
Follow up - Domain user to Domain Admin - Profiles and the Registry


  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Follow up - Domain user to Domain Admin - Profiles and the Registry
  • From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
  • Date: Wed, 5 May 1999 18:00:06 +0100
  • Approved-By: Russ.Cooper@RC.ON.CA
  • Comments: cc: ntsecurity@iss.net, bugtraq@netspace.org, dleblanc@microsoft.com, scottcu@microsoft.com
  • Reply-To: Mnemonix <mnemonix@GLOBALNET.CO.UK>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

There have been some questions over whether it is possible to "trojan" a profile and get the domain administrator to pick it up. Sometimes this works over the network, sometimes not - thanks to all who have tried. Below is a sure-fire way of getting this to succeed. I have tested this on both SP3 and SP4 machines and it has worked consistently:


Network setup:

NT Server 4 (SP4) Primary Domain Controller for domain TEST is called PDC. 
NT Workstation 4 (SP4) client which is part of the TEST domain. This machine is called CLIENT.

The Administrator has a local profile stored on PDC.
All other domain users have a roaming profile - their profiles are stored in the %systemroot%\profiles directory which is shared as Profiles (\\PDC\profiles)
The share permissions give Everybody Full Control of the share, but NTFS permissions are used to tighten access to other people's profiles, meaning that only the user can access their profile in any way (with the exception of Administrators).

Domain User testacc logs onto CLIENT. Using reg.exe or a tool of their own making, they access the Registry of PDC. The winreg key on PDC specifies that only Administrators may access the registry remotely, but the AllowedPaths specify that HKLM\Software\Microsoft\Windows NT\CurrentVersion is an allowed path. This is the default. testacc changes the Administrator's ProfileImagePath to point to %systemroot%\profiles\testacc and then places a self-deleting batch file in the Start Up folder. This batch file, when run with enough privileges, will add testacc to the Domain Admins group. The next time Administrator logs onto PDC, they pick up testacc's profile and the batch file is run, making testacc a domain admin.

If anyone still cannot repro this with this setup, then please let me know.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com
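The two conditions the post relies on (winreg's AllowedPaths exposing the CurrentVersion subtree to remote non-administrators, and a ProfileList entry redirected into another user's profile directory) can be audited over the same remote registry interface the attack uses. The PowerShell below is an added example and is not part of the original post or of NTBugtraq; it assumes a current Windows host with the Remote Registry service reachable, PowerShell 5.1 or later, and that profiles normally live directly under the -ExpectedProfileRoot you pass (the default 'C:\Users' is an assumption about the target's layout; on NT4, as in the post, it was %SystemRoot%\Profiles). The key and value names are the real ones the post refers to; the script file name and parameter names are the example's own.

```powershell
# Added example (not from the original post). Audits one host, over remote
# registry (winreg), for the two conditions the trojaned-profile attack needs:
# AllowedPaths exposing CurrentVersion to remote non-admins, and a ProfileList
# entry whose ProfileImagePath points into another user's profile directory.
# Assumptions: Remote Registry is reachable on $Computer, PowerShell 5.1+, and
# every profile normally sits directly under $ExpectedProfileRoot.
param(
    [Parameter(Mandatory = $true)]
    [string]$Computer,

    # Compared textually against the *unexpanded* ProfileImagePath values, so
    # give it in the form the target stores (e.g. '%SystemRoot%\Profiles' on
    # NT4). The default is an assumption for current Windows.
    [string]$ExpectedProfileRoot = 'C:\Users'
)

$cvPath   = 'Software\Microsoft\Windows NT\CurrentVersion'
$findings = New-Object 'System.Collections.Generic.List[string]'

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)

# Check 1: winreg\AllowedPaths\Machine lists subtrees that remote callers may
# reach even though the winreg key's ACL would otherwise stop them. If
# CurrentVersion is listed (the default the post relies on), what a remote
# domain user can do to ProfileList is governed only by that key's own ACL.
$allowedKey = $hklm.OpenSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths')
$machinePaths = @()
if ($allowedKey) { $machinePaths = @($allowedKey.GetValue('Machine')) }
if ($machinePaths -icontains $cvPath) {
    $findings.Add(("AllowedPaths\Machine lists '{0}', so remote non-admins bypass " +
                   "the winreg ACL for that subtree (ProfileList included)") -f $cvPath)
}

# Check 2: read every ProfileList entry's ProfileImagePath unexpanded, so the
# stored text (for example %SystemRoot%\profiles\testacc) is inspected as written.
$profileList = $hklm.OpenSubKey("$cvPath\ProfileList")
$entries = @(foreach ($sid in $profileList.GetSubKeyNames()) {
    $k = $profileList.OpenSubKey($sid)
    if (-not $k) { continue }
    $raw = $k.GetValue('ProfileImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($null -eq $raw) { continue }
    $path   = ([string]$raw).TrimEnd('\')
    $cut    = $path.LastIndexOf('\')
    $parent = if ($cut -gt 0) { $path.Substring(0, $cut) } else { '' }
    [pscustomobject]@{
        Sid     = $sid
        Path    = $path
        Parent  = $parent
        IsAdmin = ($sid -match '-500$')   # RID 500 = built-in Administrator
    }
})

# 2a: an entry whose parent is not the profile root has been redirected
# somewhere unexpected; the Administrator's is the one the post targets.
foreach ($e in $entries) {
    if ($e.Parent -ine $ExpectedProfileRoot.TrimEnd('\')) {
        $who = if ($e.IsAdmin) { "$($e.Sid) (Administrator)" } else { $e.Sid }
        $findings.Add(("{0}: ProfileImagePath '{1}' is not directly under '{2}'" -f
                       $who, $e.Path, $ExpectedProfileRoot))
    }
}

# 2b: two SIDs naming one directory is the signature of the trojaned profile:
# after the attack, Administrator's entry and testacc's both point at testacc's folder.
$shared = $entries | Group-Object { $_.Path.ToLowerInvariant() } | Where-Object Count -gt 1
foreach ($g in $shared) {
    $who = ($g.Group | ForEach-Object {
        if ($_.IsAdmin) { "$($_.Sid) (Administrator)" } else { $_.Sid } }) -join ', '
    $findings.Add(("Profile directory '{0}' is shared by: {1}" -f $g.Group[0].Path, $who))
}

if ($findings.Count -eq 0) {
    "{0}: AllowedPaths does not expose CurrentVersion; {1} ProfileList entries are consistent" -f $Computer, $entries.Count
} else {
    foreach ($f in $findings) { Write-Warning ("{0}: {1}" -f $Computer, $f) }
}
```

Saved as, say, Audit-ProfileList.ps1, it is run as `.\Audit-ProfileList.ps1 -Computer PDC -ExpectedProfileRoot '%SystemRoot%\Profiles'` for a layout like the one in the post. Check 1 firing on its own is not a compromise: the AllowedPaths entry for CurrentVersion is still the default on current Windows, but there the ProfileList key's ACL denies writes to non-administrators and the Remote Registry service is off by default on client editions. Check 2b is the direct indicator of the attack described here, because the only way two ProfileList entries end up naming one directory is that someone rewrote one of them.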