Microsoft NT 4.0 OffloadModExpo Registry Permissions Vulnerability

Default registry permissions leave Microsoft NT 4.0 in a vulnerable state that would allow a local user to manipulate other users' cryptographic keys by creating and installing a DLL file, and specifying it as a hardware accelerator device driver in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Offload\ExpoOffload key.

Any CSP (Cryptographic Service Provider) that then checked this key would use the attacker's code to perform crypto calculations. That code could then copy or modify the resulting key.
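
The following audit script is an added example, not part of the original advisory. It lists non-administrative principals that hold write access to the key named above and shows any values currently registered there. It assumes a host where PowerShell is available (stock NT 4.0 does not ship it), and the trusted-SID list is an assumption to adjust to local policy.

```powershell
# Added example: audit write access to the offload key named in the advisory.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Offload\ExpoOffload'  # path as given in the advisory

# Principals expected to hold write access (assumption, adjust to local policy):
# SYSTEM, BUILTIN\Administrators, CREATOR OWNER
$Trusted = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')

# Rights that let a principal plant or redirect the offload DLL entry.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

# If the key is absent, whoever can create subkeys on the nearest existing
# ancestor can create it, so that ancestor's ACL is the one that matters.
function Get-NearestExistingKey([string]$Path) {
    while ($Path -and -not (Test-Path -LiteralPath $Path)) {
        $Path = Split-Path -Path $Path -Parent
    }
    return $Path
}

# Return every Allow ACE that grants a write-type right to an untrusted SID.
# ACEs expressed only as generic rights are not decoded here.
function Get-UntrustedWriters([string]$Path) {
    $acl  = Get-Acl -LiteralPath $Path
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        $granted = $ace.RegistryRights -band $WriteRights
        if ($granted) {
            [pscustomobject]@{
                Key       = $Path
                Sid       = $ace.IdentityReference.Value
                Rights    = $granted
                Inherited = $ace.IsInherited
            }
        }
    }
}

$checked = Get-NearestExistingKey $KeyPath
if ($checked -ne $KeyPath) {
    Write-Warning "Key not present; auditing nearest existing ancestor: $checked"
}
Get-UntrustedWriters $checked | Format-Table -AutoSize

# If the key exists, show what is registered so an unexpected DLL path stands out.
if (Test-Path -LiteralPath $KeyPath) {
    Get-ItemProperty -LiteralPath $KeyPath | Format-List
}
```

Any row in the output is a principal outside the trusted list that can write to the key; an empty table means only the trusted SIDs hold those rights.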


