NTBugtraq And NTSecurity Archives: Re: SUBST problem

Subject: Re: SUBST problem
From: Forster, Jacques (Jacques.ForsterCOMPAQ.COM)
Date: Tue Dec 07 1999 - 02:01:52 CST


Place the attached script in your network login script to remove all subst
drives at each logon.

Cheers,

Jacques Forster
Compaq Professional Services
Solution Architect - Enterprise NT
Tel. + 32 (2) 729 71 38
Fax. + 32 (2) 729 81 30

-----Original Message-----
From: Dave Tarbatt - ACS [mailto:D.A.TarbattBOLTON.AC.UK]
Sent: Tuesday 30 November 1999 10:20
To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: SUBST problem

I've not seen this mentioned on any of the security mailing lists (NTBUGTRAQ,
BUGTRAQ etc.) and I cannot find reference to it by searching microsoft.com.
I e-mailed Microsoft about it on the 13th October but, apart from a reply
saying "we'll look into it", have had no reply as yet.

*** The problem:
Tested with NT4WS SP3 and SP5.
SUBSTed drives are persistent between different logged-on users. Users can be
misled into saving data somewhere other than where they first thought, running
trojaned executables, etc.

*** To recreate (typical example):
An ordinary user logs onto the NT workstation and maps a drive to a
subdirectory:

SUBST M: C:\TEMP

They log off.

A second user logs onto the same workstation. The SUBSTed drive is still in
effect. Their profile defines that M: be their home directory, mapped to
\\SERVER\USERNAME$. It doesn't get connected and there is no error message.
The user saves their documents to what they believe to be their home drive
(M:) but in actual fact they end up in C:\TEMP.

They log off.

The first user comes back and reads their saved documents from C:\TEMP. There
are many other possible exploits that this could be used for.

*** Workaround/fix:
None known. You could delete %WINDIR%\SYSTEM32\SUBST.EXE, but someone could
always just run their own version from a floppy, network drive or whatever.
If you reboot the machine every time before you log in, SUBSTed drives are
removed. Maybe practical on workstations where you have EXEs run from network
drives at login, not too practical on servers (but if you can't trust the
people who have access to them anyway....)

Dave,
http://redirect.to/null/
PGP fingerprint: AE23 A19C 3E5E 74F4 2193 4BB3 E154 54AF 1350 F4FC
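The script Jacques refers to is not reproduced in the archive. The following is an added example of a logon-script fragment that does what his reply describes, removing every SUBST mapping before the user's own drive mappings are made; it is not the attachment from the original message. It assumes the NT 4.0 cmd.exe (FOR /F is available), that subst.exe is still present under %SystemRoot%\system32, and that the home-drive mapping shown in the trailing comment (\\SERVER\%USERNAME%$ on M:) is the site's own convention from Dave's example.

```batch
@echo off
rem Added example: clear stale SUBST drives at logon. Not the script attached
rem to the original message. Assumes NT 4.0 cmd.exe and subst.exe in
rem %SystemRoot%\system32.

setlocal

rem Call subst.exe by full path so a copy of subst.exe on a floppy or network
rem drive that appears earlier in %PATH% is never the one we run.
set SUBST_EXE=%SystemRoot%\system32\subst.exe

rem "subst" with no arguments lists current mappings, one per line, e.g.
rem     M:\: => C:\TEMP
rem The first colon-delimited token of each line is the drive letter.
for /f "tokens=1 delims=:" %%d in ('%SUBST_EXE%') do (
    echo Removing SUBST drive %%d: left behind by a previous logon
    %SUBST_EXE% %%d: /d
)

rem With the drive letters free again, the normal home-drive mapping can be
rem made. Illustrative only; replace with the site's own mapping:
rem net use M: \\SERVER\%USERNAME%$ /persistent:no

endlocal
```

Run this before any NET USE lines in the logon script, since "net use M:" silently fails while a SUBST mapping already occupies M:, which is exactly the condition Dave's example relies on.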




This archive was generated by hypermail 2b27 : Tue Dec 07 1999 - 02:25:32 CST