Re: NT Screen Saver Password Protect Bug
- To: NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM
- Subject: Re: NT Screen Saver Password Protect Bug
- From: David LeBlanc <dleblanc ISS.NET>
- Date: Tue, 24 Mar 1998 15:45:30 -0500
- Comments: To: Christopher L Buono <cbuono ALBANY.NET>
- In-Reply-To: <199803241501.KAA13089 loki.iss.net>
- Reply-To: David LeBlanc <dleblanc ISS.NET>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM>
At 09:27 3/24/98 -0500, Christopher L Buono wrote:
>I want to address some of the responses to my original posting. Instead of
>responding to them individually I cut and pasted them into this one email.
>
>>"Maybe I'm missing something here, but isn't this another one of those
>>"once you have admin access you can crack the system" exploits? Don't
>>you need admin to connect to C$ or Admin$? And if you're admin already
>>you can just override the locked console."
>
>Just below the procedures I outlined in my original email I wrote almost the
>exact same thing. However, below that I identified a scenario where it could
>be exploited. It involves the difference between a resource domain admin and
>a master domain admin. See the original posting below.
This isn't even a hole. The permissions on .scr files are:
D:\WINNT\system32\logon.scr BUILTIN\Administrators:(OI)(CI)F
Everyone:(OI)(CI)R
NT AUTHORITY\SYSTEM:(OI)(CI)F
If you have permissions to write that file, then you can do ANYTHING to the
system, including replace and/or add device drivers (capture all the
keystrokes, you name it).
Any time you log on to a machine, you have to have some level of trust in
the people who are admins on that box to begin with. The same thing is
true on UNIX systems - someone could have installed a keystroke monitor.
The lesson to take from this is to be aware of who the admins are, and
whether they have been compromised.
-----------------------------------------------------------
David LeBlanc | Voice: (770)395-0150 x138
Internet Security Systems, Inc. | Fax: (770)395-1972
41 Perimeter Center East | E-Mail: dleblanc iss.net
Suite 660 | www: http://www.iss.net/
Atlanta, GA 30328 |
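
The permission check discussed in the message above can be automated. The following is an added example, not part of the original post: it parses cacls-style output like the listing quoted in the message and reports any principal outside a trusted set that holds a write-capable right on the file. The trusted set, the function names, the assumption that paths contain no spaces, and the second sample (with the made-up `EXAMPLE\Helpdesk` group) are assumptions constructed for illustration.

```python
import re

# Principals expected to hold write access to system binaries (assumption).
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
# cacls right letters: F = full control, C = change, W = write (R = read, N = none).
WRITE_RIGHTS = {"F", "C", "W"}

PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<ace>.+)$")
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[A-Z])$")

# Listing as quoted in the message.
PAGE_SAMPLE = r"""
D:\WINNT\system32\logon.scr BUILTIN\Administrators:(OI)(CI)F
                            Everyone:(OI)(CI)R
                            NT AUTHORITY\SYSTEM:(OI)(CI)F
"""

# Constructed sample: a non-admin group granted Change on the same file.
WEAK_SAMPLE = r"""
D:\WINNT\system32\logon.scr BUILTIN\Administrators:(OI)(CI)F
                            EXAMPLE\Helpdesk:(OI)(CI)C
                            NT AUTHORITY\SYSTEM:(OI)(CI)F
"""

def parse_cacls(text):
    """Return {path: [(principal, right), ...]} from cacls-style output."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        first = PATH_RE.match(line)   # first line of an entry carries the path
        if first:
            current = first.group("path")
            result[current] = []
            line = first.group("ace")
        ace = ACE_RE.match(line)
        if ace and current:
            result[current].append((ace.group("who"), ace.group("right")))
    return result

def risky_writers(acl):
    """List (path, principal, right) where an untrusted principal can modify the file."""
    return [(path, who, right)
            for path, aces in acl.items()
            for who, right in aces
            if right in WRITE_RIGHTS and who not in TRUSTED]

if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("constructed", WEAK_SAMPLE)):
        print(name, risky_writers(parse_cacls(sample)))
```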