DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  rollback.exe

SYSTEMS AFFECTED

  Win NT 3.5, 3.51, 4.0
  

PROBLEM


    The  following  text  represents  possible exploit of rollback.exe
    vulneravility. The idea was John Johnson's. But the original text
    I received was virtually incomprehesible so I re-wrote it (note:
    I do not know if the text I have was from John or if someone else
    wrote it).

    If you have a few open ports on a NT server (4.0) you can exploit
    it this way. 

    Usually  there  are  some  protected  ports (below 1024). To open 
    these you can use a tool Like port lock (Credits to The Hobbit) 
    to lock onto a port.

    Once you have the port locked you must crash the machine. This can 
    be done several ways depending on the patch level. If you have the
    port lock it  will start throwing rollback.exe  at the locked open 
    port so upon reboot the  server accepts this  rollback  play  and 
    resets the registry to the last known good configuration.
    (rollback is allso used to recover lost administrator passwords)

    Be aware that there is  no recovery from the use  of rollback.exe.
    All Registry  entries added  by any  BackOffice server application
    [and  others]  are  removed  along  w/  all  security and accounts
    information.  Thus,  only a complete  backup immediately prior  to
    usage will recover the  installation. Data files are  intact along
    with file ACLs.

    ROLLBACK has no Help file, has  no cmd line help, and in  fact has
    no documentation of any kind on the CD, simply double-clicking  on
    the EXE or  giving the command  from the console  causes execution
    without any warning.  The next thing you know, you are staring  at
    the Setup screen and are completely down.



EXPLOIT

  

SOLUTION


    The only fix to this problem is to restore the entire system  from
    a current  tape back  up. Emergency  Repair Disk  does not restore
    the  system  as  it  requires  the Setup.log and specific registry
    components to be present.

    Protecting  yourself  against   a  trojan  program   --  such   as
    rollback.exe renamed to something else  -- is difficult to do.  In
    fact,  it  all  boils  down  to  common sense and judgement. Don't
    install software  that you  don't trust  completely. Any  intruder
    could easily disquise a package to  look as though it came from  a
    legitimate vendor, packing and all.  The only thing you can do  is
    to install the  software on a  system the "doesn't  matter" in the
    event that the software trashes the entire system.