[ SOURCE: http://www.secureroot.com/security/advisories/9768315761.html ]

Title: Microsoft Windows NT 4.0 MTS Package Administration Registry Key Vulnerability
BID: 2065
Published: December 06, 2000

Vulnerable:
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows NT 4.0 Server, Terminal Server Edition

Discussion:
Microsoft Transaction Server (MTS) is the mechanism used by Microsoft Windows NT to handle transactions, or MTS packages, which are series of software modules that form a transaction.

The registry key in Windows NT 4.0 that handles the administration of Microsoft Transaction Server (MTS) is not properly configured to deny write access to unprivileged users. Modification rights on this particular registry key should be reserved for administrators. However, any user who is able to log onto a system with MTS installed is able to alter the values of the MTS registry key and its subkeys, located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server\Packages.

Among the information stored in the MTS registry key is the list of MTS managers for each MTS package. A malicious user can reconfigure or add new MTS packages to the system by adding his userid to the list of managers of the System Package by modifying values in the MTS registry key. Adding new MTS packages to be executed under the context of a different account requires the account password, so a malicious user would have to know the password to execute a new package under a context other than his own. The malicious user could, however, modify an existing MTS package to perform unauthorized actions.

The registry key could be modified remotely if the Winreg key was enabled to allow remote access to the registry (Winreg is enabled by default).

MTS is not installed by default on Windows NT 4.0. MTS is part of the Windows NT 4.0 Option Pack.

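The permission problem described above can be checked by decoding the key's DACL. The following is an added example, not part of the original advisory or of Microsoft's tool: it flags allow ACEs that give write-capable rights on a registry key to anyone other than SYSTEM or Administrators. The two sample DACLs are constructed for illustration and are not the ACL actually shipped with MTS; the function name and tuple layout are assumptions of this example.

```python
# Added example: flag registry-key ACEs that give non-administrators write access.
# Access-mask bits are the standard Windows values (winnt.h).
WRITE_BITS = {
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00010000: "DELETE",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
    0x40000000: "GENERIC_WRITE",
}
KEY_READ = 0x00020019
KEY_ALL_ACCESS = 0x000F003F
ACCESS_ALLOWED, ACCESS_DENIED = 0, 1  # ACE type codes
# Well-known SIDs expected to hold write access: SYSTEM and the Administrators group.
PRIVILEGED_SIDS = {"S-1-5-18", "S-1-5-32-544"}
MTS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server\Packages"


def risky_aces(dacl):
    """Return [(sid, [right names])] for allow ACEs granting write to other SIDs.

    dacl is a list of (ace_type, sid, access_mask) tuples (layout assumed here).
    A missing DACL (None) grants everyone full access. Deny ACEs are skipped,
    so a finding means "granted by an allow ACE", not proven effective access.
    """
    if dacl is None:
        return [("S-1-1-0", ["NULL_DACL"])]
    findings = []
    for ace_type, sid, mask in dacl:
        if ace_type != ACCESS_ALLOWED or sid in PRIVILEGED_SIDS:
            continue
        rights = [name for bit, name in WRITE_BITS.items() if mask & bit]
        if rights:
            findings.append((sid, rights))
    return findings


# Constructed sample: Everyone (S-1-1-0) can read, set values and create subkeys.
WEAK_DACL = [
    (ACCESS_ALLOWED, "S-1-5-32-544", KEY_ALL_ACCESS),
    (ACCESS_ALLOWED, "S-1-5-18", KEY_ALL_ACCESS),
    (ACCESS_ALLOWED, "S-1-1-0", KEY_READ | 0x0002 | 0x0004),
]
# Constructed sample of the intended state: Everyone is read-only.
FIXED_DACL = WEAK_DACL[:2] + [(ACCESS_ALLOWED, "S-1-1-0", KEY_READ)]

if __name__ == "__main__":
    for label, dacl in (("weak", WEAK_DACL), ("fixed", FIXED_DACL)):
        print(MTS_KEY, label, risky_aces(dacl))
```
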
Solution:
Microsoft has released the following tool, which corrects the registry key value (this tool also corrects the registry values for other vulnerabilities discussed in Microsoft Security Bulletin MS00-095). Please see Frequently Asked Questions (Microsoft Security Bulletin MS00-095) under "Credit" for details regarding proper usage of the tool:

Microsoft patch Q265714i
http://download.microsoft.com/download/winntsp/Patch/Q266794/NT4/EN-US/Q265714i.EXE
Intel

Credit:
Discovered by Glenn Larsson and publicized in a Microsoft Security Bulletin (MS00-095) on December 6, 2000.

Reference:
http://www.securityfocus.com/bid/2065
http://www.microsoft.com/technet/security/bulletin/ms00-095.asp
http://www.microsoft.com/technet/security/bulletin/fq00-095.asp

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum