Comments on NT user list exploit

webroot (webroot@WEBROOT.COM)
Mon, 05 May 1997 14:19:25 -0400

A colleague of mine recently asked Microsoft if they would be releasing
a fix for this problem. They responded by stating that this is not a
bug and is a "non-issue" in their eyes. I would greatly appreciate
comments on whether the security community believes this is a
"non-issue" also. IMHO, I feel this is a major threat to NT networks.
Granted the exploit cannot be performed over the Internet (this may be
possible and is being investigated), but I don't enjoy the idea of
anyone on my Intranet being able to get an entire user list including
descriptions and group memberships without permission. (Being able to
see a user's group memberships is yet another example that renaming the
admin account is useless.) I'm sure that most of you are aware that
recent studies show 85% of break-ins happen internally. Having a valid
user name is a solution to half the problem of compromising an account,
being able to view group memberships allows for the selection of
powerful accounts to target, and being able to view user descriptions can
help with the guessing of passwords.

Note: This exploit can be accomplished by ANYONE that installs NT server
onto their computer. To perform my tests I used a barebones laptop,
installed NT server on it and found a network line at an open office in
my building to jack into; from there I was able to obtain user listings
from all other NT servers on the LAN without having to authenticate
myself to them!

For those of you that didn't see my first post on how this exploit works
here it is again:

1. Connect an NT server to the same network as the target NT
server.

2. From the USER MANAGER, create a trust relationship with the
target. When prompted for a password, enter whatever you want; it
doesn't matter. You will get a response stating that NT couldn't verify
the trust (this is because of the invalid password). However, the
target will now be on your trusting list.

3. Launch NT Explorer and right click on any folder.

4. Select SHARING.

5. From the SHARED window, select ADD.

6. From the ADD menu, select your target NT server.

7. You will now see the entire group listing of the target. And if
you select SHOW USERS, you will see the entire user listing, including
full names and descriptions.
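The post proposes no mitigation, so here is the check an administrator would want on the defending side. It is an added example, not code from the original message or from Innovative Protection Solutions: a PowerShell audit of the LSA registry values Microsoft later introduced (RestrictAnonymous in a later NT 4.0 service pack, RestrictAnonymousSAM and EveryoneIncludesAnonymous in Windows 2000 and later) to stop anonymous callers from pulling the user and group lists described above. It assumes it runs in an elevated session on the host being audited, and treats a missing value as the default, unrestricted setting.

```powershell
# Added audit example (not from the original post): reports whether the local
# machine still permits anonymous enumeration of users and groups, the exposure
# the steps above rely on. Run from an elevated PowerShell session.
# Assumption: the value names below are the documented RestrictAnonymous,
# RestrictAnonymousSAM and EveryoneIncludesAnonymous controls under the LSA key;
# a value that is absent is treated as the default (unrestricted) setting.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue {
    # Return the named DWORD from the LSA key, or $null if it is not set.
    param([string]$Name)
    $item = Get-ItemProperty -Path $lsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$restrictAnonymous    = Get-LsaValue 'RestrictAnonymous'
$restrictAnonymousSam = Get-LsaValue 'RestrictAnonymousSAM'
$everyoneIncludesAnon = Get-LsaValue 'EveryoneIncludesAnonymous'

$findings = @()

# RestrictAnonymous: 0 = no restriction (the NT 4.0 default), 1 = no
# enumeration of SAM accounts and shares, 2 = no access at all without
# explicit anonymous permissions.
if ($null -eq $restrictAnonymous -or $restrictAnonymous -eq 0) {
    $findings += 'RestrictAnonymous is unset or 0: anonymous callers may enumerate users and groups.'
}

# RestrictAnonymousSAM (Windows 2000 and later): 1 blocks SAM account enumeration.
if ($null -ne $restrictAnonymousSam -and $restrictAnonymousSam -eq 0) {
    $findings += 'RestrictAnonymousSAM is 0: anonymous SAM account enumeration is allowed.'
}

# EveryoneIncludesAnonymous: 1 gives anonymous logons the rights of the Everyone group.
if ($everyoneIncludesAnon -eq 1) {
    $findings += 'EveryoneIncludesAnonymous is 1: anonymous sessions inherit Everyone permissions.'
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): anonymous enumeration controls are in place."
} else {
    Write-Output "$($env:COMPUTERNAME): anonymous enumeration exposure found:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it on each domain controller and member server; a host that reports RestrictAnonymous unset or 0 will hand its user and group lists to any machine that can reach it on the LAN, which is exactly what the laptop test above demonstrated. Raising RestrictAnonymous to 1 is the usual first step, with 2 reserved for hosts where no legitimate anonymous access (older browser services, some trust and replication scenarios) is needed.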

Comments are appreciated, maybe this should be considered a "non-issue"
and we should all just forget about it :).

Steve Thomas
Vice President of Operations
Innovative Protection Solutions
http://www.ips-corp.com/