[10437] in bugtraq
Re: [FW: NT Security: Domain user adding self to Domain Admin
daemon@ATHENA.MIT.EDU (McKay)
Tue May 4 20:05:47 1999
Message-Id: <19990504160246.15682.qmail@ww156.netaddress.usa.net>
Date: Tue, 4 May 1999 11:02:46 CDT
Reply-To: McKay <seanmckay@NETSCAPE.NET>
From: McKay <seanmckay@NETSCAPE.NET>
X-To: gkalbfle <gkalbfle@CTC.CTC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Gary, I also had problems with getting this to work... Here is the setup I
tested against.
* NT 4.0 Server w/SP3 patch only applied.
* Various NT 4.0 Workstations with only SP3 or SP4 applied.
These were also all installed with Default Configurations. I changed nothing
from how it was installed.
Gary Kalbfleisch <gkalbfle@CTC.CTC.EDU> wrote:
> First I verified the various rights I thought would be involved. On the PDC
> the group Everyone has "Access this computer from Network". Rights to the
> Registry Key in question ( HKLM\SoftWare\Microsoft\Windows
> nt\CurrentVersion\ProfileList) are as follows; Administrators Full, System
> Full, and the problem child Everyone; Special Access = Query Value, Set
> Value, Create Subkey, Enumerate Subkeys, Notify & Read Control.
>
I verified the same type of permissions on the registry keys in particular.
> The problem occurred when I logged in as an ordinary Domain user. Using the
> exact same batch files I was able to read the data in the ProfileList Subkey
> and all its Subkeys but was not able to write the new values to that Key or
> any Subkeys. When I would run the Reg Update batch file the error message
> "access denied" was returned.
That is strange; when I ran reg.exe as a Domain User on the key in question, I
just got "access denied" on both the query and the update :(
> The security breach I mentioned in the first paragraph is that any Domain
> user could use Reg Query to access information on any one including System
> Admins that have logged in locally on the PDC or possibly other domain
> computers.
I wasn't able to query any info from the registry in question as just a Domain
User :(
I did find one interesting "Feature" of reg.exe and regedt32.exe. Apparently
if you are logged in remotely to the PDC using a local account on a machine on
the Windows NT network and your local account happens to have the same
username and password as a domain account on the PDC, then you get the domain
account's rights regardless of your local rights. So if your local group has
User permissions only and the corresponding domain group has Administrators
rights, then you get to access the registry as if you were an Administrator.
McKay
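A defender-side check tied to the ProfileList ACL Gary describes above (Everyone holding Set Value and Create Subkey), added here as an example and not code from the thread or from either poster: it lists any broad principal with write rights on that key. The key path, the principal list and the rights mask it treats as "write" are my assumptions; run it elevated on the machine being audited.

```powershell
# Added example, not from the original thread. Audits the ProfileList key for
# write rights granted to broad principals, the NT 4.0 default condition the
# thread discusses. Assumes a local run; for a remote registry, open the hive
# with [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey instead of Get-Acl.

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Rights that let a caller change the key rather than only read it (assumed mask).
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Principals that any ordinary domain user is a member of (assumed list).
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

$acl = Get-Acl -Path $keyPath
$findings = @()
foreach ($ace in $acl.Access) {
    # Only Allow entries matter; a Deny entry restricts rather than grants.
    $grantsWrite = ($ace.RegistryRights -band $writeRights) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
        ($broadPrincipals -contains $ace.IdentityReference.Value)) {
        $findings += [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings.Count -eq 0) {
    "OK: no broad principal holds write rights on $keyPath"
} else {
    "WARNING: broad principals hold write rights on $keyPath"
    $findings | Format-Table -AutoSize
}
```

A non-empty result means a domain user who can reach the registry remotely (the "Access this computer from Network" right Gary mentions) could also alter profile entries, so the rights should be reduced to Query Value, Enumerate Subkeys, Notify and Read Control for those principals.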