From: Psychic Donkey the Second (psydii@yahoo.com)
Date: Mon Feb 04 2002 - 11:31:52 CST
Isn't this all ancient news? I know I played around with a file-locking
utility on Win95's config.pol on NT4 (circa '98), and I'm fairly sure we
did it on config.pol on MS LanMan 2.x too (95/6, but that was long ago
and many of these things become blurred with time :o)
It may have even been well documented by various students as a
technique for bypassing some RM Connect (a UK Schools IT solution that
employed win9x/NTserver + custom tools) security. I haven't looked.
psydii
--- "Y. W. Ko" <ywko@comcast.net> wrote:
> Done some more digging....
>
> Took a look at the source code for "locker" downloaded from:
> http://www.geocities.com/robertrota2002/
>
> The mechanism used is not FileLock, but rather opening a file (using
> CreateFile()) with a sharemode of 0. I subsequently wrote a command line
> version and did some more experiments...
>
> It turns out that, as the original advisory
> (http://cert.uni-stuttgart.de/archive/bugtraq/2001/12/msg00080.html)
> suggested, you can use the same mechanism to lock any *.exe and *.dll,
> requiring only Read access. Tried it on a W2K workstation: locking
> "cmd.exe" would stop anyone from running the DOS prompt, AND locking
> wsock32.dll would stop things like telnet and Internet Explorer, and
> presumably other winsock-based services, from working altogether. PLUS,
> it even works through a share, again requiring only share-level Read
> access.
>
> Am I therefore right in thinking that the Group Policy exploit is just an
> example of other more interesting things to come....
>
> Thanks,
>
> Ko
>
>
> > -----Original Message-----
> > From: Y. W. Ko [mailto:ywko@comcast.net]
> > Sent: Friday, February 01, 2002 5:33 PM
> > To: Skinner, Kit; 'Laura A. Robinson'; rob rota; focus-ms@securityfocus.com
> > Subject: RE: Windows 2000/.Net Group Policy Locker
> >
> >
> > Surely, the said file locking behavior under NT/2000 must have much wider
> > implications than just Group Policies. Just consider all the
> > system/application files that need to be readable by everyone.
> >
> > While doing some experiments to convince myself, it seems that an
> > EXCLUSIVE lock would prevent other processes from reading the file (eg.
> > *.exe, *.dll), but it doesn't seem to prevent the file from being
> > executed, thankfully. Any insight? (It doesn't take an expert to figure
> > out why I was trying those files :-))
> >
> > Cheers,
> >
> > Ko
> >
> > > -----Original Message-----
> > > From: Skinner, Kit [mailto:KSkinner@sandstream.com]
> > > Sent: Thursday, January 31, 2002 3:08 PM
> > > To: 'Laura A. Robinson'; rob rota; focus-ms@securityfocus.com
> > > Subject: RE: Windows 2000/.Net Group Policy Locker
> > >
> > >
> > > They use the fact that WinNT allows files to be locked (EXCLUSIVELY) by
> > > anyone that has at least read-only access to the file. They have a link
> > > on their site that points to the German CERT discussion of it:
> > >
> > > http://cert.uni-stuttgart.de/archive/bugtraq/2001/12/msg00080.html
> > >
> > > As pointed out in the discussion, since someone can place an exclusive
> > > lock on a read-only file, and all authenticating users need access to
> > > Group Policies, this program finds all copies of the Group Policies and
> > > places exclusive locks on the files, preventing other users from
> > > accessing them.
> > >
> > > -K
> >
> >
>
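[Editor's note, added example, not part of the thread or of the "locker"
tool: the behaviour Ko describes above (a CreateFile() open with a share
mode of 0, needing only Read access) maps directly onto .NET's
FileShare.None, so it can be reproduced and checked from PowerShell
without writing any C. The script below holds such a handle on a file,
shows that a second open from any process fails with a sharing
violation, and includes a small Test-FileLocked check that distinguishes
a sharing violation (error 32) from other open failures. The target path
is a placeholder, and the sample file is constructed so the script runs
on its own; the script names and parameter are my own, not the thread's.]

```powershell
# Added example (not from the thread): reproduce the share-mode-0 lock
# that "locker" uses, plus the check a defender can run to see whether a
# file is currently held that way.
# $Path is an assumed placeholder; point it at any file the current
# account can read (a test copy of a .dll, a .pol file on a share, ...).
param([string]$Path = "$env:TEMP\locktest.dll")

# Constructed sample target so the script runs offline.
if (-not (Test-Path $Path)) { Set-Content -Path $Path -Value 'constructed sample' }

function Lock-FileExclusive {
    param([Parameter(Mandatory)][string]$Path)
    # FileShare.None is dwShareMode = 0 in CreateFile(): every other open
    # of the file fails with ERROR_SHARING_VIOLATION (32) while this
    # handle is held. Only FileAccess.Read is requested, so Read
    # permission (NTFS or share-level) is enough.
    return [System.IO.File]::Open($Path,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::None)
}

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    # Open for read while permitting all sharing; if even that fails with
    # a sharing violation, someone else holds a non-shared handle.
    try {
        $fs = [System.IO.File]::Open($Path,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            ([System.IO.FileShare]::ReadWrite -bor [System.IO.FileShare]::Delete))
        $fs.Dispose()
        return $false
    } catch [System.IO.IOException] {
        # Low 16 bits of HRESULT 0x80070020 = 32 = ERROR_SHARING_VIOLATION.
        # Anything else (not found, access denied) is not a lock.
        return (($_.Exception.HResult -band 0xFFFF) -eq 32)
    }
}

"Before lock:   locked = $(Test-FileLocked $Path)"
$handle = Lock-FileExclusive $Path
try {
    "While held:    locked = $(Test-FileLocked $Path)"
    # Any reader, in this or another process, now gets a sharing violation:
    try { Get-Content -Path $Path -ErrorAction Stop | Out-Null }
    catch { "Get-Content failed as expected: $($_.Exception.Message)" }
} finally {
    # The denial lasts exactly as long as the handle does.
    $handle.Dispose()
}
"After release: locked = $(Test-FileLocked $Path)"
```

Run it as `.\locktest.ps1 -Path C:\some\readable\file.dll` from one
PowerShell session and call Test-FileLocked from a second one while the
first is waiting, to see the cross-process effect. Two points worth
keeping in mind when reading the thread: the lock exists only while the
opening process keeps the handle, so finding and ending the holder (for
example with Sysinternals handle.exe or Process Explorer) releases it;
and Test-FileLocked deliberately treats "access denied" and "not found"
as not locked, since only error 32 indicates a competing share mode.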