[16641] in bugtraq


Re: Microsoft NT "un-removable user" Vulnerability.

daemon@ATHENA.MIT.EDU (Ben)
Thu Sep 7 13:13:06 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.SOL.3.96.1000907083129.26728B-100000@draco.cus.cam.ac.uk>
Date:         Thu, 7 Sep 2000 08:40:24 +0100
Reply-To: Ben <bda20@CAM.AC.UK>
From: Ben <bda20@CAM.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <NDBBKBPDOHLBFCALJJOOEECHCNAA.steve@securesolutions.org>

On Wed, 6 Sep 2000, Steve wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>> After your email, I retested this in NT4 SP6a and it is still true.
>>
>>
>What build?  Any hotfixes?  I have re-tested this on three different
>NT 4.0 SP6a+all hotfixes and cannot replicate the issue.  I will ask
>again, what custom user manager are you using?

We have an NT4.0 Server with SP5+all current post SP5 hotfixes.  While I have
been unable to replicate this user-specific behaviour, I have noticed something
concerning the ADDUSERS command included in the NT4.0 Resource Kit.

If you use ADDUSERS and add the users and groups from a file, you're supposed
to separate the values for each user/group (name, home dir, profile path) with
commas.  My technician in her innocence used tabs.  On reading this file in
we ended up with a group of the name

TEMP|temporary group|jb100|js200|tr543

On trying to delete this group via the User Manager for Domains various errors
cropped up claiming the syntax was invalid or the volume label was invalid.  It
took Hyena (http://www.adkins-resource.com/) to get rid of it.  I wouldn't be
surprised if the "custom user manager" he's talking about is Hyena.


>> If I'm using the command incorrectly, please let me know. I'm not
>> sure how to escape characters in NT (I also tried "net user
>> testuser\; /delete" and various other forms but none worked).
>
>Try a "NET USER /?" to get the proper syntax.  I use "NET USER
>testuser; /DELETE" and it works fine on my test boxes.  I am going to
>toss my SP4 image on to a box later today and see if there is a
>difference.

With our setup we were also unable to remove this bad group with any of the
command line utilities, resource kit or otherwise.

Ben
--
Sysadmin, Faculty of History, Cambridge University, England
Tel: +44 (0)1223 (3)35315  |  Email: Ben@hist.cam.ac.uk
Plugger of wire, typer of keyboard, imparter of Clue
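
An added example, not part of the original message: a pre-import check for an ADDUSERS input file that catches the tab-delimited line described above before it can become a group name. The `[User]`/`[Global]`/`[Local]` section headers and the invalid-character set are assumptions taken from the documented ADDUSERS format and NT account-name rules; the sample file is constructed, reusing the names from the post.

```python
# Assumption: characters NT's documented naming rules reject in user and
# group names. Control characters (such as tab) are rejected as well.
INVALID_NAME_CHARS = set('"/\\[]:;|=,+*?<>')
# Assumption: section headers used by ADDUSERS input files.
SECTIONS = {"[user]", "[global]", "[local]"}


def lint_addusers(text):
    """Return a list of (line_no, message) findings for an ADDUSERS file."""
    findings = []
    section = None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.strip().lower() in SECTIONS:
            section = line.strip().lower()
            continue
        if section is None:
            findings.append((no, "entry before any section header"))
            continue
        if "\t" in line:
            findings.append((no, "tab character: fields must be comma-separated"))
        fields = line.split(",")
        name = fields[0]
        if len(fields) < 2:
            findings.append((no, "no comma: the whole line would become the name"))
        bad = sorted(c for c in set(name) if c in INVALID_NAME_CHARS or ord(c) < 32)
        if bad:
            findings.append((no, "name %r contains invalid characters %r" % (name, bad)))
        if not name or name != name.strip():
            findings.append((no, "name is empty or padded with whitespace"))
    return findings


# Constructed sample: one well-formed group and the tab-delimited group
# from the post (names taken from the message; STAFF is made up).
SAMPLE = (
    "[User]\n"
    "jb100,J Bloggs,,,,,,\n"
    "[Global]\n"
    "STAFF,permanent staff,jb100,js200,\n"
    "TEMP\ttemporary group\tjb100\tjs200\ttr543\n"
)

if __name__ == "__main__":
    for line_no, message in lint_addusers(SAMPLE):
        print("line %d: %s" % (line_no, message))
```

Run it against the file before handing it to ADDUSERS and refuse the import if any finding is returned.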
