Security issue??

Brad Pears

I was recently advised of an issue where a user with a local "restricted"
account on an XP Pro machine, somehow managed to grant himself
administrative rights...

Now, unless he knew the local admin password, or the password of one of the
other admins for the machine, is there any easy way that a 14 year old kid
could have done this??? (other than hacking the password etc...)

Thanks,

Brad
Malke

Brad said:
I was recently advised of an issue where a user with a local
"restricted" account on an XP Pro machine, somehow managed to grant
himself administrative rights...

Now, unless he knew the local admin password, or the password of one
of the other admins for the machine, is there any easy way that a 14
year old kid could have done this??? (other than hacking the password
etc...)

"Hacking the password" as you put it is completely brain-dead easy for
someone with physical access to the machine. Any smart tech-savvy
14-year old could do it. I suggest you have a talk with the kid.

Malke
Sparda

I was recently advised of an issue where a user with a local "restricted"
account on an XP Pro machine, somehow managed to grant himself
administrative rights...

Now, unless he knew the local admin password, or the password of one of the
other admins for the machine, is there any easy way that a 14 year old kid
could have done this??? (other than hacking the password etc...)

Thanks,

Bra

Well, he could have used a clever service (that runs as system which
has complete control) to run cmd, which would give him complete
access to everything and could run the user management thing and then
give himself admin rights, not exactly hard.
Sparda

Well, he could have used a clever service (that runs as system
which has complete control) to run cmd, which would give him
complete access to everything and could run the user
management thing and then give himself admin rights, not
exactly hard

You ask how he could run a program via a service? Well, he could have
found a service exe that he can change stuff on, and replace the exe. If
this is not the case, it can be a bit more tricky; he would have had
to find a way to run a program as system without going through a
service.
Brad Pears

Could you give me an actual example of how this could have been done, using
an actual running service?? I'm just not sure how he could have run
"command" from within the service in order to run the management console to
give himself admin rights...

My guess is he must have hacked the password but you never know...

Sparda said:
Well, he could have used a clever service (that runs as system
which has complete control) to run cmd, which would give him
complete access to everything and could run the user
management thing and then give himself admin rights, not
exactly hard.

You ask how he could run a program via a service? Well, he could have
found a service exe that he can change stuff on, and replace the exe. If
this is not the case, it can be a bit more tricky; he would have had
to find a way to run a program as system without going through a
service.
Malke

Brad said:
Could you give me an actual example of how this could have been done,
using an actual running service?? I'm just not sure how he could have
run "command" from within the service in order to run the management
console to give himself admin rights...

My guess is he must have hacked the password but you never know...

Why bother to mess around with services or anything that elaborate?
Simply boot with NTpasswd and change the Administrator password to a
blank. Then log in and do whatever you want. Takes less than 5 minutes.

Malke
CReWdog

Sparda said:
You ask how he could run a program via a service? Well, he could have
found a service exe that he can change stuff on, and replace the exe. If
this is not the case, it can be a bit more tricky; he would have had
to find a way to run a program as system without going through a
service.


Hi.
Dead easy, all he has to do is obtain a copy of the "system" & "sam"
files in the winnt/system32/config folder using a win98 boot disc & a
programme to copy the 2 files. He can then either extract the password
hashes & brute force them to get the password (takes a LONG time if a
strong password is used) or (much quicker) post the hashes onto a
certain site that has already decoded ALL possible hash combinations
(they use something called rainbow tables) then they compare your
hashes with the ones contained in the tables & tell you what the
corresponding password is).
OR... he could have logged into the admin account in safe mode.... you
DID put a password on it, didn't you??? (This account has no password
unless you set one.)

Regards

CReWdog.
Sparda

know...

Why bother to mess around with services or anything that elaborate?
Simply boot with NTpasswd and change the Administrator password to a
blank. Then log in and do whatever you want. Takes less than 5 minutes.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Well, the example that stuck in my mind was that at my high school,
Norton antivirus couldn't update because it couldn't write to the hard
drive, so the school admins in all their wisdom allowed everyone to
write to that folder, including the Norton system monitor. So, as you
do, I wrote a wee VB program whose sole purpose was to run cmd... as
system, so replacing the system monitor with my VB program... you see
where I'm going with this.
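The condition Sparda describes in both of his posts (a service running as SYSTEM whose executable, or the folder it sits in, is writable by ordinary users, as with the Norton system monitor above) is something an administrator can audit for. The following PowerShell script is an added example, not code from this thread; it assumes an elevated prompt on an English-language Windows install (the group names in $lowPrivGroups are the English well-known names) and lists services whose binary or containing folder grants write-type rights to a low-privilege group.

```powershell
# Added example (not from the thread): list services whose executable, or the
# folder holding it, can be modified by a low-privilege group. Such a service,
# especially one running as LocalSystem, is the weak spot Sparda describes.
# Assumes an elevated prompt on an English Windows install (group names below
# are the English well-known names; adjust for localized systems).

$lowPrivGroups = @('Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the holder replace or tamper with the file.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, Modify, FullControl'

function Get-ServiceImagePath([string]$pathName) {
    # PathName may be quoted and may carry arguments, e.g. "C:\x\y.exe" -svc
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($pathName -split ' ')[0]
}

function Get-LowPrivWriter([string]$path) {
    # Returns the first low-privilege identity holding write-type rights, else $null.
    try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

Get-WmiObject Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $exe = Get-ServiceImagePath $_.PathName
    # Check the binary itself first, then the folder (a writable folder allows
    # the binary to be deleted and replaced even if the file ACL is tight).
    $writer = Get-LowPrivWriter $exe
    if (-not $writer) { $writer = Get-LowPrivWriter (Split-Path -Parent $exe) }
    if ($writer) {
        New-Object PSObject -Property @{
            Service    = $_.Name
            RunsAs     = $_.StartName
            Binary     = $exe
            WritableBy = $writer
        }
    }
} | Format-Table Service, RunsAs, Binary, WritableBy -AutoSize
```

Any row returned is a service whose binary a standard user could swap out; tighten the folder and file ACLs so only Administrators and SYSTEM can write there.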
Brad Pears

Never heard of booting with NTpasswd - is that some sort of utility?? I
know you can boot to the recovery console etc.. but you need the admin password
for that...

Please elaborate!

Thanks,

Brad
Brad Pears

Yes, I did put a password on the admin account. I have heard of what you
mentioned there regarding sending your files to a website and they'll tell
you what the password is... I tried that once before for a machine I could
not figure out the admin password on, had to run a utility that copied the
two files to floppy (likely the ones you mentioned), then posted those two
files to the website and about a day later, I had the password. It worked
quite well actually!!!

Thanks for the input...