Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Microsoft NT "un-removable user" Vulnerability.
From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Wed, 6 Sep 2000 11:56:03 -0700

At 08:07 PM 9/5/00 -0600, Steve wrote:
Hash: SHA1

A vulnerability exists in the Microsoft Windows NT operating
system in which
a userid can be added which conations special characters which
are normally
not allowed. These special userids can not be removed using the
normal user
management interface as supplied from Microsoft.


A malicious user can create a user with special characters (e.g.
 “testuser;”) using a custom user management interface which does
not perform validation checks on the userid. It then can not be
removed using the standard WindowsNT user management interface.

Yes, but a simple net user ~testuser;") /delete will take care of

To add to Steve's comments -

The following API call is used to delete users:
  LPWSTR servername,
  LPWSTR username

Note that it takes a UNICODE string as the argument, as some people might
be using the Chinese or Japanese versions of NT. It would be extremely
trivial to wrap this into an application, and if you use wmain(int argc,
WCHAR* argv[]) instead of the ordinary main, your input will be in UNICODE.
Simply reading from stdin and redirecting a file into it could remove a
user with completely arbitrary characters.

I would strongly suspect that this 'vulnerability' was found because the
persons testing this did not properly quote things on the command line.  I
once had a need to determine which characters were legitimate in a user
name and wrote an app which added a user whose name was 0x01 and iterated
through all the ASCII character set.  Since I didn't want 256 users with
weird names on my box, I then used the above API call to delete them.  It
did remove them all. As it turns out, the only characters not allowed are
null and '\' - null is obvious, and the '\' isn't allowed because a fully
qualified user name is presented as domain\user, but the system won't let
you create a user with a '\' character in the name.

David LeBlanc
dleblanc () mindspring com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]