Date: Tue, 25 May 1999 13:05:56 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Security Leak with IBM Netfinity Remote Control Software

On May 10th, 1999, Thomas Krug reported to NTBugtraq;

>Hi,
>
>I found a method to run programs like regedit and user manager with
>admin rights using the above tool. The following test scenario has
>been used:
>
>PC with Windows NT Workstation in a Domain
>Registry has been secured (especially HKLM)
>The User has no local admin rights and is in no admin group.
>The execution of regedit and regedt32 has been forbidden by system
>policy.
>
>When running the Netfinity Client and starting the process manager
>(view, close and execute processes) and run for instance
>regedit.exe or musrmgr.exe the programs run under the user
>configured with the netfinity service, either the system account
>or an admin.
>
>Thomas

After an incredibly difficult journey through the labyrinth of IBM's support groups, I finally spoke to a Ted McDaniels who, reportedly, was responsible for support of the IBM Netfinity RCS. After explaining Tom's issues with the product, Ted acknowledged that IBM Netfinity RCS was "built with very little security in mind". He also expressed doubt that any "fix" might be made to it to give it even the most rudimentary NT security understandings.

IBM did promise to send some sort of explanation to NTBugtraq regarding Thomas' findings, however, Ted has now gone on vacation and we're left with nothing from them.

Can you detect how disappointed I am with IBM's reaction and handling of this issue?

Thomas' company was in the process of ripping out IBM Netfinity RCS when he originally submitted the issue, and all indications are that anyone using IBM Netfinity RCS, or considering using it, should do the same.

Bottom line, there is no way to control what a user can or cannot do with the "Process Manager" component of IBM Netfinity RCS, and clearly they are able to usurp all other controls you might have placed on your NT environment should the product be present. The service *must* be run as either SYSTEM or ADMINISTRATOR.

If anyone has found a way to avoid the *HUGE SECURITY HOLE* this product creates in an NT environment, please let us know.

Cheers,
Russ - NTBugtraq Editor