[16643] in bugtraq


Re: Microsoft NT "un-removable user" Vulnerability.

daemon@ATHENA.MIT.EDU (David LeBlanc)
Thu Sep 7 16:31:31 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.5.32.20000907111534.03410a30@pop.mindspring.com>
Date:         Thu, 7 Sep 2000 11:15:34 -0700
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3.0.5.32.20000906115603.034048b0@pop.mindspring.com>

After some more investigation, I wanted to follow up a little more -

At 11:56 AM 9/6/00 -0700, David LeBlanc wrote:

>I would strongly suspect that this 'vulnerability' was found because the
>persons testing this did not properly quote things on the command line.  I
>once had a need to determine which characters were legitimate in a user
>name and wrote an app which added a user whose name was 0x01 and iterated
>through all the ASCII character set.  Since I didn't want 256 users with
>weird names on my box, I then used the above API call to delete them.  It
>did remove them all. As it turns out, the only characters not allowed are
>null and '\' - null is obvious, and the '\' isn't allowed because a fully
>qualified user name is presented as domain\user, but the system won't let
>you create a user with a '\' character in the name.

I wrote another app to iterate through all the possible ASCII characters
and tested it - sure enough, on an NT 4.0 system the only disallowed
character is '\'. I again cleaned up the users as I was creating them using
NetUserDel(), which proves that this API call is capable of removing users
with characters such as ;, " and ). I also ran the app on a Win2k system to
find that many more characters are not allowed. My guess is that this is
because under Win2k a fully-qualified user name can take 2 forms:

user@domain.company.com
or
DOMAIN\user

Restricting the character set to what would be allowed in an e-mail address
makes sense.

It also turns out that there are indeed some characters the usual
interfaces don't seem to like, but the following application nukes them
easily. I have not confirmed whether or not Win2k will remove them. If
someone would like to compile it up, post it on the web and send a URL,
that would be nice. Also, the app could be extended to read the user names
from a file, and that would get around some command-line issues, but I
don't have time to write that part this morning.

BTW, if someone has hacked your system to the point of being able to add
users with weird characters, you are !*SCREWED*! and have much more to
worry about than removing the users. As always, the correct response to
being hacked is to install fresh from known media, then transfer the data
after carefully checking it for validity. The WRONG response is to remove
the users, patch whatever hole you think they used, and go on with life
while the attackers chortle over the fact you left the rootkit in place. If
a sysadmin thinks it is a funny joke to do this, do really evil things to
them in return (a monitor cable adapter which switches red and green is
always fun), demote them to helpdesk or fire them. That said, this little
bit of code might help someone somewhere, and so...

================DeleteUser.cpp==============================
#define UNICODE

#include <windows.h>
#include <lm.h>		/* NetUserDel() and NET_API_STATUS */
#include <stdio.h>

#pragma comment(lib, "netapi32.lib")

int wmain(int argc, WCHAR* argv[])
{
	NET_API_STATUS ret;	/* typedef'd as DWORD in lm.h */

	if(argc != 2)
	{
		/* under MSVC, %s in a wide format string takes a wide string */
		wprintf(L"Usage is %s [username]\n", argv[0]);
		return -1;
	}

	/* NULL server name = the local machine.  argv[1] is the name exactly
	   as the C runtime parsed it, so command-line quoting is the only
	   place a character such as " or ; can go missing. */
	ret = NetUserDel(NULL, argv[1]);
	if(ret == ERROR_SUCCESS)
	{
		wprintf(L"User %s deleted\n", argv[1]);
		return 0;
	}
	else
	{
		/* common values: NERR_UserNotFound (2221), ERROR_ACCESS_DENIED (5) */
		wprintf(L"Could not delete user %s - err = %lu\n", argv[1], ret);
		return -1;
	}
}
==================end DeleteUser.cpp=========================

David LeBlanc
dleblanc@mindspring.com
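The two things the post sketches but does not ship, reading user names from a file so the command line never has to quote them, and the "add every ASCII character, then delete it again" experiment, as an added example. This is not code from the post; it is written for current Windows (Windows PowerShell 5.1 or PowerShell 7 on Windows, elevated, with the Microsoft.PowerShell.LocalAccounts module), and the file path and the probe-name prefix are placeholders.

```powershell
# Added example, not part of David LeBlanc's post. Assumes an elevated
# Windows PowerShell 5.1 / PowerShell 7 session on Windows with the
# Microsoft.PowerShell.LocalAccounts module. File path and prefix are
# illustrative assumptions.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Remove-LocalUsersFromFile {
    <#
      Deletes one local account per line of $Path. Each line is read with
      Get-Content and passed to Remove-LocalUser as a plain string, so the
      shell never re-parses it: names such as  foo;bar"  or  x)y  need no
      quoting at all. Blank lines are skipped. Supports -WhatIf.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    $results = @()
    foreach ($line in Get-Content -LiteralPath $Path) {
        $name = $line.TrimEnd("`r")          # tolerate CRLF as well as LF files
        if ($name.Length -eq 0) { continue }
        if ($PSCmdlet.ShouldProcess($name, 'Remove local user')) {
            try {
                Remove-LocalUser -Name $name
                $results += [pscustomobject]@{ Name = $name; Status = 'deleted' }
            } catch {
                # typical failures: no such account, or not running elevated
                $results += [pscustomobject]@{
                    Name = $name; Status = "failed: $($_.Exception.Message)"
                }
            }
        }
    }
    return $results
}

function Test-UserNameCharacters {
    <#
      Re-runs the experiment from the post: for every printable 7-bit ASCII
      character, try to create a throw-away account whose name contains it,
      then delete it again so nothing is left behind. Returns the characters
      the account database refused. Run this ONLY on a scratch machine; it
      churns the local account database.
    #>
    param([string] $Prefix = 'zz')   # assumed prefix, keeps probe names obvious
    $rejected = @()
    foreach ($code in 0x20..0x7E) {
        $ch   = [char]$code
        $name = "$Prefix$ch"
        try {
            $null = New-LocalUser -Name $name -NoPassword -Description 'charset probe'
        } catch {
            $rejected += $ch
            continue
        }
        Remove-LocalUser -Name $name    # clean up, as the post did with NetUserDel()
    }
    return ($rejected -join '')
}

# Example use (placeholders):
#   Remove-LocalUsersFromFile -Path C:\temp\weird-users.txt -WhatIf
#   Test-UserNameCharacters
```

Run the file-driven deletion with -WhatIf first; it lists every name exactly as it was read, which is the quickest way to see whether a stray quote or trailing space made it into the file. The character probe reports what the current account-creation path accepts, which is a stricter set than the NT 4.0 result in the post; it says nothing about whether an account that already carries an odd character can be removed, which is what the file-driven function is for.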
