Oh and by the way...... The remote connection to the server can be from any workstation. i.e.

1. Some nasty user opens the msgina.dll
2. Some innocent user wants to do some work via terminal server / citrix
3. The innocent user clicks the "user Interface Failure" message relating to xxxGINA.DLL
4. The server reboots.

Dave Boatman

-----Original Message-----
From: Dave Boatman
Sent: 31 January 2003 14:12
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Question on exploit

I've tried this and indeed it does cause the server to reboot. You don't even have to have a valid login ID.
Also this exploit will kill your citrix servers as well..

1. open msgina.dll
2. open a desktop connection (ICA) to the server
3. <snip> Click the nice, helpful "Restart" button in the warning dialog that appears ("msgina.dll failed to load") </snip>
   i.e. the error message above is for the ctxgina.dll
4. Sit there with your head in your hands and say "oh dear"

HTH.

Dave Boatman

-----Original Message-----
From: Giuseppe Bredariol [mailto:gbr@xxxxxxxxx]
Sent: 31 January 2003 08:16
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Question on exploit

Hi Folks,

I received this alert via SANS org. Does someone know about the following problem?

Thanks in advance
Giuseppe

Description
-----------
Any user with sufficient permission to log on to a Windows 2000 Terminal Server (via RDP or ICA) and access its filesystem can reboot the server at will.

Exploit
-------
- Open %SYSTEMROOT%\SYSTEM32\MSGINA.DLL for exclusive access (read lock). Use of Radsoft's HEXVIEW.EXE from Rix2K to do this.
- Open a new connection to the server via RDP/ICA
- Click the nice, helpful "Restart" button in the warning dialog that appears ("msgina.dll failed to load")

Tested on Windows 2000 Server (IE55, SP2) and Windows 2000 Server (IE55, SP3).
I do not have easy access to other platforms at the moment.

Workaround
----------
- Remove all permissions from MSGINA.DLL for "Power Users", "Users" and "Everyone"

Note: The above workaround has been tested on Windows 2000 Server (IE55, SP2) and users were still able to log in as normal. I am not aware of a need for MSGINA.DLL to be accessible by normal users, but if there are any such circumstances Microsoft will need to produce an alternative fix.
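The workaround quoted in the alert is an ACL change, and the reason it works is simple: a user who is denied access to MSGINA.DLL cannot open it, so cannot hold the lock that makes Winlogon fail for the next session. The script below is an added example, not code from the thread or from SANS. It applies the quoted workaround (strip "Users", "Power Users" and "Everyone" from the DLL's ACL) and, before writing anything back, checks that SYSTEM and Administrators still have read access, because Winlogon loads the GINA as SYSTEM and removing that would break console logon too. It assumes a Windows 2000-style layout where %SYSTEMROOT%\System32\MSGINA.DLL exists (later Windows versions replaced GINA with credential providers and this file is not present) and a PowerShell host with Get-Acl/Set-Acl, which did not ship with Windows 2000; the era-appropriate one-liner would have been cacls with /E /R. The variable names $dll, $deny and $keep are this example's own.

```powershell
# Added example (not from the original thread): apply the MSGINA.DLL ACL workaround
# and verify that the accounts which actually load the GINA keep read access. Run elevated.
$dll  = Join-Path $env:SystemRoot 'System32\msgina.dll'
$deny = @('BUILTIN\Users', 'BUILTIN\Power Users', 'Everyone')   # groups named in the alert
$keep = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')      # must retain access

if (-not (Test-Path -Path $dll)) { throw "$dll not found; this workaround only applies to GINA-based Windows (2000/XP/2003)" }

# ACEs on files under System32 are normally inherited from the directory, and an inherited
# ACE cannot be removed from the file itself. Pass 1: break inheritance, keeping copies of the
# inherited ACEs as explicit ACEs on this file, and persist that before editing anything.
$acl = Get-Acl -Path $dll
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $dll -AclObject $acl

# Pass 2: re-read (ACEs are now explicit) and purge every ACE for the groups in $deny.
$acl = Get-Acl -Path $dll
foreach ($group in $deny) {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$group)
}

# Safety check before writing back: SYSTEM and Administrators must keep ReadAndExecute,
# otherwise Winlogon itself can no longer load the DLL and nobody can log on at all.
$need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
foreach ($id in $keep) {
    $ok = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $need) -eq $need)
    }
    if (-not $ok) { throw "Refusing to apply: $id would lose read access to $dll" }
}

Set-Acl -Path $dll -AclObject $acl

# Show what is now on disk so the change can be confirmed (and recorded in the change log).
(Get-Acl -Path $dll).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The two-pass shape matters: if inheritance is broken and the purge is attempted in the same in-memory object, the inherited entries are still marked inherited and the purge silently does nothing, which is exactly the kind of "workaround applied but not effective" state a later audit will not notice. Re-running Get-Acl after the change, as the last lines do, is the check to keep in the change record.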