
List:       bugtraq
Subject:    Some comments on
From:       Mnemonix <mnemonix () GLOBALNET ! CO ! UK>
Date:       1999-07-30 21:20:00

Microsoft have stated in their FAQ a number of things that I'd disagree with
or feel could do with more clarification.

Forgive the copyright infringements.

>For example, compromising a workstation would only allow the attacker to
>elevate his or her privileges on the workstation, and would not allow them
>to gain privileges on the network at large.

By definition "arbitrary code" is arbitrary - in other words the attacker can
run what _they_ want. The exploit code posted earlier today will invisibly
run a batch file. If that batch file contains a command "addme.exe \\PDC"
and addme.exe happened to call the NetGroupAddUser() Win32 function and the
trap was sprung by a domain admin then yes, they can "gain privileges on the
network at large".

>The attacker would need several things in order to exploit this
>vulnerability:
>Access to a machine that's also used by an administrator or another user
>with more privileges than the attacker has

This point will be negated shortly - see *

>The ability to modify the other user's Dialer initialization file

On Windows NT Server and Workstation the same dialer.ini file is used by
everyone. Only Terminal Server gives everyone their own ini file.

>Some means of getting the other user to run Dialer
* "Good Morning, is that technical support? Ah good - I'm having problems
with...."
Why go to a machine where an admin logs on - get them to come to you.

End rant ;-)
Cheers,
David Litchfield
Arca Systems Inc, an Exodus Communications company
http://www.arca.com
http://www.infowar.co.uk/mnemonix
