[THIN] Re: Question on exploit

  • From: <Dave.Boatman@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 31 Jan 2003 14:12:03 -0000

I've tried this and indeed it does cause the server to reboot. You don't
even have to have a valid login ID.

Also this exploit will kill your Citrix servers as well.

1. open msgina.dll
2. open a desktop connection (ICA) to the server

3. <snip>
Click the nice, helpful "Restart" button in the warning dialog that
appears ("msgina.dll failed to load")
</snip>
i.e. the error message above is for the ctxgina.dll

4. Sit there with your head in your hands and say "oh dear"


HTH.

Dave Boatman

-----Original Message-----
From: Giuseppe Bredariol [mailto:gbr@xxxxxxxxx]
Sent: 31 January 2003 08:16
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Question on exploit


Hi Folks,

I received this alert via SANS org. Does anyone know about the following
problem?

Thanks in advance

Giuseppe


Description
-----------

Any user with sufficient permission to log on to a Windows 2000 Terminal
Server (via RDP or ICA) and access its filesystem can reboot the server
at will.


Exploit
-------

- Open %SYSTEMROOT%\SYSTEM32\MSGINA.DLL for exclusive access (read
  lock). Use Radsoft's HEXVIEW.EXE from Rix2K to do this.

- Open a new connection to the server via RDP/ICA

- Click the nice, helpful "Restart" button in the warning dialog that
  appears ("msgina.dll failed to load")

Tested on Windows 2000 Server (IE55, SP2) and Windows 2000 Server (IE55,
SP3). I do not have easy access to other platforms at the moment.


Workaround
----------

- Remove all permissions from MSGINA.DLL for "Power Users", "Users" and
  "Everyone"

Note: The above workaround has been tested on Windows 2000 Server (IE55,
SP2) and users were still able to log in as normal. I am not aware of a
need for MSGINA.DLL to be accessible by normal users, but if there are
any such circumstances Microsoft will need to produce an alternative
fix.

***************************************************************************
This Week's Sponsor: New Wyse(R) Expedian(TM) software maximizes your server
capacity--cost-effectively. Now you can dramatically increase the number of
users on a server by as much as 40%--and reduce the number of servers you
have to manage. By optimizing memory usage, Wyse Expedian software allows
the terminal server to support more applications and more concurrent users.
Download your 30-day free trial today at:
http://www.wyse.com/expedian/eval.cfm?promo=US-Ad-0103TheThinNetNewsletterEM
****************************************************************************


For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm


CONFIDENTIALITY NOTICE
This communication and the information it contains is intended for the
person or organisation to whom it is addressed.  Its contents are
confidential and may be protected in law.  Unauthorised use, copying or
disclosure of any of it may be unlawful.  If you are not the intended
recipient, please contact us immediately.

The contents of any attachments in this e-mail may contain software
viruses, which could damage your own computer system.  While Marlborough
Stirling has taken every reasonable precaution to minimise this risk, we
cannot accept liability for any damage which you sustain as a result of
software viruses.  You should carry out your own virus checking procedure
before opening any attachment.

Marlborough Stirling plc, Registered No. 3008820,
Allen Jones House, Jessop Avenue, Cheltenham, Gloucestershire, GL50 3SH
Tel: 01242 547000     Fax: 01242 547100
<http://www.marlborough-stirling.com>
<http://www.exchange.co.uk>

The following companies are subsidiaries of Marlborough Stirling plc and
are registered in England and Wales at the above address:
The Marlborough Stirling Group PLC, Registered No. 1855353
Marlborough Stirling Administration Limited, Registered No. 2341195
Exchange FS Group plc, Registered No. 3760381
Exchange FS Limited, Registered No. 2596452
Crisp Computing Limited, Registered No. 1547979

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan
service. For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________
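An added example, not from the list post or the SANS advisory quoted in it: a PowerShell script that audits the ACL on MSGINA.DLL for the three groups named in the advisory's workaround ("Power Users", "Users", "Everyone") and, when run with -Remediate, removes their entries in the way the workaround describes. It assumes a Windows host with PowerShell 3.0 or later; the BUILTIN-qualified group names, the -Remediate switch and the output layout are this script's own choices. msgina.dll only exists on Windows 2000-era builds (the advisory's target), and on later Windows the System32 files are owned by TrustedInstaller, so Set-Acl there would fail without first taking ownership.

```powershell
# Audit (and optionally tighten) the ACL on MSGINA.DLL per the quoted workaround.
# Added example; not code from the list thread or the advisory.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\msgina.dll'),
    [switch]$Remediate
)

# Groups the workaround says should hold no permissions on the file (assumed
# BUILTIN spelling; "Everyone" is the well-known group name).
$UnwantedPrincipals = @('BUILTIN\Users', 'BUILTIN\Power Users', 'Everyone')

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "$Path not found (msgina.dll exists only on Windows 2000-era builds)."
    return
}

$acl = Get-Acl -LiteralPath $Path

# Every ACE granted to one of the broad groups, with a flag showing whether it
# is inherited from the parent directory (typical for files under System32).
$offending = @($acl.Access | Where-Object {
    $UnwantedPrincipals -contains $_.IdentityReference.Value
})

foreach ($ace in $offending) {
    '{0,-22} {1,-6} {2,-40} inherited={3}' -f $ace.IdentityReference,
        $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited
}

if ($offending.Count -eq 0) {
    "No ACEs for $($UnwantedPrincipals -join ', ') on $Path"
    return
}

if ($Remediate) {
    # Inherited ACEs cannot be removed one by one: break inheritance while
    # keeping the current effective entries, then purge the unwanted principals.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($name in $UnwantedPrincipals) {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    "Removed ACEs for $($UnwantedPrincipals -join ', ') from $Path."
    "Re-test interactive logon as a standard user, as the advisory did, before relying on this."
}
```

Run it without switches first to see which of the three groups currently hold rights and whether those rights are inherited; the advisory's own note that logons kept working after the change is the check to repeat after running with -Remediate.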