Bugtraq mailing list archives
Re: Microsoft NT "un-removable user" Vulnerability.
From: David LeBlanc <dleblanc () MINDSPRING COM>
Date: Thu, 7 Sep 2000 11:15:34 -0700
After some more investigation, I wanted to follow up a little more -

At 11:56 AM 9/6/00 -0700, David LeBlanc wrote:
I would strongly suspect that this 'vulnerability' was found because the persons testing this did not properly quote things on the command line. I once had a need to determine which characters were legitimate in a user name and wrote an app which added a user whose name was 0x01 and iterated through all the ASCII character set. Since I didn't want 256 users with weird names on my box, I then used the above API call to delete them. It did remove them all. As it turns out, the only characters not allowed are null and '\' - null is obvious, and the '\' isn't allowed because a fully qualified user name is presented as domain\user, but the system won't let you create a user with a '\' character in the name.
I wrote another app to iterate through all the possible ASCII characters and tested it - sure enough, on an NT 4.0 system the only disallowed character is '\'. I again cleaned up the users as I was creating them using NetUserDel(), which proves that this API call is capable of removing users with characters such as ;, " and ).

I also ran the app on a Win2k system to find that many more characters are not allowed. My guess is that this is because under Win2k a fully-qualified user name can take 2 forms:

user@domain.company.com
or
DOMAIN\user

Restricting the character set to what would be allowed in an e-mail address makes sense.

It also turns out that there are indeed some characters the usual interfaces don't seem to like, but the following application nukes them easily. I have not confirmed whether or not Win2k will remove them. If someone would like to compile it up, post it on the web and send a URL, that would be nice. Also, the app could be extended to read the user names from a file, and that would get around some command-line issues, but I don't have time to write that part this morning.

BTW, if someone has hacked your system to the point of being able to add users with weird characters, you are !*SCREWED*! and have much more to worry about than removing the users. As always, the correct response to being hacked is to install fresh from known media, then transfer the data after carefully checking it for validity. The WRONG response is to remove the users, patch whatever hole you think they used, and go on with life while the attackers chortle over the fact you left the rootkit in place. If a sysadmin thinks it is a funny joke to do this, do really evil things to them in return (a monitor cable adapter which switches red and green is always fun), demote them to helpdesk or fire them.

That said, this little bit of code might help someone somewhere, and so...
================DeleteUser.cpp==============================
#define UNICODE
#include <windows.h>
#include <lm.h>
#include <stdio.h>

#pragma comment(lib, "netapi32.lib")

int wmain(int argc, WCHAR* argv[])
{
    DWORD ret;

    if(argc != 2)
    {
        wprintf(L"Usage is %s [username]\n", argv[0]);
        return -1;
    }

    // NULL server name = delete the account on the local machine
    ret = NetUserDel(NULL, argv[1]);

    if(ret == ERROR_SUCCESS)
    {
        wprintf(L"User %s deleted\n", argv[1]);
        return 0;
    }
    else
    {
        // ret is a DWORD, so print it as unsigned long
        wprintf(L"Could not delete user %s - err = %lu\n", argv[1], ret);
        return -1;
    }
}
==================end DeleteUser.cpp=========================

David LeBlanc
dleblanc () mindspring com
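Added example (not part of David LeBlanc's post and not his code): one way to write the file-reading extension the message suggests, so that account names never pass through command-line quoting. The input format (UTF-8 without a BOM, one name per line) and the helper names `read_user_names` and `delete_user` are assumptions made for this sketch; `NetUserDel` is called only when built on Windows.

```cpp
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
#endif

// Assumed format: one user name per line, UTF-8. Only the line terminator is
// stripped, so ; " ) spaces and control characters reach the API unchanged.
std::vector<std::string> read_user_names(std::istream& in) {
    std::vector<std::string> names;
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF files
        if (!line.empty()) names.push_back(line);                   // skip blank lines
    }
    return names;
}

// Returns the NetUserDel status (0 = success). On non-Windows builds nothing
// is deleted and -1 is returned.
long delete_user(const std::string& name) {
#ifdef _WIN32
    int n = MultiByteToWideChar(CP_UTF8, 0, name.c_str(), -1, NULL, 0);
    if (n <= 0) return -1;
    std::wstring wide(n, L'\0');
    MultiByteToWideChar(CP_UTF8, 0, name.c_str(), -1, &wide[0], n);
    return (long)NetUserDel(NULL, wide.c_str());  // NULL = local machine
#else
    (void)name;
    return -1;
#endif
}

int main(int argc, char* argv[]) {
    if (argc != 2) { std::cerr << "Usage: " << argv[0] << " [file]\n"; return 1; }
    std::ifstream file(argv[1], std::ios::binary);
    if (!file) { std::cerr << "Cannot open " << argv[1] << "\n"; return 1; }
    int failures = 0;
    for (const std::string& name : read_user_names(file)) {
        long err = delete_user(name);
        std::cout << (err == 0 ? "Deleted: " : "Failed: ") << name << " (err = " << err << ")\n";
        if (err != 0) ++failures;
    }
    return failures ? 1 : 0;
}
```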