Penetration Testing mailing list archives
[PEN-TEST] AUTORUN Vulnerability - Round 2
From: Nelson Brito <nelson () SECUNET COM BR>
Date: Thu, 15 Feb 2001 17:35:19 -0300
Well, like Ben told me, people are confused. OK, I'll try to make myself more clear.

1 - When I said ordinary users have *WRITE ACCESS* on C$ (C:\ == %SystemDrive%) and ADMIN$ (C:\WINNT == %SystemRoot%) by default, I meant ordinary (malicious) users have write access on their own C$ and ADMIN$, by default. The ordinary (maybe malicious) users can place both files (once again AUTORUN2.EXE and AUTORUN.INF, INF instead of INI) in those "ROOT DIRECTORIES" (SHARED). When a Domain Admin mounts the user's share, then he'll execute the "arbitrary code".

2 - Like I said: "If you already have write access at the Admin's Home Directory, you are an Admin, so the only thing you could do is: test the potential vulnerability." It was a BIG mistake to use HOME DIRECTORY as an example, excuse me, again.

3 - If you found a *WRITE SHARED* like \\MACHINE\Users or \\MACHINE\Application or \\MACHINE\Backup on the network, you can do the following commands I already posted:

    C:\> qtip -u <target> 1> users.txt
    C:\> FOR /F "tokens=1,*" %i IN (users.txt) DO net use \\TARGET\SHARE$ %i /u:%i

So, you can put the files there and wait for the Admin to mount those SHARES to do "things".

4 - There are a lot of scenarios that we could explain and exploit, but it's not my main goal, so you can get your own ideas. ;)

5 - I never saw this problem listed in "Windows NT's Checklists", did you?

PS: Thanks to Ben for letting me explain my own ideas.

PPS: If someone is still confused about this vulnerability, please read Eric Stevens' original post at: http://www.securityfocus.com/archive/1/47338

PPPS: The point was misunderstood. The code: I can do a lot of "things" to test, to penetrate, to escalate privileges, to send messages to you when the code was executed, etc... Focus... Ohhh... don't forget, change the "autorun.ini" to "autorun.inf".

Thanks in advance.

Sem mais, (in English "No More" :)))

-- 
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks to *Nelson Brito* ..."
Excerpt from the book "Hack Proofing your Network", page 93
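As an added example (not part of Nelson's post or the original thread), here is a defender-side Python check that looks at the root of each share for a planted autorun.inf and reports what its [autorun] section would launch; the sample share layout is constructed in a temporary directory, and the file names AUTORUN.INF and AUTORUN2.EXE are taken from the post.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Keys in the [autorun] section that make Explorer launch something on mount.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (key, target) pairs declared in an autorun.inf body, [] if unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":  # section name is case-insensitive on Windows
            continue
        for key in LAUNCH_KEYS:  # option names are lowercased by configparser
            if cp.has_option(section, key) and cp.get(section, key):
                targets.append((key, cp.get(section, key).strip()))
    return targets


def scan_share_roots(share_roots):
    """Check the root of each share for an autorun.inf and list its launch targets."""
    findings = []
    for root in share_roots:
        for entry in os.scandir(root):
            if entry.is_file() and entry.name.lower() == "autorun.inf":
                body = Path(entry.path).read_text(errors="ignore")
                for key, target in parse_autorun(body):
                    exe = target.split()[0] if target.split() else ""  # drop arguments
                    findings.append({"share": str(root), "key": key, "target": target,
                                     "target_exists": os.path.exists(os.path.join(root, exe))})
    return findings


def build_demo():
    """Constructed sample: one share root with the planted pair, one clean share."""
    base = Path(tempfile.mkdtemp())
    planted = base / "C$"
    planted.mkdir()
    (planted / "AUTORUN2.EXE").write_bytes(b"MZ")  # stand-in, not a real binary
    (planted / "AUTORUN.INF").write_text("[autorun]\nopen=AUTORUN2.EXE\nicon=AUTORUN2.EXE,0\n")
    (base / "Users").mkdir()
    return [str(planted), str(base / "Users")]


if __name__ == "__main__":
    for finding in scan_share_roots(build_demo()):
        print(finding)
```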