Vulnerability Development mailing list archives
WinNT system->domain admin
From: Illes Marci <illes () C3 HU>
Date: Tue, 21 Nov 2000 00:10:19 +0100
Hi All,

I was playing with one of our company's WinNT boxes to figure out how to gain domain admin access from system privileges. I finally managed to do so, but I had some questions. I hope it's not absolutely off-topic, or an everybody-knows thing.

I started with the well-known IIS bug. In our environment, which is more or less a default install, IIS runs as SYSTEM. I managed to upload an ncx99.exe, which helped my life. We use Exchange and webaccess to read our mail remotely. (I know it is not secure running IIS and XCH on the same box, and running IIS on a connected box which is a member of the domain.)

So, I could gain SYSTEM privs on the box, which is fine, but I was interested in the other computers as well. (I could install a sniffer on the box and catch some passwds, but I didn't like this way.) I took a closer look at the XCH service; it ran as a Domain Admin user. Great! All I had to do was to make the XCH service start my ncx.exe. I checked the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\XCH] or whatever it is called. It has a field called "ImagePath", which contains the executable to run when the system starts. All I had to do was change this value to the location of ncx.exe. As SYSTEM it didn't cause any problem. I stopped the service with "net stop", I rewrote the registry, and restarted the service (net start). It complained of some errors, but it also started my ncx99.exe, though it stopped after a minute. It is enough to connect to port 99, where I have a shell with Domain Admin privs. Now, I own the domain! I tried it with other services and it worked fine.

I was wondering if it works for anybody else? (WinNT4 SP6a, IIS4, no hot-fixes) As you can see, having SYSTEM privs on a box running any service as Domain Admin means you have Domain Admin privs. I guess there are several other ways of doing this. I don't have any other systems to check it on; could anyone confirm it? Is W2K also vulnerable?
Regards,
Marci

PS: I was just wondering if it is possible to dump a single mailbox from the XCH's huge database?
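An added defensive check (example code, not part of Marci's post) that audits the two conditions the post relies on: services configured to log on as a domain account, and a rewrite of a service's ImagePath value. Service names, accounts, paths and the event records are constructed; the event shape loosely follows a Sysmon-style "registry value set" record and is an assumption about the log source.

```python
import re

# ImagePath value under the Services key; hive prefix spelling is assumed.
IMAGEPATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Directories where service binaries are expected to live (site-specific assumption).
TRUSTED_DIRS = (r"c:\winnt\system32\\".rstrip("\\") + "\\", r"c:\program files\\".rstrip("\\") + "\\")

# Constructed registry-change events: the first is the ImagePath rewrite from the post.
EVENTS = [
    {"user": "NT AUTHORITY\\SYSTEM",
     "target": r"HKLM\System\CurrentControlSet\Services\ExchangeSvc\ImagePath",
     "details": r"C:\inetpub\scripts\ncx99.exe"},
    {"user": "NT AUTHORITY\\SYSTEM",
     "target": r"HKLM\System\CurrentControlSet\Services\ExchangeSvc\Start",
     "details": "DWORD (0x00000002)"},
    {"user": "CORP\\Installer",
     "target": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\WINNT\system32\spoolss.exe"},
]

# Constructed service inventory (name, logon account), as an admin would collect it.
SERVICES = [
    {"name": "ExchangeSvc", "account": "CORP\\xchadmin"},
    {"name": "W3SVC", "account": "LocalSystem"},
    {"name": "Spooler", "account": "LocalSystem"},
]

def find_imagepath_changes(events, trusted_dirs=TRUSTED_DIRS):
    """Return (service, new_path, trusted) for every ImagePath value-set event."""
    findings = []
    for ev in events:
        m = IMAGEPATH_RE.match(ev["target"])
        if m is None:
            continue  # some other value under the key, e.g. Start
        path = ev["details"].strip().strip('"').lower()
        findings.append((m.group(1), ev["details"], path.startswith(trusted_dirs)))
    return findings

def domain_account_services(inventory):
    """Services whose logon account is a domain account: the exposure the post abuses."""
    builtin = {"localsystem", "nt authority\\localservice", "nt authority\\networkservice"}
    out = []
    for svc in inventory:
        acct = svc["account"].lower()
        if acct in builtin or acct.startswith("nt service\\"):
            continue
        if "\\" in acct or "@" in acct:
            out.append((svc["name"], svc["account"]))
    return out
```

An ImagePath rewrite pointing outside the trusted directories, or any service logging on with a privileged domain account, is what the audit surfaces; the mitigation is to run such services under least-privilege accounts.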