[16594] in bugtraq


Re: Microsoft NT "un-removable user" Vulnerability.

daemon@ATHENA.MIT.EDU (Steve)
Wed Sep 6 00:38:46 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id:  <NDBBKBPDOHLBFCALJJOOMEBBCNAA.steve@securesolutions.org>
Date:         Tue, 5 Sep 2000 20:07:39 -0600
Reply-To: Steve <steve@SECURESOLUTIONS.ORG>
From: Steve <steve@SECURESOLUTIONS.ORG>
X-To:         johnl@clearoption.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <NEBBJGMGPMHBNOKCDLALIEFICAAA.lists@darkcore.net>

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Microsoft NT un-removable user Vulnerability.
>
> Vulnerable: Tested on NT4 SP4. All versions of NT are thought to be
> vulnerable.

Could not reproduce at SP6a.


> A vulnerability exists in the Microsoft Windows NT operating
> system in which a userid can be added which contains special
> characters which are normally not allowed. These special userids
> can not be removed using the normal user management interface as
> supplied from Microsoft.

What custom User Manager are you using?  The normal interface
provided does not allow this, nor do a few of the more popular
add-ins to NT.


> The problem exists because the integrity checking on the userIDs
> occurs at the GUI level and not on the system itself.

I agree that this *COULD* be an issue but not a likely one.

> Exploit:
> A malicious user can create a user with special characters (e.g.
>  testuser;) using a custom user management interface which does
> not perform validation checks on the userid. It then can not be
> removed using the standard WindowsNT user management interface.

Yes, but a simple net user ~testuser;") /delete will take care of
this.

> This could be a significant problem if the user was maliciously
> added into the Administrators group. A system scrub or another
> custom user management interface would be the only way to remove
> the user.

Incorrect.  Net user /delete works just fine.

> Credit: This vulnerability was discovered by Jeff Also while
> developing a web based User Management interface.

> Reported:
> ---------
> I advised Microsoft Security about this on 28 Aug 2000. They
> responded that since they had no custom user management tools,
> they could not test this vulnerability.

I fail to see how this is a vulnerability.  If a malicious user
already has "rooted" the NT box, why would he be stupid enough to add
a user to the system that would be obviously out of place.  Why would
he not add a machine name ID, or even a generic username and hope the
sys-admin doesn't notice.  Seeing the existence of ~testuser;") would
be a dead give-away that something is going on.

Regards;


Steve Manzuik
Moderator - Win2K Security Advice

- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use
<http://www.pgp.com>

iQA/AwUBObWmfDV9eGvIXwM6EQLndgCfUvQ+ZirXLrbJVCMe4wSBEwLHKEoAniAq
fcm7F9FJKYLc/8DgCMNEXHHB
=KVaY
- -----END PGP SIGNATURE-----
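
Added example, not part of the original post or of any tool named in it: a PowerShell audit that flags local account names containing characters the standard interface refuses, and marks whether each flagged account is in Administrators. The invalid-character list is an assumption taken from Microsoft's documented account-naming rules, and the function name, sample accounts and SIDs are constructed for illustration.

```powershell
# Characters Microsoft documents as invalid in local account names
# (assumption: from Microsoft's naming rules, not from this thread).
$InvalidChars = '"/\[]:;|=,+*?<>'.ToCharArray()

function Find-OddAccountName {
    param(
        # Objects exposing Name and SID (Get-LocalUser output fits).
        [Parameter(Mandatory)] [object[]] $Account,
        # SID strings of the members of the local Administrators group.
        [string[]] $AdminSid = @()
    )
    foreach ($a in $Account) {
        # Collect each disallowed character that appears in the name.
        $bad = $a.Name.ToCharArray() |
            Where-Object { $InvalidChars -contains $_ } |
            Select-Object -Unique
        if ($bad) {
            [pscustomobject]@{
                Name     = $a.Name
                BadChars = -join $bad
                IsAdmin  = $AdminSid -contains [string]$a.SID
            }
        }
    }
}

# Constructed sample data so the check runs without touching a real SAM.
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-0-0-0-500'  },
    [pscustomobject]@{ Name = 'backup_svc';    SID = 'S-1-5-21-0-0-0-1003' },
    [pscustomobject]@{ Name = 'testuser;';     SID = 'S-1-5-21-0-0-0-1004' }
)
Find-OddAccountName -Account $sample -AdminSid 'S-1-5-21-0-0-0-1004'

# On a live host (Windows PowerShell 5.1 or later), feed it real data.
# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# $admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
# Find-OddAccountName -Account (Get-LocalUser) -AdminSid $admins
```

Any account this reports was created through a path that skipped the interface-level name check, which is the situation the quoted advisory describes.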
