
CERT Coordination Center

ScriptLogic RPC service allows local users to modify arbitrary registry settings

Vulnerability Note VU#609137

Original Release Date: 2003-04-30 | Last Revised: 2003-04-30

Overview

There is a vulnerability in version 4.01 of ScriptLogic that could allow local users to gain full access to the registry.

Description

The ScriptLogic product from ScriptLogic, Inc. provides remote system administration capabilities for Microsoft Windows systems in a domain. A vulnerability in version 4.01 of the ScriptLogic RPC service allows unauthorized end-users to obtain full access to their registry, regardless of security restrictions therein. According to ScriptLogic, "The ScriptLogic RPC service allows the client to request a registry modification from the SLRPC service running on the authenticating domain controller."

If the ScriptLogic client application is unable to set a registry setting on the end-user's workstation, it makes an RPC request to the ScriptLogic RPC service. The service then connects to the remote registry on the workstation and applies the setting, which it can do only because it has administrative permissions on the workstation. However, version 4.01 of ScriptLogic, as tested by the CERT/CC, fails to prevent normal users from making requests that carry registry configuration data of their own choosing. This flaw allows an unauthorized user to make changes to the registry that they would normally be prevented from making.
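The privileged-broker design described above, as an added illustration (not ScriptLogic code and not part of the original advisory): a simplified Python model contrasting a service that applies caller-supplied registry data with one that checks each request against administrator-authored policy. The names RegRequest, POLICY, handle_unchecked and handle_checked, the sample policy, and the allowlist check itself are assumptions; the advisory says only that version 4.14 replaced the RPC service.

```python
# Added illustration; hypothetical names throughout, not ScriptLogic code.
from dataclasses import dataclass

@dataclass(frozen=True)
class RegRequest:
    caller: str       # authenticated domain user making the RPC request
    workstation: str  # machine whose remote registry the service will open
    key: str
    value_name: str
    data: str

# Constructed sample policy: the settings an administrator authored per user.
POLICY = {
    "alice": {(r"HKLM\SOFTWARE\Example\Desktop", "Wallpaper", r"\\dc\share\corp.bmp")},
}

def _norm(key, value_name):
    # Registry key and value names are case-insensitive; normalise before comparing.
    return key.upper(), value_name.upper()

def write_as_admin(registry, req):
    """Stand-in for the remote-registry write made with the service's admin rights."""
    registry[(req.workstation, *_norm(req.key, req.value_name))] = req.data

def handle_unchecked(registry, req):
    """Flawed pattern: the privileged service applies whatever data the caller sent."""
    write_as_admin(registry, req)
    return True

def handle_checked(registry, req):
    """Hardened pattern: apply only settings the administrator defined for this caller."""
    allowed = {(*_norm(k, n), d) for k, n, d in POLICY.get(req.caller, ())}
    if (*_norm(req.key, req.value_name), req.data) not in allowed:
        return False  # deny; a real service would also log caller, key and workstation
    write_as_admin(registry, req)
    return True

if __name__ == "__main__":
    legit = RegRequest("alice", "WS1", r"hklm\software\example\desktop",
                       "wallpaper", r"\\dc\share\corp.bmp")
    rogue = RegRequest("alice", "WS1", r"HKLM\SOFTWARE\Example\Restricted",
                       "Setting", "user-chosen")
    for handler in (handle_unchecked, handle_checked):
        reg = {}
        print(handler.__name__, [handler(reg, r) for r in (legit, rogue)], len(reg))
```

The point of the model is that the authorization decision has to be made by the service against data the end user cannot influence, because the write itself always succeeds under the service's administrative credentials.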

This vulnerability affects end-user systems running Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP. Although the ScriptLogic software also runs on Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Me, this vulnerability is irrelevant to systems running these versions of Windows. Since they do not feature distinct users and security contexts, access to a user account in the domain, which is a necessary precondition to exploitation of this vulnerability, is already tantamount to administrative access on these platforms. Furthermore, since the ScriptLogic RPC service is an optional component of the ScriptLogic system, sites that have not installed this service during the initial installation of the ScriptLogic software are not affected by this vulnerability.

The CERT/CC has verified the existence of this vulnerability in version 4.01 of the ScriptLogic software. Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. The ScriptLogic RPC service has been replaced in this version of the ScriptLogic software.

Impact

An unauthorized user can make arbitrary changes to the registry of the affected system. This level of access can easily be leveraged by an attacker to gain administrative privileges.

Solution

Upgrade to the latest version of the software

Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. Users of potentially vulnerable versions of the software are encouraged to upgrade to this version.

Vendor Information


ScriptLogic Corporation Affected

Notified: October 18, 2002 | Updated: April 30, 2003

Status

Affected

Vendor Statement

ScriptLogic Corporation agrees with CERT’s assessment that version 4.14 of ScriptLogic does not contain this vulnerability. Additionally, ScriptLogic has never received any reports from customers regarding this vulnerability in any version of the software.

ScriptLogic encourages all customers to use the most current version of the software. The current version is available for download at the ScriptLogic web support center located at http://www.scriptlogic.com/support/scriptlogic/sl40/default.asp.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This document was written by Chad R Dougherty. Technical assistance during testing was provided by Art Manion and Matt Lytle. The CERT/CC appreciates ScriptLogic, Inc.'s cooperation in providing an updated copy of the software for the purpose of vulnerability testing.

Other Information

CVE IDs: None
Severity Metric: 2.14
Date Public: 2003-04-30
Date First Published: 2003-04-30
Date Last Updated: 2003-04-30 20:10 UTC
Document Revision: 33

Sponsored by CISA.