[10764] in bugtraq
Bug in WTS 4.0 on WinNT 4.0 sp4
daemon@ATHENA.MIT.EDU (mRm3n4c3)
Wed Jun 9 14:56:26 1999
Message-Id: <199906090107040707.14CDF180@mailhost.cinet.no>
Date: Wed, 9 Jun 1999 01:07:04 +0200
Reply-To: mistr@marmelade.net
From: mRm3n4c3 <mistr@MARMELADE.NET>
To: BUGTRAQ@NETSPACE.ORG
I have recently encountered what I believe to be a bug in NT security when using
Windows Terminal Server 4.0 on NT 4.00.1381 (Service Pack 4).
The problem occurred in an environment with 2 WTS servers using Metaframe and running a load-balancing
service, two file/print servers also running Oracle databases and one name server set
to be PDC.
The users' home directories containing WTS/NT profiles are located on the PDC.
If you log on to the WTS and type the wrong password more than three times, then your
account gets locked out. BUT, if you choose to continue trying anyway, and after some
time manage to type in the correct password, the WTS will let you log on as an
'anonymous user' account, using either a locally stored profile or a default profile.
This is because the PDC denies access to the homedir. The funny thing is, you have
no access to the PDC, which only replies with 'your account is locked out', but the WTS
ignores this and lets you browse the network, map up locally shared drives/catalogues,
run command.com / cmd.exe or regedit/regedt32. I have not found out what kind of
access the user has at this point, but more than he/she should anyways...
Now, the user in this example was set up like this in usermgr:
Homedir path \\nt40pdc\usernameshare$
No terminal homedir
Allow logon, no timeouts.
This means two severe problems:
If the user's profile is unavailable for some reason, the user is logged on anyway.
The 'account locked out' function does not work on WTS.
Well, this should be something to work on,
happy hunting!
(][mistr][)
(][there is no spoon][)
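
A detection sketch for the behaviour reported above, added here as an example and not part of the original post: it flags a successful interactive logon that follows a lockout event for the same account inside the lockout window. Assumptions: the Security logs of the terminal servers and the PDC have been exported and merged into a constructed `timestamp,host,event_id,user` CSV, logon auditing is enabled so NT event IDs 528, 529, 539 and 644 are recorded, the lockout duration is 30 minutes, and the WTS writes a 528 for the session described; the host name `WTS1` and the user names are hypothetical.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

LOGON_OK = 528            # successful logon
LOCK_EVENTS = {539, 644}  # 539: logon refused, account locked; 644: account locked out

# Constructed sample export (not real log data): timestamp,host,event_id,user
SAMPLE = """\
1999-06-08 23:40:10,WTS1,529,jdoe
1999-06-08 23:40:21,WTS1,529,jdoe
1999-06-08 23:40:33,WTS1,529,jdoe
1999-06-08 23:40:34,NT40PDC,644,jdoe
1999-06-08 23:40:50,WTS1,539,jdoe
1999-06-08 23:41:30,WTS1,528,jdoe
1999-06-08 23:45:00,WTS1,529,asmith
1999-06-08 23:45:20,WTS1,528,asmith
1999-06-09 09:00:00,WTS1,528,jdoe
"""

def logons_while_locked(export, lockout=timedelta(minutes=30)):
    """Return (user, host, logon_time, last_lock_evidence) for every
    successful logon seen while the account should still be locked."""
    rows = [r for r in csv.reader(StringIO(export)) if r]
    rows.sort(key=lambda r: r[0])          # ISO-style timestamps sort as text
    locked_at = {}                         # user -> latest proof of lockout
    findings = []
    for ts, host, event_id, user in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        user = user.lower()                # NT account names are case-insensitive
        eid = int(event_id)
        if eid in LOCK_EVENTS:
            # A 539 proves the account was still locked at that moment,
            # so it refreshes the evidence time just like the 644 does.
            locked_at[user] = when
        elif eid == LOGON_OK and user in locked_at:
            if when - locked_at[user] < lockout:
                findings.append((user, host, when, locked_at[user]))
    return findings

if __name__ == "__main__":
    for user, host, when, lock in logons_while_locked(SAMPLE):
        print(f"{user}: logon on {host} at {when} while locked since {lock}")
```

Set `lockout` to the domain's actual lockout duration; an administrator unlocking the account inside that window would show up here as a false positive.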