Bugtraq mailing list archives
Comments on NT user list exploit
From: webroot () WEBROOT COM (webroot)
Date: Mon, 5 May 1997 14:19:25 -0400
A colleague of mine recently asked Microsoft if they would be releasing a fix for this problem. They responded by stating that this is not a bug and is a "non-issue" in their eyes. I would greatly appreciate comments on whether the security community believes this is a "non-issue" also. IMHO, I feel this is a major threat to NT networks. Granted the exploit cannot be performed over the Internet (this may be possible and is being investigated), but I don't enjoy the idea of anyone on my Intranet being able to get an entire user list including descriptions and group memberships without permission. (Being able to see a user's group memberships is yet another example that renaming the admin account is useless.)

I'm sure that most of you are aware that recent studies show 85% of break-ins happen internally. Having a valid user name is a solution to half the problem of compromising an account, being able to view group memberships allows for the selection of powerful accounts to target, and being able to view user descriptions can help with the guessing of passwords.

Note: This exploit can be accomplished by ANYONE that installs NT server onto their computer. To perform my tests I used a barebones laptop, installed NT server on it and found a network line at an open office in my building to jack into; from there I was able to obtain user listings from all other NT servers on the LAN without having to authenticate myself to them!

For those of you that didn't see my first post on how this exploit works, here it is again:

1. Connect an NT server to the same network as the target NT server.
2. From the USER MANAGER, create a trust relationship with the target. When prompted for a password, enter whatever you want; it doesn't matter. You will get a response stating that NT couldn't verify the trust (this is because of the invalid password). However, the target will now be on your trusting list.
3. Launch NT Explorer and right click on any folder.
4. Select SHARING.
5. From the SHARED window, select ADD.
6. From the ADD menu, select your target NT server.
7. You will now see the entire group listing of the target. And if you select SHOW USERS, you will see the entire user listing, including full names and descriptions.

Comments are appreciated, maybe this should be considered a "non-issue" and we should all just forget about it :).

Steve Thomas
Vice President of Operations
Innovative Protection Solutions
http://www.ips-corp.com/