Gordon Fecyk
I was testing a new software kit for a client of mine. The clients run
their software as restricted users on Windows 2000 Pro, where the servers
are NT4 in an NT4 domain.

Normally, Domain Users run as "users" (called "limited users" on XP and
"restricted users" on Win2K). On a whim I tried installing one of Gator's
little toys, Dashbar, as a limited user.

The web-based installation failed as I expected, but they had a lovely
"workaround" for that: Just download the .exe installer and run that.

Strangely enough, this thing not only managed to install itself, create a
directory in Program Files, and write a file into C:\WINNT\Temp (which is
normally read-only to restricted users) but managed to write to Registry
keys that were clearly marked as Read-Only for restricted users.

I'm guessing that the installer's using some kind of exploit, such as
brute-forcing the administrator password (which is not blank and not easily
guessable), or somehow running as the SYSTEM user. I'm going to try this
again in a more controlled environment and turn auditing on to determine
what user account the thing's writing to these keys with.

Someone happen to know how a limited user can write to read-only portions of
an NTFS file system and the Registry in order to install stuff?