Re: Bug in WTS 4.0 on WinNT 4.0 sp4

From: Aaron Power (AaronPat_private)
Date: Wed Jun 09 1999 - 23:13:32 PDT


    I tried this on our test site consisting of a single WTS running Metaframe
    (no load balancing obviously) and a single BDC and could NOT replicate the
    fault as described.
    
    Are your WTS machines configured as BDC's or member servers?
    
    Aaron Power.
    
    
    -----Original Message-----
    From: mRm3n4c3 [mailto:mistrat_private]
    Sent: Wednesday, June 09, 1999 9:07 AM
    To: BUGTRAQat_private
    Subject: Bug in WTS 4.0 on WinNT 4.0 sp4
    
    
    I have recently encountered what I believe to be a bug in NT security when
    using Windows Terminal Server 4.0 on NT 4.00.1381 (Service Pack 4).
    
    The problem occurred in an environment with 2 WTS servers using Metaframe and
    running a load balancing service, two file/print servers also running Oracle
    databases, and one name server set to be PDC.
    
    The users' home directories containing WTS/NT profiles are located on the
    PDC.
    
    If you log on to the WTS and type the wrong password more than three times,
    your account gets locked out. BUT, if you choose to continue trying anyway,
    and after some time manage to type in the correct password, the WTS will let
    you log on as an 'anonymous user' account, using either a locally stored
    profile or a default profile.
    
    This is because the PDC denies access to the homedir. The funny thing is, you
    have no access to the PDC, which only replies with 'your account is locked
    out', but the WTS ignores this and lets you browse the network, map up
    locally shared drives/catalogues, run command.com / cmd.exe or
    regedit/regedt32. I have not found out what kind of access the user has at
    this point, but more than he/she should anyway...
    
    Now, the user in this example was set up like this in usermgr:
    
    Homedir path \\nt40pdc\usernameshare$
    No terminal homedir
    Allow logon, no timeouts.
    
    This means two severe problems:
    If the user's profile is unavailable for some reason, the user is logged on
    anyway.
    The 'account locked out' function does not work on WTS.
    
    Well, this should be something to work on,
    happy hunting!
    
    (][mistr][)
    (][there is no spoon][)
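The two problems the report ends with (a locked-out account still getting a session, and an unavailable profile degrading to a default one) are both instances of a logon gate that fails open. The following is an added example, not code from either poster or from Microsoft: a simplified Python model of a domain controller and a terminal server logon gate, with the fail-open ordering the report describes beside a fail-closed version. The account name, password, threshold constant and the `profile:` strings are constructed for the example; the real NT logon path is of course not this simple.

```python
"""Added example: fail-open vs fail-closed logon gate in front of a
lockout-enforcing domain controller. Names and values are constructed."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # lock after more than three bad passwords, as in the report


@dataclass
class Account:
    name: str
    password: str
    profile_available: bool = True  # False models an unreachable home directory
    bad_attempts: int = 0
    locked: bool = False


class DomainController:
    """Stands in for the PDC: owns account state and enforces the lockout."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}

    def authenticate(self, name, password):
        """Return (status, account); status is 'ok', 'bad_password',
        'locked_out' or 'unknown'. A correct password on a locked account
        is answered with 'locked_out', never 'ok'."""
        acct = self.accounts.get(name)
        if acct is None:
            return "unknown", None
        if password != acct.password:
            acct.bad_attempts += 1
            if acct.bad_attempts > LOCKOUT_THRESHOLD:
                acct.locked = True
            return "bad_password", acct
        if acct.locked:
            return "locked_out", acct
        acct.bad_attempts = 0
        return "ok", acct

    def load_profile(self, acct):
        """The PDC refuses the home directory of a locked account, and the
        share may simply be unavailable; both surface as PermissionError."""
        if acct.locked or not acct.profile_available:
            raise PermissionError("access to home directory denied")
        return f"profile:{acct.name}"


def terminal_server_logon_failopen(dc, name, password):
    """Models the reported behaviour: only a wrong password is treated as a
    failure, and a profile that cannot be loaded is replaced by a default one."""
    status, acct = dc.authenticate(name, password)
    if status in ("bad_password", "unknown"):
        return None
    # Defect being modelled: 'locked_out' falls through to profile loading,
    # and the PermissionError is swallowed instead of ending the logon.
    try:
        profile = dc.load_profile(acct)
    except PermissionError:
        profile = "profile:default"
    return {"user": name, "profile": profile}


def terminal_server_logon_failclosed(dc, name, password):
    """Hardened ordering: any answer other than 'ok' from the DC ends the
    logon, and a profile that cannot be loaded is a failed logon as well."""
    status, acct = dc.authenticate(name, password)
    if status != "ok":
        return None
    try:
        profile = dc.load_profile(acct)
    except PermissionError:
        return None
    return {"user": name, "profile": profile}


def run_scenario(gate, wrong_tries=4, profile_available=True):
    """Constructed scenario: `wrong_tries` bad passwords, then the right one.
    Returns whatever session the gate grants on the final attempt."""
    dc = DomainController([Account("mistr", "s3cret", profile_available)])
    for _ in range(wrong_tries):
        gate(dc, "mistr", "wrong-password")
    return gate(dc, "mistr", "s3cret")


if __name__ == "__main__":
    for gate in (terminal_server_logon_failopen, terminal_server_logon_failclosed):
        print(gate.__name__, "after lockout:", run_scenario(gate))
        print(gate.__name__, "profile unavailable:",
              run_scenario(gate, wrong_tries=0, profile_available=False))
```

Running the script shows the fail-open gate handing out a `profile:default` session in both cases while the fail-closed gate returns `None`; with exactly three bad attempts both gates still grant the normal session, since the lockout threshold is not crossed. The point of the comparison is the ordering: the lockout answer has to be honoured at the gate, and a missing profile has to be a reason to deny, not a reason to substitute.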
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:58 PDT