Re: Win XP - Renaming administrator, possible vulnerability?

["Mark Kahn - Lists" <imail () cwolves com>]

seems like a bug to me, even if the security risk isn't huge.  windows xp
doesn't allow you to create a _new_ user with a name that already exists,
why should it allow you to rename a user to one that already exists?

-Mark

----- Original Message -----
From: "Jones, Bob" <JonesB () students svcc edu>
To:     <security-basics () security-focus com>
Sent: Wednesday, October 23, 2002 8:37 PM
Subject: Win XP - Renaming administrator, possible vulnerability?


> Greetings to all,
>
> I've noticed on my WinXP machines that if I rename an existing user to
> another name (doesn't matter what), and rename the Administrator account
to
> the former name of that user account.  That I could log in to more than
one
> account with this name, simply depending upon which password was entered.
> Something is not right with this, but I'm not at a level to determine
> whether this can pose any kind of security vulnerability or not.
Microsoft
> says:  "Since you must enter the password for the accounts then the system
> is operating by design."  Is this just a strange bug?
>
> For example:
> Rename user account "user1" to "someone"
> rename administrator account "administrator" to "user1"
> Now with user1 entered in the login field, and user can enter either
> password to gain access to either account.
>
> Any thoughts/explanations/insights?
>
> Cheers!
>
> Bob Jones