
CERT Coordination Center

ScriptLogic RPC service allows local users to modify arbitrary registry settings

Vulnerability Note VU#609137

Original Release Date: 2003-04-30 | Last Revised: 2003-04-30

Overview

There is a vulnerability in version 4.01 of ScriptLogic that could allow local users to gain full access to the registry.

Description

The ScriptLogic product from ScriptLogic, Inc. provides remote system administration capabilities for Microsoft Windows systems in a domain. A vulnerability in version 4.01 of the ScriptLogic RPC service allows unauthorized end-users to obtain full access to their registry, regardless of security restrictions therein. According to ScriptLogic, "The ScriptLogic RPC service allows the client to request a registry modification from the SLRPC service running on the authenticating domain controller."

If the ScriptLogic client application is unable to set a registry setting on the end-user's workstation, it makes an RPC request to the ScriptLogic RPC service. This service then connects to the remote registry on the workstation and applies the setting. It is able to do so only because it has administrative permissions on the workstation. However, version 4.01 of ScriptLogic, as tested by the CERT/CC, fails to prevent normal users from making requests containing registry configuration data of their own choosing. This flaw allows an unauthorized user to make registry changes that they would normally be prevented from making.
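A simplified model of the request flow described above, added here as an illustration and not taken from ScriptLogic's code or protocol: a service with administrative rights that applies caller-supplied registry data, next to a variant that applies only writes the administrator configured. All function names, the policy table and the registry paths are hypothetical.

```python
# Simplified model of the flaw described above. Added example, not ScriptLogic
# code or its RPC protocol; every name and registry path here is hypothetical.
from dataclasses import dataclass, field

# Constructed sample: the (key, value) writes the administrator configured per user.
ADMIN_POLICY = {
    "alice": {(r"HKLM\Software\Example\Desktop\Wallpaper", "corp.bmp")},
}

@dataclass
class Workstation:
    """Stands in for the workstation's remote registry."""
    registry: dict = field(default_factory=dict)

    def write_as_admin(self, key, value):
        # The service holds administrative rights, so registry ACLs never stop it.
        self.registry[key] = value

def handle_vulnerable(caller, ws, key, value):
    """4.01-style behaviour as the note describes it: caller-chosen data is applied."""
    ws.write_as_admin(key, value)
    return True

def handle_hardened(caller, ws, key, value):
    """Apply a write only when the administrator's policy for this caller lists it.

    Assumption: `caller` is the identity authenticated by the RPC layer,
    never a field taken from the request body.
    """
    if (key, value) not in ADMIN_POLICY.get(caller, set()):
        return False  # data was not authored by the administrator: refuse
    ws.write_as_admin(key, value)
    return True

def demo():
    """Send one user-chosen write and one policy write through each handler."""
    chosen = (r"HKLM\Software\Example\Restricted", "user-chosen")
    policy = (r"HKLM\Software\Example\Desktop\Wallpaper", "corp.bmp")
    old, new = Workstation(), Workstation()
    return {
        "vulnerable_applies_chosen": handle_vulnerable("alice", old, *chosen),
        "hardened_applies_chosen": handle_hardened("alice", new, *chosen),
        "hardened_applies_policy": handle_hardened("alice", new, *policy),
        "hardened_registry": dict(new.registry),
    }

if __name__ == "__main__":
    print(demo())
```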

This vulnerability affects end-user systems running Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP. Although the ScriptLogic software also runs on Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Me, this vulnerability is irrelevant to systems running these versions of Windows. Because these platforms do not feature distinct users and security contexts, access to a user account in the domain, which is a necessary precondition to exploitation of this vulnerability, is already tantamount to administrative access on them. Furthermore, since the ScriptLogic RPC service is an optional component of the ScriptLogic system, sites that have not installed this service during the initial installation of the ScriptLogic software are not affected by this vulnerability.

The CERT/CC has verified the existence of this vulnerability in version 4.01 of the ScriptLogic software. Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. The ScriptLogic RPC service has been replaced in this version of the ScriptLogic software.

Impact

An unauthorized user can make arbitrary changes to the registry of the affected system. This level of access can easily be leveraged by an attacker to gain administrative privileges.

Solution

Upgrade to the latest version of the software

Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. Users of potentially vulnerable versions of the software are encouraged to upgrade to this version.

Acknowledgements

This document was written by Chad R Dougherty. Technical assistance during testing was provided by Art Manion and Matt Lytle. The CERT/CC appreciates ScriptLogic, Inc.'s cooperation in providing an updated copy of the software for the purpose of vulnerability testing.

Other Information

CVE IDs: None
Severity Metric: 2.14
Date Public: 2003-04-30
Date First Published: 2003-04-30
Date Last Updated: 2003-04-30 20:10 UTC
Document Revision: 33

Sponsored by CISA.