OSEC

 
From: Nelson Brito (nelsonSECUNET.COM.BR)
Date: Thu Feb 15 2001 - 14:35:19 CST


    Well, like Ben told me, people are confused.

    OK, I'll try to make myself more clear.

    1 - When I said ordinary users have *WRITE ACCESS* on C$ (C:\ ==
    %SystemDrive%) and ADMIN$ (C:\WINNT == %SystemRoot%) by default, I meant
    ordinary (malicious) users have write access on their own C$ and ADMIN$,
    by default.

    The ordinary (maybe malicious) users can place both files (once again,
    AUTORUN2.EXE and AUTORUN.INF, INF instead of INI) in those "ROOT
    DIRECTORIES" (SHARED).

    When a Domain Admin mounts the user's share, he'll execute the
    "arbitrary code".

    2 - Like I said: "If you already have write access to the Admin's
    Home Directory, you are an Admin, so the only thing you could do is:
    test the potential vulnerability."

    It was a BIG mistake to use HOME DIRECTORY as an example, excuse me,
    again.

    3 - If you find a *WRITABLE SHARE* like \\MACHINE\Users or
    \\MACHINE\Application or \\MACHINE\Backup on the network, you can run
    the following commands I already posted:
    C:\> qtip -u <target> 1> users.txt
    C:\> FOR /F "tokens=1,*" %i IN (users.txt) DO net use \\TARGET\SHARE$ %i /u:%i

    So, you can put the files there and wait for the Admin to mount those
    SHARES to do "things".

    4 - There are a lot of scenarios that we could explain and exploit, but
    it's not my main goal, so you can get your own ideas. ;)

    5 - I never saw this problem listed in "Windows NT's Checklists", did
    you?

    PS: Thanks to Ben for letting me explain my own ideas.

    PPS: If someone is still confused about this vulnerability, please read
    Eric Stevens' original post at:
    http://www.securityfocus.com/archive/1/47338

    PPPS: The point was misunderstood. With the code, I can do a lot of
    "things": test, penetrate, escalate privileges, send messages to you
    when the code is executed, etc... Focus...

    Ohhh... don't forget, change the "autorun.ini" to "autorun.inf".

    Thanks in advance.

    Sem mais, (in English "No More" :)))

    --
    Nelson Brito
    "Windows NT can also be protected from nmap OS detection scans thanks
    to *Nelson Brito* ..."
                  Excerpt from the book "Hack Proofing your Network", page 93
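The post above describes the attacker side: drop AUTORUN.INF plus an executable into the root of a writable share and wait for an administrator to mount it. The defender-side check a practitioner would want is a sweep of share roots for exactly that pairing. The script below is an added example written for this archive page; it is not code from Nelson Brito, from the thread, or from any vendor. It assumes only the standard autorun.inf layout (an [autorun] section whose "open" or "shellexecute" key names a program to run). The share roots it scans are a constructed temporary directory tree standing in for \\MACHINE\Users, \\MACHINE\Application and \\MACHINE\Backup; point scan_shares() at real mounted share paths to use it for an actual sweep. Whether a given Windows version honours autorun.inf on a mapped share is outside what this check decides; it only reports the planted files.

```python
"""Sweep share roots for an autorun.inf that launches a file shipped beside it.

Added example for the mailing-list post; not the poster's code.
Assumption (labelled): only the [autorun] section's "open" and "shellexecute"
keys are treated as launch instructions.
"""
import configparser
import os
import tempfile
from dataclasses import dataclass

EXEC_KEYS = ("open", "shellexecute")  # keys that name something to execute


@dataclass
class AutorunFinding:
    share_root: str        # directory that was scanned
    key: str               # which [autorun] key names the program
    target: str            # raw value of that key
    payload_present: bool  # True if the named file sits in the same root


def parse_autorun(text):
    """Return the [autorun] section as {lower-case key: value}, or {} if absent/unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # no section header, junk lines, etc.
        return {}
    for section in cp.sections():       # section names are case-sensitive in configparser
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def executable_name(value):
    """Extract the bare program name from an open=/shellexecute= value.

    Handles  open=AUTORUN2.EXE /s  and  open="my prog.exe" /s  and sub-paths.
    """
    if value.startswith('"'):
        end = value.find('"', 1)
        exe = value[1:end] if end > 0 else value[1:]
    else:
        exe = value.split()[0]
    return os.path.basename(exe.replace("\\", "/")).lower()


def scan_share_root(root):
    """Report launch entries in <root>/autorun.inf (any case) and whether the payload is beside it."""
    findings = []
    try:
        names = os.listdir(root)
    except OSError:                     # unreachable or unreadable share
        return findings
    by_lower = {n.lower(): n for n in names}   # NTFS/SMB names are case-insensitive
    inf_name = by_lower.get("autorun.inf")
    if inf_name is None:
        return findings
    with open(os.path.join(root, inf_name), encoding="latin-1", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    for key in EXEC_KEYS:
        if entries.get(key):
            present = executable_name(entries[key]) in by_lower
            findings.append(AutorunFinding(root, key, entries[key], present))
    return findings


def scan_shares(roots):
    """Scan several share roots and return all findings in input order."""
    out = []
    for r in roots:
        out.extend(scan_share_root(r))
    return out


def build_demo_tree():
    """Constructed sample data: three share roots, one fully planted, one with a dangling inf."""
    base = tempfile.mkdtemp(prefix="shares_")
    for share in ("Users", "Application", "Backup"):
        os.makedirs(os.path.join(base, share))
    users = os.path.join(base, "Users")
    with open(os.path.join(users, "AUTORUN.INF"), "w") as fh:   # the pairing the post describes
        fh.write("[autorun]\r\nopen=AUTORUN2.EXE /s\r\nicon=AUTORUN2.EXE,0\r\n")
    with open(os.path.join(users, "AUTORUN2.EXE"), "wb") as fh:
        fh.write(b"MZ")                 # placeholder bytes, not a real executable
    with open(os.path.join(base, "Backup", "autorun.inf"), "w") as fh:   # payload missing
        fh.write("[AutoRun]\nshellexecute=setup.exe\n")
    return base


def run_demo():
    """Build the constructed tree, scan it, and return the findings."""
    base = build_demo_tree()
    return scan_shares(os.path.join(base, s) for s in ("Users", "Application", "Backup"))


if __name__ == "__main__":
    for f in run_demo():
        flag = "PAYLOAD PRESENT" if f.payload_present else "payload missing"
        print(f"{f.share_root}: {f.key}={f.target!r} ({flag})")
```

On a real network the interesting output is the PAYLOAD PRESENT lines: an autorun.inf in a share root whose named program is sitting right next to it, which is the condition the post sets up on \\MACHINE\Users-style shares. A dangling reference (inf present, program absent) is still worth a look, since the payload may simply not have been dropped yet.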