FW: NT Security: Domain user adding self to Domain Admin group.

From: Gary Kalbfleisch (gkalbfleat_private)
Date: Mon May 03 1999 - 10:15:40 PDT


    Does anyone have any additional information on this?  We couldn't get it to
    work.
    
    -----Original Message-----
    To: 'Gary K'
    Subject: NT Security: Domain user adding self to Domain Admin group.
    
    
    Gary,
    
    Regarding the BUGTRAQ advisory you forwarded to me on the subject of an
    ordinary Domain user promoting self same to a Domain Admin, I was not able
    to confirm that this exploit will work.  My research did turn up a security
    breach using "reg.exe" from the NT Resource Kit, which I will document later
    in this report.
    
    For now I would like to document my methodology and have you possibly
    forward it on to BUGTRAQ to see if anyone can enlighten us on where I went
    wrong.
    
    First I verified the various rights I thought would be involved.  On the PDC
    the group Everyone has "Access this computer from Network".  Rights to the
    Registry Key in question ( HKLM\SoftWare\Microsoft\Windows
    nt\CurrentVersion\ProfileList) are as follows: Administrators Full, System
    Full, and the problem child Everyone: Special Access = Query Value, Set
    Value, Create Subkey, Enumerate Subkeys, Notify & Read Control.
    
    Next I created a couple of batch files to test the results of using Reg.exe.
    One batch file using Reg Query to extract the current information in the
    ProfileList Subkey and another batch file with Reg Update to write changes
    to the value in that Subkey.  To test that this would work I first ran
    these batch files logged in with Admin Rights.  They both worked fine; I was
    able to extract data from the Subkey and write the value I wanted to it.
    
    The problem occurred when I logged in as an ordinary Domain user.  Using the
    exact same batch files I was able to read the data in the ProfileList Subkey
    and all its Subkeys but was not able to write the new values to that Key or
    any Subkeys. When I would run the Reg Update batch file the error message
    "access denied" was returned.
    
    The security breach I mentioned in the first paragraph is that any Domain
    user could use Reg Query to access information on anyone, including System
    Admins, that have logged in locally on the PDC or possibly other domain
    computers.
    
    
    John
    
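The check John describes by hand (reading the ACL on the ProfileList key and looking for write rights granted to Everyone) can be scripted. The following PowerShell is an added example and is not code from the thread or from either poster; it assumes an elevated PowerShell session on the machine being audited, and the function names, the -Remediate switch and the RemoteRegistry service check are this example's own. It flags any Allow entry for Everyone (SID S-1-1-0) carrying a right that can alter the key (Set Value, Create Subkey, Delete, Change Permissions, Take Ownership) and, only when asked, rewrites such an entry as the read-only set John lists (Query Value, Enumerate Subkeys, Notify, Read Control), which is exactly RegistryRights.ReadKey.

```powershell
# Added example (not from the original thread): audit the ProfileList key ACL
# for write rights granted to Everyone and optionally reduce them to read-only.
# Assumed: elevated PowerShell on the machine being checked. Function and
# parameter names are this example's own.

$ProfileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-ProfileListAcl {
    param(
        [string]$Path = $ProfileListPath,
        [switch]$Remediate   # hypothetical switch: rewrite offending entries as read-only
    )

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $acl      = Get-Acl -Path $Path

    # Rights that let a principal modify the key. The message lists Set Value
    # and Create Subkey among the "Special Access" rights granted to Everyone.
    $R = [System.Security.AccessControl.RegistryRights]
    $writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                       $R::ChangePermissions -bor $R::TakeOwnership)

    # ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions, i.e.
    # the part of Everyone's access in the message that cannot write the key.
    $readOnlyRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $everyone, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

    $findings = @()
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $everyone) { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }

        $findings += [pscustomobject]@{
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }

        if ($Remediate) {
            if ($rule.IsInherited) {
                # An inherited entry cannot be removed on this key; it has to be
                # corrected on the parent or inheritance broken first.
                Write-Warning "Inherited write grant to Everyone on $Path; fix the parent key instead."
                continue
            }
            [void]$acl.RemoveAccessRule($rule)
            $acl.AddAccessRule($readOnlyRule)
            Set-Acl -Path $Path -AclObject $acl
            Write-Host "Replaced write grant to Everyone on $Path with ReadKey."
        }
    }

    return $findings
}

function Test-RemoteRegistryExposure {
    # The scenario in the message also needs registry access over the network.
    # Reporting the Remote Registry service state lets both findings be read
    # together. Assumed: the service is named RemoteRegistry on this host.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'RemoteRegistry service not present' }
    return "RemoteRegistry service is $($svc.Status) (startup: $($svc.StartType))"
}

# Usage: report only. Add -Remediate to rewrite non-inherited Everyone write grants.
Test-ProfileListAcl | Format-Table -AutoSize
Test-RemoteRegistryExposure
```

Removing the write rights closes the Reg Update path the message was testing, but it leaves the ProfileList key readable by Everyone, so the disclosure John raises in his last paragraph (learning which accounts, including admins, have logged on locally) is a separate decision about read access and about whether remote registry access is needed at all.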



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:42 PDT