[THIN] Re: Question on exploit

  • From: <Dave.Boatman@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 31 Jan 2003 15:15:51 -0000

Oh and by the way......

The remote connection to the server can be from any workstation.

i.e.

1. Some nasty user opens the msgina.dll
2. Some innocent user wants to do some work via terminal server / citrix

3. The innocent user clicks the "user Interface Failure" message relating to
xxxGINA.DLL

4. The server reboots.


Dave Boatman


-----Original Message-----
From: Dave Boatman
Sent: 31 January 2003 14:12
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Question on exploit


I've tried this and indeed it does cause the server to reboot. You don't
even have to have a valid login ID.

Also this exploit will kill your citrix servers as well.

1. open msgina.dll
2. open a desktop connection (ICA) to the server

3. <snip>
Click the nice, helpful "Restart" button in the warning dialog that
appears ("msgina.dll failed to load")
</snip>
i.e. the error message above is for the ctxgina.dll

4. Sit there with your head in your hands and say "oh dear"


HTH.

Dave Boatman

-----Original Message-----
From: Giuseppe Bredariol [mailto:gbr@xxxxxxxxx]
Sent: 31 January 2003 08:16
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Question on exploit


Hi Folks,

I received this alert via SANS org. Does anyone know about the following
problem?

Thanks in advance

Giuseppe


Description
-----------


Any user with sufficient permission to log on to a Windows 2000 Terminal
Server (via RDP or ICA) and access its filesystem can reboot the server
at will.



Exploit
-------


- Open %SYSTEMROOT%\SYSTEM32\MSGINA.DLL for exclusive access (read
lock).
  Use Radsoft's HEXVIEW.EXE from Rix2K to do this.


- Open a new connection to the server via RDP/ICA


- Click the nice, helpful "Restart" button in the warning dialog that
appears ("msgina.dll failed to load")


Tested on Windows 2000 Server (IE55, SP2) and Windows 2000 Server (IE55,
SP3). I do not have easy access to other platforms at the moment.



Workaround
----------


- Remove all permissions from MSGINA.DLL for "Power Users", "Users" and
  "Everyone"


Note: The above workaround has been tested on Windows 2000 Server (IE55,
SP2) and users were still able to log in as normal. I am not aware of a
need for MSGINA.DLL to be accessible by normal users, but if there are
any such circumstances Microsoft will need to produce an alternative
fix.
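As an added example that is not part of the thread or of the SANS advisory: a PowerShell script that implements the advisory's workaround audit-first. It lists every Allow ACE on MSGINA.DLL granted to "Users", "Power Users" or "Everyone" and, only when run with -Fix, breaks inheritance (keeping the existing entries so SYSTEM and Administrators retain access) and removes those ACEs. The default path, the -Fix switch and the principal spellings are assumptions: it expects a Windows build that still ships msgina.dll (Windows 2000/XP/2003; later versions replaced GINA with credential providers) and an English-language system where the built-in groups resolve to BUILTIN\Users and BUILTIN\Power Users.

```powershell
# Added example, not from the thread or the advisory: audit (and, with -Fix,
# apply) the workaround of removing MSGINA.DLL permissions for
# "Power Users", "Users" and "Everyone". Run from an elevated PowerShell.
param(
    # Assumed default path; only legacy Windows builds ship msgina.dll.
    [string]$Path = (Join-Path $env:SystemRoot 'System32\msgina.dll'),
    # Audit only unless -Fix is given.
    [switch]$Fix
)

# Principals named in the advisory's workaround, as they resolve on an
# English-language system (assumption).
$Unwanted = @('BUILTIN\Users', 'BUILTIN\Power Users', 'Everyone')

function Get-UnwantedAces([string]$FilePath) {
    # Return every Allow ACE on the file that grants access to an unwanted principal.
    (Get-Acl -LiteralPath $FilePath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Unwanted -contains $_.IdentityReference.Value
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "$Path not found; nothing to audit."
    return
}

$aces = @(Get-UnwantedAces $Path)
if ($aces.Count -eq 0) {
    Write-Output "OK: no Allow ACEs for Users, Power Users or Everyone on $Path"
    return
}

Write-Output "Found $($aces.Count) ACE(s) that let ordinary users open ${Path}:"
$aces | Select-Object @{n='Principal';e={$_.IdentityReference.Value}},
                      FileSystemRights, IsInherited | Format-Table -AutoSize

if (-not $Fix) { return }

# Inherited ACEs cannot be removed one by one. Break inheritance first,
# keeping copies of the inherited entries so SYSTEM and Administrators
# retain their access, write that back, then re-read the ACL so that
# every entry is now explicit.
$acl = Get-Acl -LiteralPath $Path
if ($aces | Where-Object IsInherited) {
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
}

# Remove each unwanted explicit ACE; RemoveAccessRule matches on identity,
# rights, flags and type, so rules read from the fresh ACL match.
foreach ($ace in @(Get-UnwantedAces $Path)) {
    [void]$acl.RemoveAccessRule($ace)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: an empty result means the workaround is in place.
if (@(Get-UnwantedAces $Path).Count -eq 0) {
    Write-Output "Fixed: ordinary users can no longer open $Path"
} else {
    Write-Warning "Some ACEs remain on $Path; check ownership and deny rules."
}
```

Run it without arguments first to see what the ACL currently grants; only the audit output tells you whether a production server is exposed. The audit and the fix both re-read the ACL from disk rather than trusting the in-memory object after SetAccessRuleProtection, which is what makes the inherited-ACE case behave predictably. After applying -Fix, repeat the advisory's own check that ordinary users can still log on before rolling the change out further.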


