DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  DLLs


SYSTEMS AFFECTED

  Win NT 3.5, 3.51, 4.0

  

PROBLEM


    This vulnerability was originally presented on:

        www.ntshop.com/security

    and this text is their credit.



    System DLLs are called by applications and the registry, and can
    be replaced with trojaned/virused versions. %systemroot% and
    %systemroot%\system32 directories have default permissions of
    'Everyone' (includes guest) set to 'Change'. This allows DLLs not
    in use to be replaced. DLLs in use are locked.



    DLLs are run by programs at various levels during normal
    operation. A DLL, for example, can be run with SYSTEM privileges by
    a service while a user with normal privileges is logged on.



    This is also true for MSGINA.DLL, the default "Graphical
    Identification and Authorization" provider for the local console
    logon, which, if replaced, could seriously compromise your entire
    enterprise.



   good measure of common sense and diligence. Some things you can do are
   to set your file permissions accordingly,





EXPLOIT

  

SOLUTION


    Check/set your system permissions, don't install new software
    using an account with any level of administrative privileges, use
    SMS where possible, use a registry monitor such as NTRegMon when
    installing software, be leery of using any third-party Web-based
    executables including ISAPI .DLLs and Java, and test new things on
    isolated systems.
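
    One way to carry out the "check your system permissions" step, as an
    added example that is not part of the original advisory: it parses
    cacls-style ACL listings and reports entries where a broad principal
    such as 'Everyone' holds Change or better. The sample listing, the
    C:\WINNT path and the watch list of principals are constructed
    assumptions.

```python
import re

# Rights letters that let a file be overwritten: cacls prints F/C/W, icacls F/M/W.
WRITE_RIGHTS = {"F": "Full Control", "C": "Change", "M": "Modify", "W": "Write"}
# Inheritance markers that can precede the right; they grant nothing themselves.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Assumed watch list: principals that cover ordinary or guest logons.
BROAD_PRINCIPALS = {"everyone", "guest", "guests", "users", "authenticated users"}

# Constructed sample in cacls output style (not captured from a real host).
SAMPLE = r"""C:\WINNT Everyone:(OI)(CI)C
         BUILTIN\Administrators:(OI)(CI)F

C:\WINNT\system32 Everyone:(OI)(CI)C
                  BUILTIN\Administrators:(OI)(CI)F
                  CREATOR OWNER:(OI)(CI)(IO)F

C:\WINNT\system32\MSGINA.DLL Everyone:R
                             BUILTIN\Administrators:F
"""

def parse_acl_listing(text):
    """Yield (path, principal, [right codes]) per ACE; assumes paths without spaces."""
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new entry with its path
            path, _, line = line.partition(" ")
        who, sep, spec = line.strip().partition(":")
        if not sep or path is None:
            continue  # not an ACE line
        codes = [t for t in re.findall(r"[A-Z]+", spec) if t not in INHERIT_FLAGS]
        yield path, who, codes

def weak_aces(text):
    """Return (path, principal, right) where a broad principal can replace files."""
    findings = []
    for path, who, codes in parse_acl_listing(text):
        name = who.split("\\")[-1].lower()  # drop a DOMAIN\ or BUILTIN\ prefix
        for code in codes:
            if name in BROAD_PRINCIPALS and code in WRITE_RIGHTS:
                findings.append((path, who, WRITE_RIGHTS[code]))
    return findings

if __name__ == "__main__":
    for path, who, right in weak_aces(SAMPLE):
        print(f"{path}: {who} has {right}")
```

    Feed it the saved output of cacls run against %systemroot% and
    %systemroot%\system32; an empty result means no listed broad
    principal can replace files there.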