Date: Tue, 25 May 1999 13:05:56 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Security Leak with IBM Netfinity Remote Control Software

On May 10th, 1999, Thomas Krug reported to NTBugtraq:

>Hi,
>
>I found a method to run programs like regedit and user manager with
>admin rights using the above tool. The following test scenario has
>been used:
>
>PC with Windows NT Workstation in a Domain
>Registry has been secured (especially HKLM)
>The User has no local admin rights and is in no admin group.
>The execution of regedit and regedt32 has been forbidden by system
>policy.
>
>When running the Netfinity Client, starting the process manager
>(view, close and execute processes) and running, for instance,
>regedit.exe or musrmgr.exe, the programs run under the user
>configured with the netfinity service, either the system account
>or an admin.
>
>Thomas

After an incredibly difficult journey through the labyrinth of IBM's
support groups, I finally spoke to a Ted McDaniels who, reportedly, was
responsible for support of the IBM Netfinity RCS.

After explaining Tom's issues with the product, Ted acknowledged that
IBM Netfinity RCS was "built with very little security in mind". He also
expressed doubt that any "fix" might be made to it to give it even the
most rudimentary NT security understandings.

IBM did promise to send some sort of explanation to NTBugtraq regarding
Thomas' findings; however, Ted has now gone on vacation and we're left
with nothing from them.

Can you detect how disappointed I am with IBM's reaction and handling of
this issue?

Thomas' company was in the process of ripping out IBM Netfinity RCS when
he originally submitted the issue, and all indications are that anyone
using IBM Netfinity RCS, or considering using it, should do the same.

Bottom line, there is no way to control what a user can or cannot do
with the "Process Manager" component of IBM Netfinity RCS, and clearly
they are able to usurp all other controls you might have placed on your
NT environment should the product be present. The service *must* be run
as either SYSTEM or ADMINISTRATOR.

If anyone has found a way to avoid the *HUGE SECURITY HOLE* this product
creates in an NT environment, please let us know.

Cheers,
Russ - NTBugtraq Editor

--------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 18:10:03 -0400
From: haith@US.IBM.COM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IBM's response to "Security Leak with IBM Netfinity Remote Control Software"

We at IBM have assessed this posting and have identified a choice of actions
that can be taken to avoid this scenario.  Nonetheless, we believe it is in the
best interest of our customers to provide a patch in the form of a single
downloadable file to eliminate this problem.  The patch will be made available
in two weeks.

In the interim, the following precautionary options can be taken to avoid the
scenario described in your posting:

*    Set the NT file-level permission on the entire WNETFIN directory (use LIST)
 to prevent the local user from executing any of the Netfinity Manager Services
 locally.

*    Restrict access to Netfinity Manager Services such as Process Manager and
 Remote Session via Netfinity Security Manager.

*    Start the support program service within a userid that is not an
 administrator in order to provide the audit capability.

*    Install Netfinity Manager code on administrator machines only and Client
 Services for Netfinity Manager on the general user population, thus limiting
 ability to use Process Manager and Remote Session to the administrators.

*    Modify the INSTALL.INI to prevent Process Manager and Remote Session from
 being installed.

Thanks again for bringing this information to our attention.
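An added audit script for the two conditions the thread turns on (who can execute files under the Netfinity install directory, and which account the service runs under); it is not from IBM or from either poster, and it uses modern PowerShell rather than the 1999-era tools. Assumptions: the directory is C:\WNETFIN (the name comes from IBM's note, the drive letter is assumed) and the service name is a placeholder to be replaced with the real one.

```powershell
# Added example, not from the thread or from IBM. Checks IBM's first workaround
# (non-admins should have at most List on WNETFIN, i.e. no execute rights) and
# the condition Russ describes (the service account is what Process Manager
# launches everything as).
param(
    [string]$InstallDir  = 'C:\WNETFIN',                    # directory from IBM's note; drive assumed
    [string]$ServiceName = 'NETFINITY-SERVICE-NAME-PLACEHOLDER'  # placeholder, not on the page
)

$privileged  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$execBit     = [int64][System.Security.AccessControl.FileSystemRights]::ExecuteFile
$genericMask = [int64]0xF -shl 28      # GENERIC_* bits; an ACE using them grants more than List
$findings    = @()

# 1. File-level permissions on the install directory. Any Allow ACE that gives a
#    non-privileged principal ExecuteFile (or a generic right) defeats the
#    "use LIST" workaround.
$acl = Get-Acl -Path $InstallDir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who    = $ace.IdentityReference.Value
    $rights = [int64]$ace.FileSystemRights
    $canExec = (($rights -band $execBit) -ne 0) -or (($rights -band $genericMask) -ne 0)
    if ($canExec -and ($privileged -notcontains $who)) {
        $findings += "$who can execute under $InstallDir (rights: $($ace.FileSystemRights))"
    }
}

# 2. Service account. Per the thread the service runs as SYSTEM or an
#    administrator, and processes started from Process Manager inherit it.
#    LocalSystem is flagged outright; any other account is reported so the
#    operator can check its group membership.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    $findings += "service '$ServiceName' not found (placeholder name not replaced?)"
} elseif ($svc.StartName -eq 'LocalSystem') {
    $findings += "service '$($svc.Name)' runs as LocalSystem"
} else {
    Write-Output "service '$($svc.Name)' runs as '$($svc.StartName)'; verify it is not an administrator"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no non-privileged execute rights on $InstallDir and service is not LocalSystem"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it elevated on a host that still has the product installed; a clean result only covers the two checks above, not the Security Manager restrictions in IBM's second option.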