There are two ways to do the fix. One is to change the current
::RegCreateKey() to ::RegCreateKeyEx(), which contains the additional
security thing, which is the meat of my previous effort.

Or as I saw your point about too tight permissions, I have been working on
finding out if we are running on Windows NT (or later) and use
::LsaRetrievePrivateData() and ::LsaStorePrivateData() in
vncProperties::LoadPassword and its mate. As the Lsa stuff got out of hand,
I've created a new helper class, vncLsa, which does all the dirty work. It
has a few downsides right now; on an NT 4.0 cluster, the wrong computer name
will be given, and LsaStorePrivateData will stash the data in the active
node, not necessarily the computer it runs on. I'm concerned that the
platform sdk you need to compile this on will be very recent, and I can't
see a way for this to compile on Win9x without breaking the NT service (the
tchar/wchar thing). Compiling the other way will work.

I've almost got this approach working in my own mind. I've included my most
recent files to show you where I am going. Any help appreciated. :-)

LsaRetrievePrivateData() is nice; it only allows the creator or the
Administrator to retrieve or set a value. This doesn't protect you
completely, but using the object key L$VncPassword, it will prevent most
forms of remote attack. It doesn't fix the underlying problem (reversible
encryption), nor traceability/auditability, nor multiple users, but it does
improve the levels of local obfuscation.

http://msdn.microsoft.com/library/psdk/lsapol/lsapol_7tk1.htm

Andrew
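
The LsaStorePrivateData/LsaRetrievePrivateData round trip described above, as an added example (not Andrew's attached vncLsa class, which is not on the page); it assumes the L$VncPassword key from his message, a Win32 build against ntsecapi.h linked with advapi32.lib, and the hypothetical function names vnc_lsa_store/vnc_lsa_retrieve:

```c
/* Added example, not the vncLsa helper from the thread. Assumes the key name
 * L$VncPassword ("L$" = local secret, not readable from a remote machine) and
 * a Win32 build linked with advapi32.lib; off Windows only the helper compiles. */
#include <string.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
typedef unsigned short USHORT;   /* stand-in matching ntsecapi.h's layout */
typedef struct { USHORT Length; USHORT MaximumLength; wchar_t *Buffer; } LSA_UNICODE_STRING;
#endif
/* Length is in bytes WITHOUT the terminator, MaximumLength WITH it; mixing them
 * up truncates or over-reads the secret. Returns the byte length. */
size_t lsa_init_string(LSA_UNICODE_STRING *s, wchar_t *str) {
    size_t bytes = wcslen(str) * sizeof(wchar_t);
    s->Buffer = str;
    s->Length = (USHORT)bytes;
    s->MaximumLength = (USHORT)(bytes + sizeof(wchar_t));
    return bytes;
}
#ifdef _WIN32
static DWORD open_policy(ACCESS_MASK access, LSA_HANDLE *h) {
    LSA_OBJECT_ATTRIBUTES oa = {0};  /* LSA requires this zeroed */
    return LsaNtStatusToWinError(LsaOpenPolicy(NULL, &oa, access, h));
}
/* Store the password blob under L$VncPassword; a NULL value deletes it. */
DWORD vnc_lsa_store(wchar_t *value) {
    LSA_HANDLE h; LSA_UNICODE_STRING key, data; DWORD err;
    if ((err = open_policy(POLICY_CREATE_SECRET, &h))) return err;
    lsa_init_string(&key, L"L$VncPassword");
    if (value) lsa_init_string(&data, value);
    err = LsaNtStatusToWinError(LsaStorePrivateData(h, &key, value ? &data : NULL));
    LsaClose(h); return err;
}
/* Copy the stored blob into out (out_chars wide chars) and NUL-terminate it. */
DWORD vnc_lsa_retrieve(wchar_t *out, size_t out_chars) {
    LSA_HANDLE h; LSA_UNICODE_STRING key, *data = NULL; DWORD err;
    if ((err = open_policy(POLICY_GET_PRIVATE_INFORMATION, &h))) return err;
    lsa_init_string(&key, L"L$VncPassword");
    err = LsaNtStatusToWinError(LsaRetrievePrivateData(h, &key, &data));
    LsaClose(h); if (err) return err;
    size_t n = data->Length / sizeof(wchar_t);   /* Buffer is not NUL-terminated */
    if (n >= out_chars) err = ERROR_INSUFFICIENT_BUFFER;
    else { memcpy(out, data->Buffer, data->Length); out[n] = L'\0'; }
    SecureZeroMemory(data->Buffer, data->Length);  /* wipe LSA's copy before freeing */
    LsaFreeMemory(data);
    return err;
}
#endif
```

Off Windows only the LSA_UNICODE_STRING helper builds, which is where the Length/MaximumLength mistake usually hides.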

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of James ''Wez''
Weatherall
Sent: Friday, 15 December 2000 22:29
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: VU#197477/Registry permission vulnerability


> It hasn't been addressed in either the original or tridia releases as far
> as I am aware.
>
> I have a little addendum that I have tested on my Win2K box that resets
> the permissions upon server/service start, I should really get around to
> contributing that code for WinVNC. I no longer have NT 4.0 around to test
> with, so I am willing to give the code/binaries to anyone running NT 4.0
> to see if it fixes this problem. I'm working with the tridia source code
> base, but it's easily backportable to the original 3.3.3r7 source base.

If you have any example code that sets the appropriate permission then I'll
happily take a look with a view to including it.

> However, the install files (which are not anywhere I can find) are the
> best place to correctly set registry permissions in the first instance. Does
> anyone have access to these? I have InstallShield for VisualC++ 6, so I
> can recompile the installer once I have a look at the install source, assuming
> that winvnc uses InstallShield (it certainly smells like an IS install to
> me).

If you "correct" the registry permissions during install then WinVNC won't
operate correctly as an application, since it won't have permission to read
the password part of the local machine registry.  Setting the permissions
during -install is probably the best compromise, although it's not clear
whether the registry should be reverted during -remove.

Cheers,

James "Wez" Weatherall
--
          "The path to enlightenment is /usr/bin/enlightenment"
Laboratory for Communications Engineering, Cambridge - Tel : 766513
AT&T Labs Cambridge, UK                              - Tel : 343000
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------

[demime 0.97b removed an attachment of type application/x-zip-compressed which had a name of donotuseyet.zip]