[16594] in bugtraq
Re: Microsoft NT "un-removable user" Vulnerability.
daemon@ATHENA.MIT.EDU (Steve)
Wed Sep 6 00:38:46 2000
Message-Id: <NDBBKBPDOHLBFCALJJOOMEBBCNAA.steve@securesolutions.org>
Date: Tue, 5 Sep 2000 20:07:39 -0600
Reply-To: Steve <steve@SECURESOLUTIONS.ORG>
From: Steve <steve@SECURESOLUTIONS.ORG>
X-To: johnl@clearoption.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <NEBBJGMGPMHBNOKCDLALIEFICAAA.lists@darkcore.net>
> Microsoft NT un-removable user Vulnerability.
>
> Vulnerable: Tested on NT4 SP4. All versions of NT are thought to be vulnerable.
Could not reproduce at SP6a.
> A vulnerability exists in the Microsoft Windows NT operating system in which
> a userid can be added which contains special characters which are normally
> not allowed. These special userids can not be removed using the normal user
> management interface as supplied from Microsoft.
What custom User Manager are you using? The normal interface
provided does not allow this, nor do a few of the more popular
add-ins to NT.
> The problem exists because the integrity checking on the userIDs
> occurs at the GUI level and not on the system itself.
I agree that this *COULD* be an issue but not a likely one.
> Exploit:
> A malicious user can create a user with special characters (e.g.
> testuser;) using a custom user management interface which does
> not perform validation checks on the userid. It then can not be
> removed using the standard Windows NT user management interface.
Yes, but a simple net user ~testuser;") /delete will take care of
this.
> This could be a significant problem if the user was maliciously
> added into the Administrators group. A system scrub or another
> custom user management interface would be the only way to remove
> the user.
Incorrect. Net user /delete works just fine.
> Credit: This vulnerability was discovered by Jeff Also while
> developing a web based User Management interface.
> Reported:
> ---------
> I advised Microsoft Security about this on 28 Aug 2000. They responded that
> since they had no custom user management tools, they could not test
> this vulnerability.
I fail to see how this is a vulnerability. If a malicious user
already has "rooted" the NT box, why would he be stupid enough to add
a user to the system that would be obviously out of place? Why would
he not add a machine name ID, or even a generic username, and hope the
sys-admin doesn't notice? Seeing the existence of ~testuser;") would
be a dead give-away that something is going on.
Regards;
Steve Manzuik
Moderator - Win2K Security Advice
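The check the original post says happens only in the GUI, done in code so a custom user management front end can apply it before calling the system, plus a sweep that flags account names the standard tools would never have accepted. This is an added example, not code from the thread; the forbidden character set and 20-character limit are taken from Microsoft's published account naming rules (an assumption from outside the post), and the account list is constructed.

```python
# Characters Windows rejects in account names, per Microsoft's documented
# naming rules (assumed here; not stated in the post): " / \ [ ] : ; | = , + * ? < >
NT_FORBIDDEN_CHARS = set('"/\\[]:;|=,+*?<>')
NT_MAX_NAME_LEN = 20


def validate_nt_username(name: str) -> list:
    """Return the list of rule violations for an account name.

    An empty list means the name passes every check, i.e. a custom
    management interface should accept it and the GUI tools would too.
    """
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > NT_MAX_NAME_LEN:
        problems.append(f"longer than {NT_MAX_NAME_LEN} characters")
    bad = sorted(set(name) & NT_FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if name and all(c in " ." for c in name):
        problems.append("consists only of spaces or periods")
    if name != name.strip():
        problems.append("leading or trailing whitespace")
    if any(ord(c) < 0x20 for c in name):
        problems.append("control characters")
    return problems


def find_suspect_accounts(names):
    """Map each account name that fails validation to its list of violations.

    Run over an enumerated account list, this surfaces names that could only
    have been created by bypassing the GUI-level checks.
    """
    return {n: validate_nt_username(n) for n in names if validate_nt_username(n)}


# Constructed sample account list, modelled on the names discussed in the thread.
SAMPLE_ACCOUNTS = ["Administrator", "jsmith", "testuser;", '~testuser;")', "backup_svc"]

if __name__ == "__main__":
    for name, issues in find_suspect_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name!r}: {', '.join(issues)}")
```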