Vulnerability Development mailing list archives

WinNT system->domain admin


From: Illes Marci <illes () C3 HU>
Date: Tue, 21 Nov 2000 00:10:19 +0100

Hi All,

 I was playing with one of our company's WinNT boxes to figure out how to
gain domain admin access from system privileges. I finally managed to do
so, but I had some questions. I hope it's not absolutely off-topic, or it
is not an everybody-knows thing.

 I started with the well-known IIS bug. In our environment, which is more or
less a default install, IIS runs as SYSTEM. I managed to upload an
ncx99.exe, which helped my life. We use Exchange and webaccess to read our
mail remotely. (I know it is not secure running IIS and XCH on the same
box, and running IIS on a connected box which is a member of the
domain.) So, I could gain SYSTEM privs on the box, that is fine, but I was
interested in the other computers as well. (I could install a sniffer on
the box and catch some passwds, but I didn't like this way.) I took a
closer look at the XCH service; it ran as a Domain Admin user. Great! All
I had to do was make the XCH service start my ncx.exe. I checked the
registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\XCH] or
whatever it is called. It has a field called "ImagePath", which contains
the executable to run when the system starts. All I had to do was change
this value to the location of ncx.exe. As SYSTEM it didn't make any
problem. I stopped the service with "net stop", I rewrote the
registry, and restarted the service (net start). It complained of some
errors, but it also started my ncx99.exe, but stopped after a minute. It is
enough to connect to port 99, where I have a shell with Domain Admin
privs. Now I own the domain! I tried it with other services and it worked
fine.

 I was wondering if it works for anybody else. (WinNT4 SP6a, IIS4, no
hot-fixes)

 As you can see, having SYSTEM privs on a box running any service as Domain
Admin means you have Domain Admin privs. I guess there are several other
ways of doing this. I don't have any other systems to check it on; could anyone
confirm it? Is W2K also vulnerable?

Regards,

Marci

PS: I was just wondering if it is possible to dump a single mailbox from
XCH's huge database.
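An audit script for the exposure described in the post above (added here as an example; it is not part of the original message or any product). It lists every service whose logon account is a domain account rather than a built-in one, and shows that service's ImagePath together with the principals allowed to write it, so an administrator can see which hosts would hand out domain-privileged credentials to anyone who reaches SYSTEM. It assumes a Windows host with the CIM cmdlets available and uses the actual key path `HKLM\SYSTEM\CurrentControlSet\Services\<name>`; the function name and `$Domain` parameter are this example's own.

```powershell
function Get-DomainAccountService {
    [CmdletBinding()]
    param(
        # NetBIOS domain name to flag, e.g. 'CORP'; '*' flags every non-built-in account
        [string]$Domain = '*'
    )
    # Accounts that are local to the box and do not carry domain credentials
    $builtin = '^(LocalSystem|NT AUTHORITY\\.*|NT SERVICE\\.*)$'

    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.StartName -and
        $_.StartName -notmatch $builtin -and
        ($Domain -eq '*' -or $_.StartName -like "$Domain\*")
    } | ForEach-Object {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        $imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

        # Principals that may rewrite the value: any of them can point the service
        # at a different binary that then runs under the service's logon account.
        # SYSTEM and Administrators are always in this list, which is the point of
        # the post: the only real fix is not to run the service as a domain admin.
        $writers = (Get-Acl -Path $key -ErrorAction SilentlyContinue).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.RegistryRights -match 'SetValue|WriteKey|FullControl'
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Service           = $_.Name
            Account           = $_.StartName
            State             = $_.State
            ImagePath         = $imagePath
            CanWriteImagePath = ($writers -join ', ')
        }
    }
}

# Report every service on this host that runs under a domain account
Get-DomainAccountService | Format-Table -AutoSize -Wrap
```

Run it as an administrator on each server that also hosts an internet-facing service such as IIS; any row whose account is a member of Domain Admins is exactly the configuration the post describes.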
