Software Engineering Institute

The ScriptLogic product from ScriptLogic, Inc. provides remote system administration capabilities for Microsoft Windows systems in a domain. A vulnerability in version 4.01 of the ScriptLogic RPC service allows unauthorized end-users to obtain full access to their registry, regardless of security restrictions therein. According to ScriptLogic, "The ScriptLogic RPC service allows the client to request a registry modification from the SLRPC service running on the authenticating domain controller."

If the ScriptLogic client application is unable to set a registry setting on the end-user's workstation, it makes an RPC request to the ScriptLogic RPC service. This service then connects to the remote registry on the workstation, and sets the setting. It is only able to do so because it has administrative permissions on the workstation. However, version 4.01 of ScriptLogic, as tested by the CERT/CC, fails to prevent normal users from making requests supplied with registry configuration data of their own choosing. This flaw allows the unauthorized user to make changes to the registry that they would normally be prevented from making.

This vulnerability affects end-user systems running Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP. Although the ScriptLogic software also runs on Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Me, this vulnerability is irrelevant to systems running these versions of Windows. Since they do not feature distinct users and security contexts, access to a user account in the domain, which is a necessary precondition to exploitation of this vulnerability, is already tantamount to administrative access on these platforms. Furthermore, since the ScriptLogic RPC service is an optional component of the ScriptLogic system, sites that have not installed this service during the initial installation of the ScriptLogic software are not affected by this vulnerability.

The CERT/CC has verified the existence of this vulnerability in version 4.01 of the ScriptLogic software. Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. The ScriptLogic RPC service has been replaced in this version of the ScriptLogic software.

An unauthorized user can make arbitrary changes to the registry of the affected system. This level of access can easily be leveraged by an attacker to gain administrative privileges.

Upgrade to the latest version of the software

Version 4.14 of the ScriptLogic software has been tested by the CERT/CC and shown not to contain the vulnerability. Users of potentially vulnerable versions of the software are encouraged to upgrade to this version.