Bugtraq mailing list archives

FW: NT Security: Domain user adding self to Domain Admin group.


From: gkalbfle () CTC CTC EDU (Gary Kalbfleisch)
Date: Mon, 3 May 1999 10:15:40 -0700


Does anyone have any additional information on this?  We couldn't get it to
work.

-----Original Message-----
To: 'Gary K'
Subject: NT Security: Domain user adding self to Domain Admin group.


Gary,

Regarding the BUGTRAQ advisory you forwarded to me on the subject of an
ordinary Domain user promoting self same to a Domain Admin, I was not able
to confirm that this exploit will work.  My research did turn up a security
breach using "reg.exe" from the NT Resource Kit, which I will document later
in this report.

For now I would like to document my methodology and have you possibly
forward it on to BUGTRAQ to see if anyone can enlighten us on where I went
wrong.

First I verified the various rights I thought would be involved. On the PDC
the group Everyone has "Access this computer from Network".  Rights to the
Registry Key in question (HKLM\SoftWare\Microsoft\Windows
nt\CurrentVersion\ProfileList) are as follows: Administrators Full, System
Full, and the problem child Everyone: Special Access = Query Value, Set
Value, Create Subkey, Enumerate Subkeys, Notify & Read Control.

Next I created a couple of batch files to test the results of using Reg.exe.
One batch file used Reg Query to extract the current information in the
ProfileList Subkey and another batch file used Reg Update to write changes
to the value in that Subkey.  To test that this would work I first ran
these batch files logged in with Admin Rights.  They both worked fine; I was
able to extract data from the Subkey and write the value I wanted to it.

The problem occurred when I logged in as an ordinary Domain user.  Using the
exact same batch files I was able to read the data in the ProfileList Subkey
and all its Subkeys but was not able to write the new values to that Key or
any Subkeys. When I would run the Reg Update batch file the error message
"access denied" was returned.

The security breach I mentioned in the first paragraph is that any Domain
user could use Reg Query to access information on anyone, including System
Admins, who has logged in locally on the PDC or possibly other domain
computers.


John


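A defender's check for the condition John describes above, added here and not part of the original post: audit the ACL on the ProfileList key and flag any Allow ACE that grants write rights (Set Value, Create Subkey, Delete or Write Key) to a principal other than SYSTEM, Administrators or CREATOR OWNER. The trusted-principal list and the function name are assumptions of this example.

```powershell
# Added example (not from the original post): audit the ProfileList key ACL
# for non-administrative principals that hold write rights, the condition
# reported above for the Everyone group on the PDC.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Rights that let a principal modify the key. SetValue and CreateSubKey are
# the two the post lists for Everyone; Delete and WriteKey are included so
# any other write path is reported too.
$WriteRights = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                     [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                     [System.Security.AccessControl.RegistryRights]::Delete -bor
                     [System.Security.AccessControl.RegistryRights]::WriteKey)

# Principals expected to hold write access (assumption); anything else is a finding.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-ProfileListWriteAces {
    param([string]$Path = $KeyPath)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant access; a Deny ACE is not a finding.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Keep only ACEs whose rights overlap the write mask.
        if (([int]$ace.RegistryRights -band $WriteRights) -eq 0) { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Key       = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = Get-ProfileListWriteAces
if ($findings) {
    Write-Warning 'Non-administrative principals can write to ProfileList:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'ProfileList ACL: no unexpected write access.'
}
```

Run it in an elevated session on the domain controller; the same function can be pointed at other keys by passing a different -Path.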
