Microsoft Windows SMB Registry : Winlogon Key Permission Weakness

2000-05-2900:00:00

www.tenable.com

The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is writeable by users who are not in the admin group.

This key contains a value which defines which program should be run when a user logs on.

As this program runs in the SYSTEM context, the users who have the right to change the value of this key can gain more privileges on this host.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
 script_id(10429);
 script_version("1.33");
 script_cvs_date("Date: 2018/08/03 11:35:08");
 script_cve_id("CVE-1999-0589");
 script_bugtraq_id(182);

 script_name(english:"Microsoft Windows SMB Registry : Winlogon Key Permission Weakness");
 script_summary(english:"Determines the access rights of a remote key");

 script_set_attribute(attribute:"synopsis", value:"Local users can gain SYSTEM privileges.");
 script_set_attribute(attribute:"description", value:
"The registry key HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon is writeable by users who are not in the
admin group.

This key contains a value which defines which program should be run
when a user logs on.

As this program runs in the SYSTEM context, the users who have the
right to change the value of this key can gain more privileges on this
host.");
 script_set_attribute(attribute:"solution", value:
"Use regedt32 and set the permissions of this key to :

- admin group  : Full Control
    - system	   : Full Control
    - everyone	   : Read");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value:"2000/05/29");

script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");
 script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "smb_registry_access.nasl");
 script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
 script_require_ports(139, 445);
 exit(0);
}

#

include("audit.inc");
include("smb_func.inc");

access = get_kb_item("SMB/registry_access");
if(!access)exit(0, "Registry not accessible.");

login	= kb_smb_login();
pass	= kb_smb_password();
domain  = kb_smb_domain();
port	= kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( r != 1 )
{
 NetUseDel();
 audit(AUDIT_SHARE_FAIL, "IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if ( isnull(hklm) )
{
 NetUseDel();
 audit(AUDIT_REG_FAIL);
}

key = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon";

key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED | ACCESS_SYSTEM_SECURITY);
if(!isnull(key_h))
{
 rep = RegGetKeySecurity (handle:key_h, type: DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION);
 if(!isnull(rep) && registry_key_writeable_by_non_admin(security_descriptor:rep))
 {
   security_hole (port);
 }
 RegCloseKey (handle:key_h);
}

RegCloseKey (handle:hklm);
NetUseDel();

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0589

JSON

Related for SMB_REG_WINLOGON_PERMISSIONS.NASL