It hasn't been addressed in either the original or tridia releases as far as
I am aware.
I have a little addendum that I have tested on my Win2K box that resets the
permissions upon server/service start; I should really get around to
contributing that code for WinVNC. I no longer have NT 4.0 around to test
with, so I am willing to give the code/binaries to anyone running NT 4.0 to
see if it fixes this problem. I'm working with the tridia source code base,
but it's easily backportable to the original 3.3.3r7 source base.
However, the install files (which are not anywhere I can find) are the best
place to correctly set registry permissions in the first instance. Does
anyone have access to these? I have InstallShield for VisualC++ 6, so I can
recompile the installer once I have a look at the install source, assuming
that winvnc uses InstallShield (it certainly smells like an IS install to
me).
Andrew
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Shawn Hernan
Sent: Friday, 15 December 2000 10:57
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: VU#197477/Registry permission vulnerability
Hello,
I searched the archives and FAQ, but was unable to determine if a vulnerability
reported on BugTraq last month had been addressed (or indeed, if anyone was
aware of it). The issue I'm referring to is documented at
http://www.securityfous.com/bid/1961
I'd appreciate it if someone could kindly verify the report, and let me know
if any fixes are planned (even though the practical impact is small, since any
recent system will have applied the registry permission patch).
If there's anything we can do to assist, please let us know.
Thanks,
Shawn
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------