ibm.netfinity.rcs.nt.txt

17 Aug 1999. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

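The Process Manager component of IBM Netfinity Remote Control Software lets a user without admin rights run programs such as regedit.exe under the account the Netfinity service is configured with (SYSTEM or an administrator), bypassing NT system policy restrictions.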

Code
`Date: Tue, 25 May 1999 13:05:56 -0400  
From: Russ <[email protected]>  
To: [email protected]  
Subject: Security Leak with IBM Netfinity Remote Control Software  
  
On May 10th, 1999, Thomas Krug reported to NTBugtraq:  
  
>Hi,  
>  
>I found a method to run programs like regedit and user manager with  
>admin rights using the above tool. The following test scenario has  
>been used:  
>  
>PC with Windows NT Workstation in a Domain  
>Registry has been secured (especially HKLM)  
>The User has no local admin rights and is in no admin group.  
>The execution of regedit and regedt32 has been forbidden by system  
>policy.  
>  
>When running the Netfinity Client and starting the process manager  
>(view, close and execute processes) and run for instance  
>regedit.exe or musrmgr.exe the programs run under the user  
>configured with the Netfinity service, either the system account  
>or an admin.  
>  
>Thomas  
  
After an incredibly difficult journey through the labyrinth of IBM's  
support groups, I finally spoke to a Ted McDaniels who, reportedly, was  
responsible for support of the IBM Netfinity RCS.  
  
After explaining Tom's issues with the product, Ted acknowledged that  
IBM Netfinity RCS was "built with very little security in mind". He also  
expressed doubt that any "fix" might be made to it to give it even the  
most rudimentary NT security understandings.  
  
IBM did promise to send some sort of explanation to NTBugtraq regarding  
Thomas' findings, however, Ted has now gone on vacation and we're left  
with nothing from them.  
  
Can you detect how disappointed I am with IBM's reaction and handling of  
this issue?  
  
Thomas' company was in the process of ripping out IBM Netfinity RCS when  
he originally submitted the issue, and all indications are that anyone  
using IBM Netfinity RCS, or considering using it, should do the same.  
  
Bottom line, there is no way to control what a user can or cannot do  
with the "Process Manager" component of IBM Netfinity RCS, and clearly  
they are able to usurp all other controls you might have placed on your  
NT environment should the product be present. The service *must* be run  
as either SYSTEM or ADMINISTRATOR.  
  
If anyone has found a way to avoid the *HUGE SECURITY HOLE* this product  
creates in an NT environment, please let us know.  
  
Cheers,  
Russ - NTBugtraq Editor  
  
--------------------------------------------------------------------------  
  
Date: Wed, 9 Jun 1999 18:10:03 -0400  
From: [email protected]  
To: [email protected]  
Subject: IBM's response to "Security Leak with IBM Netfinity Remote Control Software"  
  
We at IBM have assessed this posting and have identified a choice of actions  
that can be taken to avoid this scenario. Nonetheless, we believe it is in the  
best interest of our customers to provide a patch in the form of a single  
downloadable file to eliminate this problem. The patch will be made available  
in two weeks.  
  
In the interim, the following precautionary options can be taken to avoid the  
scenario described in your posting:  
  
* Set the NT file-level permission on the entire WNETFIN directory (use LIST)  
to prevent the local user from executing any of the Netfinity Manager Services  
locally.  
  
* Restrict access to Netfinity Manager Services such as Process Manager and  
Remote Session via Netfinity Security Manager.  
  
* Start the support program service within a userid that is not an  
administrator in order to provide the audit capability.  
  
* Install Netfinity Manager code on administrator machines only and Client  
Services for Netfinity Manager on the general user population, thus limiting  
ability to use Process Manager and Remote Session to the administrators.  
  
* Modify the INSTALL.INI to prevent Process Manager and Remote Session from  
being installed.  
  
Thanks again for bringing this information to our attention.  
  
`
