Vulnerability Development mailing list archives

<vuln-dev> nt console compromise


From: auto114869 () hushmail com
Date: Wed, 16 May 2001 12:56:57 -0600 (CDT)

        Well, recently I was enlightened by a defacer of a vulnerability that exists 
in NT4 (WS/SRV), some NT5 (SRV/Pro), WinME? XP? all SPs. Though NT5 with 
proper ACLs could prevent a lot.

        It's already caused me some headaches and has just added to my hatred for 
M$ products. I've tested it on my 100+ open-user lab and found nothing but 
headaches. If you're in charge of, say, a school or a productive workplace with 
a lot of end-user security concerns, then this pertains to you. I am running NT4 
workstations on what's basically entirely a wintranet, other than a couple of *nix 
fileservers. All workstations are used by various users throughout the day 
with little to no supervision. So you might understand the dilemma when 
I read '5 easy steps' off their defacement at www.alldas.de of jokester.com. 

        Well, anyway, curiously enough I decided to test it out and found it worked. 
On everything. It was pathetic. The 5 steps were as follows.

From the Internet Explorer window, with it open and active (which is the 
only browser allowed on our stations with access restrictions, so if they 
type, say, 'http://www.blah.com' they just get a vio.):

1. Type Ctrl + F1.
*Up opens the Internet Explorer help window, characterized by the friendly 
tone that plays and the lil dancing squares.

2. Right-click on the drag bar of the Internet Explorer help menu.

3. Choose the 'Jump to URL...' command.
*Up pops a dialog box.

4. Enter any dir you would like to enter, example %systemroot%\winnt\system32\ 
to open up cmd.exe for a cmd prompt and explorer.exe for a simplistic 
dir traversal. Or a:\ to use toys.

5. Hit Enter and enjoy, because it's all GUI and simply says micros**t.

Unfortunately, with this I was able to bypass many restrictions, allowing 
everything necessary to attack other machines internally easily. Webpages 
which are supposedly restricted are viewable, also allowing the attack of 
intranet webservers (eg: win.tra.net/s.ida) etc. 

Well, that's about it. I was just lookin' to know more about it. It's already 
affected me once today, though an 'obzerve' of fux0r inc. thinks it quite 
humorous. Except I suppose it kind of is, lol. Durnit windose... Anyway, any 
info appreciated.

gary
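As an added defender's check (not from the original post or anyone in the thread): the poster notes that proper ACLs on NT5 would prevent a lot. This PowerShell snippet, written for a current Windows host rather than NT4, reports which broad built-in groups hold execute rights on the two binaries the steps above reach, cmd.exe and explorer.exe, so an administrator can verify whether a restricted interactive user could launch them. The paths and group names are assumptions about a default install.

```powershell
# Added example, not from the original post. Audits NTFS ACLs on the binaries the
# help window's "Jump to URL" dialog can reach, and reports Allow rules that give
# broad groups the ExecuteFile right. Assumes default %SystemRoot% layout and the
# built-in English group names.
$targets = @(
    (Join-Path $env:SystemRoot 'System32\cmd.exe'),
    (Join-Path $env:SystemRoot 'explorer.exe')
)
$broadGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-BroadExecuteRules {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        # Only Allow rules for the broad groups matter here; Deny rules and
        # administrator-only rules do not widen access.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $execute) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = foreach ($t in $targets) { Get-BroadExecuteRules -Path $t }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No broad-group execute rights found on the audited binaries.'
}
```

On a default install both binaries are executable by BUILTIN\Users, so output is expected; the point is to confirm what a locked-down workstation actually grants after restrictions are applied.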
