[ISN] NT Server bug exposes user groups, users

From: mea culpa (jerichoat_private)
Date: Tue Dec 01 1998 - 21:18:47 PST

    Forwarded From: Virus News <spam@mail-me.com>
    Posted to: Virus News 12/01/98
    NT Server bug exposes user groups, users

    By Scott Berinato

    A bug in Microsoft Corp.'s NT Server 4.0 can expose a server's user groups
    and users, according to tests done by PC Week Labs.

    The bug only affects NT servers set to default settings with no firewall
    protection, a configuration rarely seen unless users are not concerned
    with security. So while administrators ought to be concerned, simple
    precautions can prevent the situation, PC Week Labs analysts said.

    However, on a Web page posted by "Vitali Chkliar," 10 companies are listed
    as susceptible to the bug as of November 25. To prove the point, Chkliar
    has links to the companies' hacked information.

    Chkliar also has two ASP (Active Server Pages) applications available at
    the site that will expose any site under the base NT configuration without
    a firewall. Users only need to know a server's IP address to learn the
    server's group names. Given the IP address and a group name, a hacker
    could pull user names from the server, according to the site.

    Chkliar could not be reached for comment. His site contains no e-mail
    address or contact information and attempts to locate him have proven
    unsuccessful. The Web page says that "It is also possible through lower
    level API to get read, write access to the registry and folders of the
    target computer, configured with default settings."

    Karan Khanna, lead product manager for Windows NT security at Microsoft,
    in Redmond, Wash., said this is not a security issue and that the function
    Chkliar provides on his Web page is available through a base-level API.

    "What's happening is, whenever you configure a server, we tell people to
    lock down the server appropriately so you can control the access to
    server," Khanna said. "In this situation, you haven't locked out the
    appropriate ports and haven't set the right access controls. We tell
    customers exactly how to lock down the systems. If you do it, this is a

    Khanna also said the API does not allow write access, but it will allow
    read capabilities.

    "In Service Pack 4, we have a security configuration editor which allows
    automatic lock-down of NT Server," he said.

    Service Pack 4 is available now from Microsoft at www.microsoft.com.

    (For security considerations, Chkliar's Web site and the names of the
    hacked companies have been omitted from this story.)