[19264] in bugtraq
Re: AUTORUN Vul still work.
daemon@ATHENA.MIT.EDU (Nelson Brito)
Fri Feb 16 14:47:15 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <3A8C21F7.A3B40E3D@secunet.com.br>
Date: Thu, 15 Feb 2001 15:37:43 -0300
Reply-To: Nelson Brito <nelson@SECUNET.COM.BR>
From: Nelson Brito <nelson@SECUNET.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
"Jesper M. Johansson" wrote:
[...]
> That's not to say that this is not an issue. It is, and it has been known
> and discussed for at least two years. MS does not seem to consider it a real
> serious problem because "administrators should not be mapping shares that
Like I said, C$ and ADMIN$, in a default installation, are "write access" for
ordinary users.
So, think about this scenario:
1 - malicious user has placed both files (autorun2.exe and autorun.inf) on
the Server's C$;
2 - the dumb Admin will mount this share to do something *dumb*;
3 - so, the malicious user can make the dumb Admin execute the arbitrary
code(?) as obscurely as possible.
4 - BINGO, the dumb Admin has added a new user or added the malicious
user to the Administrators/Domain Admins group.
Well, I can put a lot of other scenarios, but, is it necessary? I don't
think so.
When a malicious user really wants to, he can do a lot of things to get Admin
access on a Windows NT environment.
> ordinary users have write privilege to anyway." If that, rather
> unreasonable, assumption holds, then this is not a problem. In most cases,
> this is simply expected behavior, and it is up to us, as responsible admins,
> to work around it.
[...]
> Hive: HKLM if you want to apply it to all users on a system, HKCU if you
> only want to apply it to some users
> Key: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
> Value: NoDriveTypeAutoRun
> Data: 0xFF
>
> Jesper M. Johansson
Like we can see at BID 993.
Nothing further,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
Excerpt from the book "Hack Proofing your Network", page 93
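
An added example, not part of the original message: a small audit of the NoDriveTypeAutoRun value quoted above, decoding the bitmask and flagging any setting that still leaves AutoRun enabled for network drives (the mapped-share case in this thread). The function names and status labels are assumptions made for this sketch, and the sample values used off Windows are constructed.

```python
import sys

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that
# drive type (bit meanings as documented by Microsoft for this value).
DRIVE_BITS = {0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "CD-ROM",
              0x40: "RAM disk", 0x80: "reserved"}
KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE = "NoDriveTypeAutoRun"

def autorun_enabled_types(data):
    """Drive types whose bit is clear; data is REG_DWORD int or REG_BINARY bytes."""
    if isinstance(data, bytes):
        data = int.from_bytes(data, "little")
    return [name for bit, name in DRIVE_BITS.items() if not data & bit]

def audit(hives):
    """hives: hive name -> value data (None if absent). Returns finding tuples."""
    findings = []
    for hive, data in hives.items():
        enabled = None if data is None else autorun_enabled_types(data)
        if enabled is None:
            status = "missing"               # value not set: OS defaults apply
        elif not enabled:
            status = "all-disabled"          # e.g. the 0xFF from the thread
        elif "network" in enabled:
            status = "network-autorun"       # mapped shares can still AutoRun
        else:
            status = "partial"
        findings.append((hive, status, enabled))
    return findings

def read_live():
    """Read the value from HKLM and HKCU on a Windows host."""
    import winreg
    out = {}
    for name, root in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                       ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(root, KEY) as key:
                out[name] = winreg.QueryValueEx(key, VALUE)[0]
        except OSError:                      # key or value does not exist
            out[name] = None
    return out

if __name__ == "__main__":
    sample = {"HKLM": 0xFF, "HKCU": 0x85}    # constructed data for non-Windows runs
    for finding in audit(read_live() if sys.platform == "win32" else sample):
        print(finding)
```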