Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Microsoft NT "un-removable user" Vulnerability.
From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Wed, 6 Sep 2000 11:56:03 -0700

At 08:07 PM 9/5/00 -0600, Steve wrote:
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A vulnerability exists in the Microsoft Windows NT operating
system in which
a userid can be added which conations special characters which
are normally
not allowed. These special userids can not be removed using the
normal user
management interface as supplied from Microsoft.

[snip]

Exploit:
A malicious user can create a user with special characters (e.g.
 “testuser;”) using a custom user management interface which does
not perform validation checks on the userid. It then can not be
removed using the standard WindowsNT user management interface.

Yes, but a simple net user ~testuser;") /delete will take care of
this.

To add to Steve's comments -

The following API call is used to delete users:
NET_API_STATUS NetUserDel(
  LPWSTR servername,
  LPWSTR username
);

Note that it takes a UNICODE string as the argument, as some people might
be using the Chinese or Japanese versions of NT. It would be extremely
trivial to wrap this into an application, and if you use wmain(int argc,
WCHAR* argv[]) instead of the ordinary main, your input will be in UNICODE.
Simply reading from stdin and redirecting a file into it could remove a
user with completely arbitrary characters.

I would strongly suspect that this 'vulnerability' was found because the
persons testing this did not properly quote things on the command line.  I
once had a need to determine which characters were legitimate in a user
name and wrote an app which added a user whose name was 0x01 and iterated
through all the ASCII character set.  Since I didn't want 256 users with
weird names on my box, I then used the above API call to delete them.  It
did remove them all. As it turns out, the only characters not allowed are
null and '\' - null is obvious, and the '\' isn't allowed because a fully
qualified user name is presented as domain\user, but the system won't let
you create a user with a '\' character in the name.


David LeBlanc
dleblanc () mindspring com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]