Some comments on http://www.microsoft.com/security/Bulletins/ms99-026faq.asp
From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Fri, 30 Jul 1999 22:20:00 +0100
Microsoft have stated in their FAQ a number of things that I'd disagree with
or feel could do with more clarification.
Forgive the copyright infringements.
> For example, compromising a workstation would only allow the attacker to
> elevate his or her privileges on the workstation, and would not allow them
> to gain privileges on the network at large.
By definition "arbitrary code" is arbitrary - in other words the attacker can
run what _they_ want. The exploit code posted earlier today will invisibly
run a batch file. If that batch file contains a command "addme.exe \\PDC"
and addme.exe happened to call the NetGroupAddUser() Win32 function and the
trap was sprung by a domain admin then yes, they can "gain privileges on the
network at large".
> The attacker would need several things in order to exploit this
> Access to a machine that's also used by an administrator or another user
> with more privileges than the attacker has
This point will be negated shortly - see *
> The ability to modify the other user's Dialer initialization file
On Windows NT Server and Workstation the same dialer.ini file is used by
everyone. Only Terminal Server gives everyone their own ini file.
> Some means of getting the other user to run Dialer
* "Good Morning, is that technical support? Ah good - I'm having problems
Why go to a machine where an admin logs on - get them to come to you.
End rant ;-)
Arca Systems Inc, an Exodus Communications company