DATE:
COMMAND: rollback.exe
SOURCE:
AUTHOR:

SYSTEMS AFFECTED
    Win NT 3.5, 3.51, 4.0

PROBLEM
    The following text describes a possible exploit of the rollback.exe vulnerability. The idea was John Johnson's, but the original text I received was virtually incomprehensible, so I re-wrote it (note: I do not know if the text I have was from John or if someone else wrote it).

    If you have a few open ports on an NT server (4.0) you can exploit it this way. Usually there are some protected ports (below 1024). To open these you can use a tool like port lock (credits to The Hobbit) to lock onto a port. Once you have the port locked you must crash the machine. This can be done several ways depending on the patch level. If you have the port lock it will start throwing rollback.exe at the locked open port, so upon reboot the server accepts this rollback play and resets the registry to the last known good configuration. (rollback is also used to recover lost administrator passwords.)

    Be aware that there is no recovery from the use of rollback.exe. All registry entries added by any BackOffice server application [and others] are removed, along with all security and accounts information. Thus, only a complete backup taken immediately prior to its use will recover the installation. Data files are intact, along with file ACLs.

    ROLLBACK has no Help file, has no command line help, and in fact has no documentation of any kind on the CD; simply double-clicking on the EXE or giving the command from the console causes execution without any warning. The next thing you know, you are staring at the Setup screen and are completely down.

EXPLOIT

SOLUTION
    The only fix to this problem is to restore the entire system from a current tape backup. The Emergency Repair Disk does not restore the system, as it requires the Setup.log and specific registry components to be present.

    Protecting yourself against a trojan program -- such as rollback.exe renamed to something else -- is difficult to do. In fact, it all boils down to common sense and judgement. Don't install software that you don't trust completely. Any intruder could easily disguise a package to look as though it came from a legitimate vendor, packing and all. The only thing you can do is to install the software on a system that "doesn't matter" in the event that the software trashes the entire system.
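The advisory's concern is a copy of rollback.exe shipped under an innocent name inside a package that looks legitimate. One check a defender can run before installing such a package, as an added example that is not part of the original advisory, is to hash every file in the package by content and compare the digests against a denylist, so that renaming the binary does not hide it. The advisory gives no hash of the real rollback.exe, so the block below hashes a constructed stand-in byte string in its place; the denylist, the package layout and the file names are all constructed for the demonstration, and a real deployment would substitute the SHA-256 of the genuine binary taken from a trusted NT 4.0 CD.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the rollback.exe binary. The advisory gives no hash
# of the real file, so this is NOT its real content or digest; it only lets the
# demo show that a renamed copy is matched by content rather than by name.
STANDIN_ROLLBACK = b"MZ\x90\x00" + b"constructed stand-in for rollback.exe, not the real binary"

# Denylist keyed by SHA-256 of file content. A real list would hold the digest
# of the actual rollback.exe from the NT 4.0 CD (placeholder here).
KNOWN_BAD = {
    hashlib.sha256(STANDIN_ROLLBACK).hexdigest(): "rollback.exe (constructed stand-in)",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, denylist: dict) -> list:
    """Return [(relative_path, label)] for every file under root whose content
    matches an entry in the denylist, whatever the file is called."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = denylist.get(sha256_of(p))
            if label is not None:
                hits.append((p.relative_to(root).as_posix(), label))
    return hits


def build_demo_tree() -> Path:
    """Constructed package layout: a renamed copy of the stand-in hidden among
    benign files, the way a disguised vendor package might carry it."""
    root = Path(tempfile.mkdtemp(prefix="pkgscan_"))
    (root / "setup").mkdir()
    (root / "setup" / "readme.txt").write_bytes(b"Vendor package, constructed sample.\n")
    (root / "setup" / "helper.exe").write_bytes(b"MZ\x90\x00benign constructed program")
    # Same bytes as the stand-in, but under an innocent-looking name.
    (root / "setup" / "vendorupdate.exe").write_bytes(STANDIN_ROLLBACK)
    return root


def demo() -> list:
    """Build the constructed package, scan it, and clean up."""
    root = build_demo_tree()
    try:
        return scan_tree(root, KNOWN_BAD)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, label in demo():
        print(f"FLAGGED {rel}: content matches {label}")
```

The scan deliberately ignores file names and extensions: the renamed copy is caught because its bytes are identical to the denylisted digest, while the benign helper with a similar header is left alone. Packing or recompiling the binary would change the digest, which is why this check complements, rather than replaces, the advisory's advice to test untrusted packages on a system that does not matter.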