Security Basics mailing list archives
Re: Win XP - Renaming administrator, possible vulnerability?
From: "Mark Kahn - Lists" <imail () cwolves com>
Date: Thu, 24 Oct 2002 13:05:37 -0400
seems like a bug to me, even if the security risk isn't huge. windows xp doesn't allow you to create a _new_ user with a name that already exists, why should it allow you to rename a user to one that already exists? -Mark ----- Original Message ----- From: "Jones, Bob" <JonesB () students svcc edu> To: <security-basics () security-focus com> Sent: Wednesday, October 23, 2002 8:37 PM Subject: Win XP - Renaming administrator, possible vulnerability?
Greetings to all, I've noticed on my WinXP machines that if I rename an existing user to another name (doesn't matter what), and rename the Administrator account
to
the former name of that user account. That I could log in to more than
one
account with this name, simply depending upon which password was entered. Something is not right with this, but I'm not at a level to determine whether this can pose any kind of security vulnerability or not.
Microsoft
says: "Since you must enter the password for the accounts then the system is operating by design." Is this just a strange bug? For example: Rename user account "user1" to "someone" rename administrator account "administrator" to "user1" Now with user1 entered in the login field, and user can enter either password to gain access to either account. Any thoughts/explanations/insights? Cheers! Bob Jones
Current thread:
- Win XP - Renaming administrator, possible vulnerability? Jones, Bob (Oct 24)
- Re: Win XP - Renaming administrator, possible vulnerability? Mark Kahn - Lists (Oct 25)
- Re: Win XP - Renaming administrator, possible vulnerability? Mike Dresser (Oct 28)
- <Possible follow-ups>
- RE: Win XP - Renaming administrator, possible vulnerability? Orr, Brian D (EMA) (Oct 25)
- RE: Win XP - Renaming administrator, possible vulnerability? Mike Dresser (Oct 29)
- Re: Win XP - Renaming administrator, possible vulnerability? Mark Kahn - Lists (Oct 25)