[THIN] Question on exploit

  • From: "Giuseppe Bredariol" <gbr@xxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 31 Jan 2003 09:16:00 +0100

Hi Folks,

I received this alert via SANS. Does anyone know about the following problem?

Thanks in advance

Giuseppe

Description
-----------

Any user with sufficient permission to log on to a Windows 2000 Terminal Server (via RDP or ICA) and access its filesystem can reboot the server at will.

Exploit
-------

- Open %SYSTEMROOT%\SYSTEM32\MSGINA.DLL for exclusive access (read lock).
  Use Radsoft's HEXVIEW.EXE from Rix2K to do this.

- Open a new connection to the server via RDP/ICA.

- Click the nice, helpful "Restart" button in the warning dialog that appears ("msgina.dll failed to load").

Tested on Windows 2000 Server (IE55, SP2) and Windows 2000 Server (IE55, SP3). I do not have easy access to other platforms at the moment.

Workaround
----------

- Remove all permissions from MSGINA.DLL for "Power Users", "Users" and "Everyone".

Note: The above workaround has been tested on Windows 2000 Server (IE55, SP2) and users were still able to log in as normal. I am not aware of a need for MSGINA.DLL to be accessible by normal users, but if there are any such circumstances Microsoft will need to produce an alternative fix.

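The following is an added example, not part of the forwarded alert or of Giuseppe's message. It turns the two halves of the post into something you can run on a Windows 2000/XP/2003 host: a check for the exploit's precondition (can the current user open msgina.dll with no sharing, i.e. take the lock the post relies on), and the posted workaround applied through the ACL. The path, and the group names "Users", "Power Users" and "Everyone", come from the alert; the BUILTIN\ prefixes, the function names and the use of Get-Acl/Set-Acl are assumptions of this example. Note that msgina.dll only exists on those Windows versions (the GINA model was replaced by credential providers in Vista), so on newer systems this script will simply fail to find the file.

```powershell
# Added example (not from the post or the SANS alert): test the exploit's
# precondition and apply the posted workaround to msgina.dll.
# Assumes Windows PowerShell with Get-Acl/Set-Acl on Windows 2000/XP/2003,
# where %SystemRoot%\System32\msgina.dll exists. Run elevated for the ACL change.

$MsginaPath = Join-Path $env:SystemRoot 'System32\msgina.dll'

function Test-ExclusiveLock {
    # Returns $true if the caller can open $Path with FileShare.None, which is
    # exactly the lock the post says a logged-on user can take. The handle is
    # released immediately so a concurrent logon is not disturbed.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::None)
        $fs.Dispose()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false      # the ACL denies this user: workaround is in effect
    } catch [System.IO.IOException] {
        return $false      # another process already holds a conflicting lock
    }
}

function Show-FileAccess {
    # Lists every ACE on the file so the before/after difference is visible.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

function Remove-LowPrivAccess {
    # Applies the workaround from the post: drop every ACE granted to the three
    # groups it names. Group spellings below are assumed (BUILTIN\ well-known names).
    param([string]$Path)
    $groups = @('BUILTIN\Users', 'BUILTIN\Power Users', 'Everyone')
    $acl = Get-Acl -Path $Path
    # Inherited ACEs cannot be removed individually: protect the DACL first and
    # keep copies of the inherited entries as explicit ones, then prune those.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($ace in @($acl.Access)) {
        if ($groups -contains $ace.IdentityReference.Value) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path $Path -AclObject $acl
}

Write-Host 'Before:'
Show-FileAccess $MsginaPath
Write-Host ("Exclusive lock possible as {0}: {1}" -f $env:USERNAME, (Test-ExclusiveLock $MsginaPath))

Remove-LowPrivAccess $MsginaPath

Write-Host 'After:'
Show-FileAccess $MsginaPath
Write-Host ("Exclusive lock possible as {0}: {1}" -f $env:USERNAME, (Test-ExclusiveLock $MsginaPath))
```

Run the whole script once as an administrator to change the ACL, then run only Test-ExclusiveLock from a Terminal Server session as an ordinary member of Users: administrators keep their own access, so the meaningful "after" result is the standard user's, which should be False. As the post itself notes, this is a workaround rather than a fix; the underlying problem is that winlogon loads the GINA from a file a logged-on user can lock, and only the vendor can change that.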