Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > NTBugtraq> 1999-q3

NTBugtraq And NTSecurity Archives: Re: Alert: Exploit of RASMAN

Re: Alert: Exploit of RASMAN service key escalates privileges

Todd Sabin (tasWEBSPAN.NET)
Fri, 17 Sep 1999 15:23:05 -0400

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Boren, Rich: "Re: Compaq CIM UG Overwrites Legal Notice"
Previous message: Boren, Rich: "(I) UPDATE - PFCUser Account, Compaq Management Agents for server s for Microsoft windows NT"
Next in thread: Arne Vidstrom: "Re: Alert: Exploit of RASMAN service key escalates privileges"

Russ <Russ.CooperRC.ON.CA> writes:
> HKLM/SYSTEM/CCS/Services/RASMan
> ImagePath=
>
> which would normally have a value of
> "%systemroot%\system32\rasman.exe", and replaces it with the value
> entered into BERTZHOLE.EXE.
>
> The permissions on this key are;
>
> Administrators=Full Control
> System=Full Control
> Everyone=Special Access...
>
> Query Value
> Create Subkey
> Enumerate Subkey
> Notify
> Read Control
>
> so clearly, he should not be permitted to change its value.
>

The Dacl on the registry key has nothing (directly) to do with the
Dacl on the service. The Dacl on the service is contained in the
Security value under the Security subkey. This is a self-relative SD
which the Service Control Manager reads from the registry and enforces
at the RPC level. The SCM (running as SYSTEM) should be the entity
changing the actual registry values.

For the RasMan service, the Dacl contained in Security\Security gives
Everyone=Full Control.

> Microsoft have been informed about the issue.
>
> In the meantime, you may want to set auditing on the key in order to
> be alerted to any change to it. We have not tried modifying the
> permissions on it to see if there's a combination which still allow it
> to function properly while preventing this exploit from working.
>

What's needed is a utility which allows examining/updating the
permissions on services. I remember hearing noises about a utility
called servperm.exe from Microsoft, but it wasn't generally available.
Perhaps the Security Configuration Manager lets you do this? I
haven't played with it enough to know.

Todd

p.s. I checked out the SDs on every service on a test box I have.
RasMan was the only one with this problem. Here's the rundown,
for the curious. For detailed meanings of the Dacl bits, consult
winsvc.h. I can tell you that 000f01ff == Full Control, though...

AMDPCN
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

Afd
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

Alerter
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

AsyncMac
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

Browser
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

ClipSrv
Revision: 1
Reserved: 0
Control : 8014
Owner : 0000009c
Group : 000000a8
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 4 aces
  0002008d : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  0002008f : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)

DHCP
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

IISADMIN
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

LanmanServer
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

LanmanWorkstation
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

LicenseService
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

LmHosts
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

MSDTC
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

MSFTPSVC
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

MSSQLServer
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

Messenger
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

NdisTapi
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

NdisWan
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

NetBIOS
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000cc
Group : 000000d8
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 6 aces
  00020000 : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : SYSTEM (S-1-5-18)
  00020000 : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)
  0000009d : BUILTIN\Users (S-1-5-32-545)

NetBT
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

NetDDE
Revision: 1
Reserved: 0
Control : 8014
Owner : 0000009c
Group : 000000a8
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 4 aces
  0002008d : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  0002008f : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)

NetDDEdsdm
Revision: 1
Reserved: 0
Control : 8014
Owner : 0000009c
Group : 000000a8
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 4 aces
  0002008d : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  0002008f : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)

Netlogon
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

NtLmSsp
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000cc
Group : 000000d8
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 6 aces
  00020000 : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : SYSTEM (S-1-5-18)
  00020000 : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)
  0000009d : BUILTIN\Users (S-1-5-32-545)

ProtectedStorage
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

RPCLOCATOR
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000cc
Group : 000000d8
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 6 aces
  00020000 : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : SYSTEM (S-1-5-18)
  00020000 : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)
  0000009d : BUILTIN\Users (S-1-5-32-545)

RasAcd
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

RasArp
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

RasAuto
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

RasMan
Revision: 1
Reserved: 0
Control : 8014
Owner : 00000054
Group : 00000060
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
000f01ff : Everyone (S-1-1-0)
Dacl: 1 aces
000f01ff : Everyone (S-1-1-0)

Rdr
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

RemoteAccess
Revision: 1
Reserved: 0
Control : 8014
Owner : 00000080
Group : 0000008c
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 2 aces
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)

Replicator
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

RpcSs
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000cc
Group : 000000d8
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 6 aces
  00020000 : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : SYSTEM (S-1-5-18)
  00020000 : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)
  0000009d : BUILTIN\Users (S-1-5-32-545)

SPUD
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

SQLExecutive
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

Srv
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

TapiSrv
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000b4
Group : 000000c0
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002008d : Everyone (S-1-1-0)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  0002008f : BUILTIN\Power Users (S-1-5-32-547)
  0000009d : Interactive (S-1-5-4)
  0000009d : BUILTIN\Users (S-1-5-32-545)

Tcpip
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

W3SVC
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

cisvc
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

vmx_svga
Revision: 1
Reserved: 0
Control : 8014
Owner : 000000c0
Group : 000000cc
Sacl : 00000014
Dacl : 00000034
Owner: SYSTEM (S-1-5-18)
Group: SYSTEM (S-1-5-18)
Sacl: 1 aces
  000f01ff : Everyone (S-1-1-0)
Dacl: 5 aces
  0002018d : Everyone (S-1-1-0)
  000201fd : BUILTIN\Power Users (S-1-5-32-547)
  000f01ff : BUILTIN\Administrators (S-1-5-32-544)
  000f01ff : BUILTIN\System Operators (S-1-5-32-549)
  000201fd : SYSTEM (S-1-5-18)

Next message: Boren, Rich: "Re: Compaq CIM UG Overwrites Legal Notice"
Previous message: Boren, Rich: "(I) UPDATE - PFCUser Account, Compaq Management Agents for server s for Microsoft windows NT"
Next in thread: Arne Vidstrom: "Re: Alert: Exploit of RASMAN service key escalates privileges"

This archive was generated by hypermail 2.0b3 on Fri Sep 17 1999 - 15:11:31 CDT