Specifications

SAFER – Vol. 3, Issue 6 20 © 2000 The Relay Group
Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
Released May 11, 2000
Affects Microsoft Windows NT 2000
Reference http://www.securityfocus.com/bid/1198
Problem
- The default configuration of SYSKEY allows any local user to decrypt data encrypted with the
Encrypted File System (EFS).
- A known vulnerability exists in Windows 2000 where the SAM database can be deleted if the
system is booted with a different operating system. Upon reboot, a new SAM database is created
with the Administrator account having a blank password. A malicious user can now login as
Administrator and decrypt data if the recovery key resides on the system.
- The default mode SYSKEY operates in is to 'Store Startup Key Locally'. Under this mode,
Windows 2000 will generate a random 128-bit system key and store it in the registry under
HKLM/SYSTEM. Running SYSKEY in this mode will leave the system vulnerable to the exploit
mentioned above.
- In addition, a tool called 'ntpasswd' is available which can reset the password of any local user
account, including the administrator account, by modifying password hashes in the SAM database.
A local user can use this tool to login as Administrator (who is the default data recovery agent in
the EFS) and from there, decrypt data using the EFS.
- Domain-based accounts are not affected by this vulnerability.
SAFER
- Configure SYSKEY to operate in either 'Use a Passphrase to Unlock the System Key' or 'Store
Startup Key on Floppy Disk' mode. However, this does not address an attack using the ntpasswd
tool.
Zedz Consultants ssh-1.2.27-8i.src.rpm Access Verification Vulnerability
Released May 10, 2000
Affects Zedz Consultants ssh-1.2.27-8i.src.rpm 1.2.27-8i
Reference http://www.securityfocus.com/bid/1189
Problem
- A flaw exists in the RedHat Linux RPM distributed by Zedz Consulting, version 1.2.27-8i. Because of
an authentication flaw introduced by a patch adding PAM support, it is possible for anyone to log in to
any valid account via ssh.
- This is NOT a flaw in ssh, or sshd, but rather in the patch applied to the distributed RPM. Users of
SSH 1.2.27 or OpenSSH are not vulnerable to this. Only those who installed this specific RPM
from the Zedz Consulting ftp site are susceptible.
SAFER
- Uninstall the RPM and install a non-susceptible package.
Netscape Communicator /tmp Symlink Vulnerability
Released May 10, 2000
Affects Netscape Communicator 4.5 up to 4.73
Reference http://www.securityfocus.com/bid/1201
Problem
- Netscape Communicator version 4.73 and prior may be susceptible to a /tmp file race condition
when importing certificates. Netscape creates a world-readable and world-writable file in /tmp
without calling stat() or fstat() on it. As such, should a user be able to predict the file name, it is
possible to cause a symbolic link to be created and followed elsewhere on the file system.
- Additionally, as the file is created mode 666 before being fchmod()'d to 600, there is a window of
opportunity for altering the contents of this file.
SAFER
- This issue has only been demonstrated on the Linux binary, for glibc. The sparc Solaris binary
does not behave this way.
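The two file-creation patterns behind the race in the Netscape item, as an added illustration that is not code from the newsletter or from Netscape: the first reproduces the open()-then-fchmod() sequence the advisory describes, the second creates the file 0600 from the start with O_EXCL|O_NOFOLLOW and cross-checks fstat() against lstat(); the scratch directory and file names are constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: O_CREAT without O_EXCL follows a planted symlink,
 * and the file is 0666 until fchmod() runs, leaving a world-writable window. */
int create_tmp_insecure(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) < 0) { close(fd); return -1; } /* tightened too late */
    return fd;
}

/* Hardened: refuse existing paths and symlinks, create 0600 from the start,
 * then confirm the descriptor is a fresh regular file we own (fstat vs lstat). */
int create_tmp_secure(const char *path) {
    struct stat fs, ls;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &fs) < 0 || lstat(path, &ls) < 0 || !S_ISREG(ls.st_mode) ||
        fs.st_ino != ls.st_ino || fs.st_dev != ls.st_dev ||
        fs.st_uid != getuid() || fs.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demonstration: in a private scratch directory (constructed), plant a symlink
 * "victim" -> "target" and run both creators on it. Returns 1 when only the
 * insecure variant followed the link and created "target", 0 otherwise. */
int demo_symlink_follow(void) {
    char dir[] = "/tmp/safer-demo-XXXXXX";
    char victim[128], target[128];
    int insecure_fd, secure_fd, result;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, victim) < 0) return -1;
    insecure_fd = create_tmp_insecure(victim); /* follows link, creates target */
    secure_fd = create_tmp_secure(victim);     /* O_EXCL|O_NOFOLLOW: fails */
    result = (insecure_fd >= 0 && access(target, F_OK) == 0 && secure_fd < 0);
    if (insecure_fd >= 0) close(insecure_fd);
    unlink(target); unlink(victim); rmdir(dir);
    return result;
}
```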