Bugtraq mailing list archives

Alert: Utility allows any user to become a member of local Admini
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 8 Jul 1997 06:57:11 -0500


---------- Forwarded message ----------
Date: Fri, 4 Jul 1997 19:54:00 -0400
From: Russ <Russ.Cooper () RC ON CA>
To: NTBUGTRAQ () RC ON CA
Subject: Alert: Utility allows any user to become a member of local Administrators group.

Today a utility was posted publicly which allows any user on an NT
system to become a member of the Administrators group of that system.
Testing is currently underway to determine the extent of the utility's
capabilities (e.g. whether it's possible to become a domain Administrator
on a PDC or BDC). It is not possible to use the utility to make a domain
user a member of the domain administrators group, but it does work on
local accounts.

The utility requires no privileges, beyond those any normal user would
have, to allow it to do its work.

Microsoft have been notified (via email and Premiere support) and
supplied copies of the utility.

Here are David LeBlanc's initial comments;
  This utility consists of a DLL and an .exe, which adds a user to the
  administrator group.  The DLL contains the imports LsaOpenPolicy(), and
  LsaClose(), which leads me to believe that it is opening the LSA object,
  and has managed to manipulate it in some manner, perhaps by intercepting
  a system call.

  This utility only works against a local account, and seems to have no
  effect vs. a domain account.

  It also creates a registry key: HKLM\Software\AntiShut, which will give an
  indication if it has been run.  This key is created every time the app has
  been run, regardless of whether it succeeds.

  I'm still investigating how it works, what it does, etc.

  David LeBlanc
  dleblanc () mindspring com

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list:
http://ntbugtraq.rc.on.ca/index.html
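
A host check built on the two facts in the message above (the HKLM\Software\AntiShut key and local Administrators membership), added here as an example and not part of the original post. It assumes a current Windows host with PowerShell 5.1 and its LocalAccounts cmdlets; the function name and the `$ExpectedAdmins` baseline are hypothetical.

```powershell
# Added example, not from the original post.
# $ExpectedAdmins is a hypothetical baseline; replace it with the accounts
# that are supposed to be local administrators on this host.
function Test-AntiShutIndicator {
    param(
        [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\Administrator")
    )

    # Indicator named in the post. The key is created on every run of the
    # utility, whether or not the run succeeded, so its presence alone does
    # not show that an account was added.
    $keyPresent = Test-Path -Path 'HKLM:\Software\AntiShut'

    # S-1-5-32-544 is the well-known SID of the local Administrators group;
    # using the SID avoids depending on the group's localized name.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object -ExpandProperty Name)

    # -notin compares case-insensitively, which matches account-name semantics.
    $unexpected = @($members | Where-Object { $_ -notin $ExpectedAdmins })

    $assessment = if ($keyPresent -and $unexpected.Count -gt 0) {
        'AntiShut key present and Administrators has members outside the baseline'
    } elseif ($keyPresent) {
        'AntiShut key present; Administrators membership matches the baseline'
    } elseif ($unexpected.Count -gt 0) {
        'No AntiShut key, but Administrators has members outside the baseline'
    } else {
        'No indicator found'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AntiShutKey      = $keyPresent
        UnexpectedAdmins = $unexpected
        Assessment       = $assessment
    }
}

Test-AntiShutIndicator | Format-List
```

The key only records that the utility was executed, so the membership comparison is what separates an attempt from a changed Administrators group.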


