Bugtraq mailing list archives
Re: Microsoft NT "un-removable user" Vulnerability.
From: uh Clem <syke () NEWHACKCITY NET>
Date: Wed, 6 Sep 2000 18:29:30 -0700
On Tue, 5 Sep 2000, John Lange wrote:
> Microsoft NT un-removable user Vulnerability.
>
> Vulnerable: Tested on NT4 SP4. All versions of NT are thought to be vulnerable.
>
> A vulnerability exists in the Microsoft Windows NT operating system in which a userid can be added which contains special characters which are normally not allowed. These special userids cannot be removed using the normal user management interface as supplied from Microsoft.
This seems to be (to me) a variation on a long known "problem" that has already been known to exist: In the NT Native API, all strings are created and dealt with in unicode, which is not NULL terminated. In the Win32 API, all strings are dealt with in ANSI, which is NULL terminated. This opens up the possibility to create a named object (regkey, file, named pipe, probably users/groups) using the NT API that the Win32 API will misinterpret the name of.

Example: I use NtCreateDirectoryFile() (which is completely undocumented and unsupported by Microsoft), exported by NTDLL.DLL, to create a file called "\0H0WDY". The NULL preceding the object name will cause the Win32 call, CreateFile(), to come up with an empty string in the UNICODE to ANSI conversion that occurs between the two APIs. This makes any references to the object fail, since the Win32 API will never be able to pass the "true" name down to the NT API.

This is a technique one might use to make software practically unremovable (like Netscape and AOL try to do), or to hide/disguise files infected with trojans/viruses from virus scanners.

It's about time Microsoft documented and supported this basic stuff so that makers of security/virus scanners, etc. can make use of an API that malicious people are probably already using.

----
love, music, wine, and revolution.
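The name mismatch described in the message above, as an added example that is not part of the original post: a check a scanner could apply to names returned by a native enumeration, flagging any name that a NUL-terminated consumer would see truncated. The `counted_name` struct (a stand-in for the NT counted-string layout), the function names and the sample names are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an NT counted string: the length is in bytes
   and the buffer is not required to be NUL-terminated. */
typedef struct {
    uint16_t length_bytes;   /* bytes in use, no terminator counted */
    const uint16_t *buffer;  /* UTF-16 code units */
} counted_name;

/* UTF-16 units in the counted view (what the native layer stores). */
size_t counted_units(const counted_name *n) {
    return n->length_bytes / sizeof(uint16_t);
}

/* Units a NUL-terminated consumer would read: it stops at the first
   0x0000 unit, or at the counted end when there is none. */
size_t terminated_units(const counted_name *n) {
    size_t total = counted_units(n), i = 0;
    while (i < total && n->buffer[i] != 0)
        i++;
    return i;
}

/* 1 when the two views disagree: the name holds an embedded NUL, so
   tools built on NUL-terminated strings cannot address it by name. */
int name_is_truncated_for_cstring_apis(const counted_name *n) {
    return terminated_units(n) != counted_units(n);
}

/* Constructed sample names, as a native enumeration might return them. */
static const uint16_t hidden_buf[] = { 0, 'H', '0', 'W', 'D', 'Y' };
static const uint16_t normal_buf[] = { 'H', '0', 'W', 'D', 'Y' };
static const uint16_t middle_buf[] = { 'a', 'b', 0, 'c' };
static const counted_name sample_hidden = { sizeof hidden_buf, hidden_buf };
static const counted_name sample_normal = { sizeof normal_buf, normal_buf };
static const counted_name sample_middle = { sizeof middle_buf, middle_buf };

int main(void) {
    const counted_name *all[] = { &sample_hidden, &sample_normal, &sample_middle };
    for (size_t i = 0; i < 3; i++)
        printf("name %zu: counted=%zu terminated=%zu flagged=%d\n", i,
               counted_units(all[i]), terminated_units(all[i]),
               name_is_truncated_for_cstring_apis(all[i]));
    return 0;
}
```

A flagged name is one to report by its full counted length and raw code units, since printing it through a NUL-terminated routine would reproduce the truncation.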