Bugtraq mailing list archives
Re: Microsoft NT "un-removable user" Vulnerability.
From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Wed, 6 Sep 2000 11:56:03 -0700
At 08:07 PM 9/5/00 -0600, Steve wrote:
A vulnerability exists in the Microsoft Windows NT operating system in which a userid can be added which contains special characters which are normally not allowed. These special userids can not be removed using the normal user management interface as supplied from Microsoft.
[snip]
Exploit: A malicious user can create a user with special characters (e.g. testuser;) using a custom user management interface which does not perform validation checks on the userid. It then can not be removed using the standard WindowsNT user management interface.
Yes, but a simple net user ~testuser;") /delete will take care of this.
To add to Steve's comments - The following API call is used to delete users:

    NET_API_STATUS NetUserDel(
        LPWSTR servername,
        LPWSTR username
    );

Note that it takes a UNICODE string as the argument, as some people might be using the Chinese or Japanese versions of NT. It would be extremely trivial to wrap this into an application, and if you use wmain(int argc, WCHAR* argv[]) instead of the ordinary main, your input will be in UNICODE. Simply reading from stdin and redirecting a file into it could remove a user with completely arbitrary characters.

I would strongly suspect that this 'vulnerability' was found because the persons testing this did not properly quote things on the command line.

I once had a need to determine which characters were legitimate in a user name and wrote an app which added a user whose name was 0x01 and iterated through all the ASCII character set. Since I didn't want 256 users with weird names on my box, I then used the above API call to delete them. It did remove them all. As it turns out, the only characters not allowed are null and '\' - null is obvious, and the '\' isn't allowed because a fully qualified user name is presented as domain\user, but the system won't let you create a user with a '\' character in the name.

David LeBlanc
dleblanc () mindspring com
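The wrapper described in the message above (read the account name from redirected stdin and hand it to NetUserDel), written out as an added example; it is not code from the post or from Microsoft. It assumes the redirected file holds only the account name as UTF-16LE, and `parse_username` and `MAX_NAME` are names made up here; on Windows, link with netapi32.lib.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#include <io.h>
#include <fcntl.h>
#endif
#define MAX_NAME 256 /* buffer size in UTF-16 units, chosen for this example */

/* Decode UTF-16LE bytes into out[] as a NUL-terminated name. A leading BOM is
   dropped; nothing else is trimmed, so a CR/LF in the file is part of the name.
   Returns the length in code units, or -1 if the input is empty, odd-sized,
   too long, or contains NUL or '\' (the two characters the post says NT refuses). */
int parse_username(const unsigned char *buf, size_t n, uint16_t *out, size_t cap)
{
    size_t i, len = 0;
    if (n % 2 != 0) return -1;
    for (i = 0; i < n; i += 2) {
        uint16_t c = (uint16_t)(buf[i] | (buf[i + 1] << 8));
        if (i == 0 && c == 0xFEFF) continue;     /* byte-order mark */
        if (c == 0 || c == '\\') return -1;
        if (len + 1 >= cap) return -1;           /* keep room for the NUL */
        out[len++] = c;
    }
    if (len == 0) return -1;
    out[len] = 0;
    return (int)len;
}

int main(void)
{
    unsigned char buf[2 * MAX_NAME];
    uint16_t name[MAX_NAME];
#ifdef _WIN32
    _setmode(_fileno(stdin), _O_BINARY);         /* no CR/LF or Ctrl-Z translation */
#endif
    size_t n = fread(buf, 1, sizeof buf, stdin);
    int len = parse_username(buf, n, name, MAX_NAME);
    if (len < 0) { fprintf(stderr, "input is not a usable user name\n"); return 2; }
#ifdef _WIN32
    /* NULL server name = local machine; the name never passes through a shell */
    NET_API_STATUS rc = NetUserDel(NULL, (LPWSTR)name);
    fprintf(stderr, "NetUserDel returned %lu\n", (unsigned long)rc);
    return rc == NERR_Success ? 0 : 1;
#else
    fprintf(stderr, "parsed %d UTF-16 units; NetUserDel is Windows-only\n", len);
    return 0;
#endif
}
```

Because the name arrives as raw bytes on stdin, the command-line quoting problem the message suspects never comes into play.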