Bugtraq mailing list archives
FW: NT Security: Domain user adding self to Domain Admin group.
From: gkalbfle () CTC CTC EDU (Gary Kalbfleisch)
Date: Mon, 3 May 1999 10:15:40 -0700
Does anyone have any additional information on this? We couldn't get it to work.

-----Original Message-----
To: 'Gary K'
Subject: NT Security: Domain user adding self to Domain Admin group.

Gary,

Regarding the BUGTRAQ advisory you forwarded to me on the subject of an ordinary Domain user promoting self same to a Domain Admin, I was not able to confirm that this exploit will work. My research did turn up a security breach using "reg.exe" from the NT Resource Kit, which I will document later in this report. For now I would like to document my methodology and have you possibly forward it on to BUGTRAQ to see if anyone can enlighten us on where I went wrong.

First I verified the various rights I thought would be involved. On the PDC the group Everyone has "Access this computer from Network". Rights to the Registry Key in question (HKLM\SoftWare\Microsoft\Windows nt\CurrentVersion\ProfileList) are as follows: Administrators Full, System Full, and the problem child Everyone; Special Access = Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify & Read Control.

Next I created a couple of batch files to test the results of using Reg.exe. One batch file using Reg Query to extract the current information in the ProfileList Subkey and another batch file with Reg Update to write changes to the value in that Subkey. To test that this would work I first ran these batch files logged in with Admin Rights. They both worked fine; I was able to extract data from the Subkey and write the value I wanted to it.

The problem occurred when I logged in as an ordinary Domain user. Using the exact same batch files I was able to read the data in the ProfileList Subkey and all its Subkeys but was not able to write the new values to that Key or any Subkeys. When I would run the Reg Update batch file the error message "access denied" was returned.

The security breach I mentioned in the first paragraph is that any Domain user could use Reg Query to access information on anyone, including System Admins, that have logged in locally on the PDC or possibly other domain computers.

John
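
A defender-side check of the key permissions described in the message above, as an added example that is not part of the original post: it reads the ACL on the ProfileList key of the local machine and reports any allow entry that gives a broad principal write-capable rights. The function name, the choice of which SIDs count as "broad" and which rights count as "write" are assumptions of this example.

```powershell
# Added example: audit the ProfileList key ACL for write-capable rights
# granted to broad principals. Run locally on the machine being checked.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Well-known SIDs treated as "broad" (assumption of this example).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a caller change the key or its security descriptor.
$writeRights = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear on
# inherit-only entries and also imply write access.
$genericWrite = 0x50000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Compare by SID so localized or renamed group names still match.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: skip
        if (-not $broadSids.ContainsKey($sid)) { continue }

        $mask = [int]$ace.RegistryRights
        if (($mask -band ($writeRights -bor $genericWrite)) -eq 0) { continue }

        [pscustomobject]@{
            Key         = $Path
            Principal   = $broadSids[$sid]
            WriteRights = [System.Security.AccessControl.RegistryRights]($mask -band $writeRights)
            Generic     = '0x{0:X8}' -f ($mask -band $genericWrite)
            Inherited   = $ace.IsInherited
        }
    }
}

Get-BroadWriteAce -Path $keyPath | Format-Table -AutoSize
```

No output means no broad principal holds write-capable rights on the key. An ACL like the one quoted in the message would be reported with SetValue and CreateSubKey for Everyone.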