity RCS was "built with very little security in mind". He also expressed doubt that any "fix" might be made to it to give it even the most rudimentary NT security understandings. IBM did promise to send some sort of explanation to NTBugtraq regarding Thomas' findings, however, Ted has now gone on vacation and we're left with nothing from them. Can you detect how disappointed I am with IBM's reaction and handling of this issue? Thomas' company was in the process of ripping out IBM Netfinity RCS when he originally submitted the issue, and all indications are that anyone using IBM Netfinity RCS, or considering using it, should do the same. Bottom line, there is no way to control what a user can or cannot do with the "Process Manager" component of IBM Netfinity RCS, and clearly they are able to usurp all other controls you might have placed on your NT environment should the product be present. The service *must* be run as either SYSTEM or ADMINISTRATOR. If anyone has found a way to avoid the *HUGE SECURITY HOLE* this product creates in an NT environment, please let us know. Cheers, Russ - NTBugtraq Editor -------------------------------------------------------------------------- Date: Wed, 9 Jun 1999 18:10:03 -0400 From: haith@US.IBM.COM To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: IBM's response to "Security Leak with IBM Netfinity Remote Control Software" We at IBM have assessed this posting and have identified a choice of actions that can be taken to avoid this scenario. Nonetheless, we believe it is in the best interest of our customers to provide a patch in the form of a single downloadable file to eliminate this problem. The patch will be made available in two weeks. In the interim, the following precautionary options can be taken to avoid the scenario described in your posting: * Set the NT file-level permission on the entire WNETFIN directory (use LIST) to prevent the local user from executing any of the Netfinity Manager Services locally. * Restrict access to Netfinity Manager Services such as Process Manager and Remote Session via Netfinity Security Manager. * Start the support program service within a userid that is not an administrator in order to provide the audit capability. * Install Netfinity Manager code on administrator machines only and Client Services for Netfinity Manager on the general user population, thus limiting ability to use Process Manager and Remote Session to the administrators. * Modify the INSTALL.INI to prevent Process Manager and Remote Session to be installed. Thanks again for bringing this information to our attention.