Vulnerabilities > CVE-2001-0045 - Unspecified vulnerability in Microsoft Windows NT 4.0/Terminalserver

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus

Summary

The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities.

Vulnerable Configurations

Part Description Count
OS
Microsoft
2

Nessus

NASL familyWindows
NASL idSMB_REG_RAS_ACCESS.NASL
descriptionThis script checks whether the following key can be modified by non-admins : HKLM\Software\Microsoft\Windows\RAS Write access to this key allows an unprivileged user to gain additional privileges.
last seen2020-06-01
modified2020-06-02
plugin id10567
published2000-12-08
reporterThis script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10567
titleMicrosoft Windows SMB Registry : NT RAS Administration Registry Key Permission Weakness Local Privilege Escalation
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
 script_id(10567);
 script_version("1.39");
 script_cvs_date("Date: 2018/11/15 20:50:28");

 script_cve_id("CVE-2001-0045");
 script_bugtraq_id(2064);
 script_xref(name:"MSFT", value:"MS00-095");

 script_name(english:"Microsoft Windows SMB Registry : NT RAS Administration Registry Key Permission Weakness Local Privilege Escalation");
 script_summary(english:"Determines the access rights of a remote key");

 script_set_attribute(attribute:"synopsis", value:"Local users can gain additional privileges.");
 script_set_attribute(attribute:"description", value:
"This script checks whether the following key can be modified by
non-admins :

HKLM\Software\Microsoft\Windows\RAS

Write access to this key allows an unprivileged user to gain
additional privileges.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-095");
 script_set_attribute(attribute:"solution", value:
"Use regedt32 and set the permissions of this key to :

- admin group  : Full Control
    - system	   : Full Control
    - everyone	   : Read");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2000/12/06");
 script_set_attribute(attribute:"plugin_publication_date", value:"2000/12/08");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");
 script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl");
 script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
 script_require_ports(139, 445);
 exit(0);
}

#

include("audit.inc");
include("smb_func.inc");

access = get_kb_item("SMB/registry_access");
if(!access)exit(0, "Registry not accessible.");

login	= kb_smb_login();
pass	= kb_smb_password();
domain  = kb_smb_domain();
port	= kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( r != 1 )
{
 NetUseDel();
 audit(AUDIT_SHARE_FAIL, "IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if ( isnull(hklm) )
{
 NetUseDel();
 audit(AUDIT_REG_FAIL);
}

key = "SOFTWARE\Microsoft\Windows\RAS";

key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED | ACCESS_SYSTEM_SECURITY);
if(!isnull(key_h))
{
 rep = RegGetKeySecurity (handle:key_h, type: DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION);
 if(!isnull(rep) && registry_key_writeable_by_non_admin(security_descriptor:rep))
 {
   security_warning(port);
 }
 RegCloseKey (handle:key_h);
}

RegCloseKey (handle:hklm);
NetUseDel();

Oval

accepted2008-03-24T04:00:38.358-04:00
classvulnerability
contributors
  • nameMatt Busby
    organizationThe MITRE Corporation
  • nameJonathan Baker
    organizationThe MITRE Corporation
definition_extensions
commentMicrosoft Windows NT is installed
ovaloval:org.mitre.oval:def:36
descriptionThe default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities.
familywindows
idoval:org.mitre.oval:def:500
statusaccepted
submitted2003-06-08T12:00:00.000-04:00
titleDefault Permissions on RAS Administration Key
version71