From: Nemo [mnemonix@globalnet.co.uk]
Sent: Thursday, June 11, 1998 11:11 PM
To: ntsecurity@iss.net
Subject: [NTSEC] New Exploit - Get Admin Rights

Dear All,

I have recently found a really easy way to get Admin rights on an NT box... so easy I'm surprised it wasn't discovered earlier. Here we go:

A plain old user has write access to the winnt\system32 directory.
He renames logon.scr to logon.old.
He then renames usrmgr.exe (or musrmgr.exe on Workstations) to logon.scr.
He then shuts down the computer using the "close all programs and log on as different user" option.
He then waits...
The system will start logon.scr if left long enough. User Manager will load...
The user then selects his domain. (You have to type the domain name in.)
He then adds himself to the Administrators group.
He then exits and logs back on.

Some of you may be thinking that as soon as you move the mouse the "screen saver" should disappear, but because you can only get rid of logon.scr with a ctrl+alt+del, you can then use the mouse to your heart's content.

To solve this: ensure that a plain old user only has "read" rights to the winnt\system32 directory. Also make sure that the registry has the correct permissions assigned so the user can specify a different location etc. for logon.scr.

l8r
Mnemonix
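An added audit script for the two mitigations the post names; it is not part of the original message. It assumes a Windows host with PowerShell 5 or later run from an elevated prompt, treats the listed well-known groups as "a plain old user", and checks the logon desktop's screen saver setting under HKEY_USERS\.DEFAULT\Control Panel\Desktop (value SCRNSAVE.EXE), which is where the logon desktop reads the path of logon.scr from.

```powershell
# Added audit script (not from the original post). Reports whether ordinary
# users can write to %SystemRoot%\System32 (the directory holding logon.scr)
# and whether they can change the logon desktop's screen saver registry value.
# Assumptions: Windows, PowerShell 5+, run elevated so both ACLs are readable.

# Assumption: these well-known groups stand for "a plain old user".
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that would let a user create, rename or replace files in the directory.
$FsWrite = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Rights that would let a user repoint SCRNSAVE.EXE to another file.
$RegWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Returns the Allow ACEs on $Path that grant a low-privilege principal any bit of $Mask.
function Get-LowPrivWriteAces {
    param([string]$Path, $Mask, [string]$RightsProperty)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (($_.$RightsProperty -band $Mask) -ne 0)
    }
}

function Test-LogonScrMitigations {
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $deskKey = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'

    $dirFindings = Get-LowPrivWriteAces -Path $sys32   -Mask $FsWrite  -RightsProperty 'FileSystemRights'
    $regFindings = Get-LowPrivWriteAces -Path $deskKey -Mask $RegWrite -RightsProperty 'RegistryRights'
    $scrValue    = (Get-ItemProperty -Path $deskKey -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'

    [pscustomobject]@{
        System32Path      = $sys32
        System32Writable  = [bool]$dirFindings   # $true: the post's first precondition holds
        System32WriteAces = @($dirFindings | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
        LogonScreenSaver  = $scrValue            # what the logon desktop will launch when idle
        ScrKeyWritable    = [bool]$regFindings   # $true: users could point it at another file
        ScrKeyWriteAces   = @($regFindings | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
    }
}

Test-LogonScrMitigations | Format-List
```

Any principal listed under System32WriteAces or ScrKeyWriteAces should lose those rights; a hardened host shows both Writable fields as False.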