Does anyone have any additional information on this? We couldn't get it to work.

-----Original Message-----
To: 'Gary K'
Subject: NT Security: Domain user adding self to Domain Admin group.

Gary,

Regarding the BUGTRAQ advisory you forwarded to me on the subject of an ordinary Domain user promoting himself to Domain Admin, I was not able to confirm that this exploit will work. My research did turn up a security breach using "reg.exe" from the NT Resource Kit, which I will document later in this report. For now I would like to document my methodology and have you possibly forward it on to BUGTRAQ to see if anyone can enlighten us on where I went wrong.

First I verified the various rights I thought would be involved. On the PDC the group Everyone has "Access this computer from Network". Rights to the Registry key in question (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) are as follows: Administrators Full, System Full, and the problem child Everyone: Special Access = Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify & Read Control.

Next I created a couple of batch files to test the results of using Reg.exe. One batch file uses Reg Query to extract the current information in the ProfileList subkey and another batch file uses Reg Update to write changes to the value in that subkey. To test that this would work I first ran these batch files logged in with Admin rights. They both worked fine: I was able to extract data from the subkey and write the value I wanted to it.

The problem occurred when I logged in as an ordinary Domain user. Using the exact same batch files I was able to read the data in the ProfileList subkey and all its subkeys, but was not able to write the new values to that key or any subkeys. When I ran the Reg Update batch file the error message "access denied" was returned.

The security breach I mentioned in the first paragraph is that any Domain user could use Reg Query to access information on anyone, including System Admins, that has logged in locally on the PDC or possibly other domain computers.

John
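The two checks the message above describes (who holds write rights on the ProfileList key, and what an ordinary user can read out of it) can be scripted on a current Windows box with PowerShell instead of the Resource Kit reg.exe batch files. The script below is an added example written for this archive page; it is not code from the original post or from the BUGTRAQ advisory it refers to. It assumes a standard registry ACL model (Get-Acl on an HKLM: path, RegistryRights flags) and treats SYSTEM and BUILTIN\Administrators as the only principals expected to hold write access; the $trusted list and the function names are choices made for this example, not anything the post specifies.

```powershell
# Added example, not part of the original mailing-list post.
# Audits the ProfileList key discussed in the message: (1) which principals other
# than SYSTEM/Administrators can modify the key, and (2) what a low-privileged
# reader can enumerate from it (the information-disclosure point John raises).

$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Any of these rights lets a principal alter the key or its subkeys.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Principals that are expected to hold write access (assumption for this example).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-RegistryWriteGrants {
    # Returns one object per Allow ACE that grants write-class rights to a
    # principal outside $Trusted. An "Everyone: Set Value, Create Subkey" entry
    # like the one in the post would show up here.
    param([string]$Path = $ProfileListKey)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Key       = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ProfileListEntries {
    # Enumerates what a reader with only Query Value / Enumerate Subkeys rights
    # can learn: the SID of every account that has ever logged on interactively
    # and the path of its profile directory (which normally embeds the username).
    param([string]$Path = $ProfileListKey)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $image = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        [pscustomobject]@{
            Sid         = $_.PSChildName
            ProfilePath = $image
        }
    }
}

# --- Run the two checks ---------------------------------------------------
$grants = @(Get-RegistryWriteGrants)
if ($grants.Count -eq 0) {
    "OK: no principal outside $($Trusted -join ', ') can write to $ProfileListKey"
} else {
    "WARNING: write-class rights granted to non-admin principals on $ProfileListKey"
    $grants | Format-Table -AutoSize
}

"Profiles enumerable by the current account:"
Get-ProfileListEntries | Format-Table -AutoSize
```

Run it twice, once elevated and once as an ordinary domain user, the same way the post compares its two batch-file runs: the first function tells you whether the key's ACL actually contains the "Everyone: Set Value, Create Subkey" grant the post reports, and the second shows how much of the logon history is readable without any write access at all. Note that Get-Acl reads the DACL rather than attempting a write, so a clean result from the first check is a statement about the ACL as stored, not a substitute for testing an actual Set Value as the low-privileged account.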
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:42 PDT