Bugtraq mailing list archives

Re: Microsoft NT "un-removable user" Vulnerability.


From: uh Clem <syke () NEWHACKCITY NET>
Date: Wed, 6 Sep 2000 18:29:30 -0700

On Tue, 5 Sep 2000, John Lange wrote:

Microsoft NT un-removable user Vulnerability.

Vulnerable: Tested on NT4 SP4. All versions of NT are thought to be
vulnerable.

A vulnerability exists in the Microsoft Windows NT operating system in which
a userid can be added which contains special characters which are normally
not allowed. These special userids cannot be removed using the normal
user management interface as supplied by Microsoft.

This seems to be (to me) a variation on a long-known "problem" that has
already been known to exist:

In the NT Native API, all strings are created and dealt with in unicode,
which is not NULL terminated. In the Win32 API, all strings are dealt with
in ANSI, which is NULL terminated.

This opens up the possibility to create a named object (regkey, file,
named pipe, probably users/groups) using the NT API that the Win32 API
will misinterpret the name of. Example:

I use NtCreateDirectoryFile() (which is completely undocumented and
unsupported by Microsoft), exported by NTDLL.DLL, to create a file
called "\0H0WDY". The NULL preceding the object name will cause the Win32
call, CreateFile() to come up with an empty string in the UNICODE to ANSI
conversion that occurs between the two APIs. This makes any references to
the object fail, since the Win32 API will never be able to pass the "true"
name down to the NT API.
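To make the two string conventions concrete, here is an added example (my own code, not from the original post or from Microsoft): it models the native API's counted string next to a NUL-terminated consumer and flags names the two layers would disagree on. The struct and function names are hypothetical, and uint16_t stands in for WCHAR so it builds without Windows headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shape of the native UNICODE_STRING: Length is in BYTES, not characters,
 * and nothing requires Buffer to end in a NUL. uint16_t stands in for WCHAR.
 * (Hypothetical names; not Microsoft's headers.) */
typedef struct {
    uint16_t Length;        /* bytes in use */
    uint16_t MaximumLength; /* bytes allocated */
    const uint16_t *Buffer;
} counted_string;

/* Characters the native API sees: the counted length, NULs included. */
size_t native_chars(const counted_string *s) {
    return s->Length / sizeof(uint16_t);
}

/* Characters a NUL-terminated consumer (the Win32 ANSI conversion) sees:
 * it stops at the first NUL, so a leading NUL yields an empty name. */
size_t nul_terminated_chars(const counted_string *s) {
    size_t n = native_chars(s);
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] == 0) return i;
    return n;
}

/* Defender's check: flag a name whose two lengths disagree, i.e. one that
 * the native API can address but Win32 tools cannot name correctly. */
int has_embedded_nul(const counted_string *s) {
    return nul_terminated_chars(s) != native_chars(s);
}

/* Constructed samples: the "\0H0WDY" name from the post, and a clean one. */
static const uint16_t howdy_hidden_buf[] = { 0, 'H', '0', 'W', 'D', 'Y' };
static const uint16_t howdy_plain_buf[]  = { 'H', '0', 'W', 'D', 'Y' };
static const counted_string HOWDY_HIDDEN =
    { sizeof howdy_hidden_buf, sizeof howdy_hidden_buf, howdy_hidden_buf };
static const counted_string HOWDY_PLAIN =
    { sizeof howdy_plain_buf, sizeof howdy_plain_buf, howdy_plain_buf };

int main(void) {
    const counted_string *names[] = { &HOWDY_HIDDEN, &HOWDY_PLAIN };
    for (size_t i = 0; i < 2; i++)
        printf("native sees %zu chars, Win32 sees %zu, flagged=%d\n",
               native_chars(names[i]), nul_terminated_chars(names[i]),
               has_embedded_nul(names[i]));
    return 0;
}
```

A scanner that enumerates objects through the native API and runs this check on each counted name catches exactly the case the post describes: a name that is non-empty to NT but empty (or shortened) to every Win32 tool.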

This is a technique one might use to make software practically
unremovable (like Netscape and AOL try to do), or to hide/disguise
files infected with trojans/virii from virus scanners.

It's about time Microsoft documented and supported this basic stuff so
that makers of security/virus scanners, etc. can make use of an API that
malicious people are probably already using.


----
love, music, wine, and revolution.

