Analysis of the Security of Windows NT
1 March 1999
57
domain needs some way of knowing which users or groups are to be given rights in the
trusting domain. But since the trusted domain does not trust the trusting domain
(remember that trust is one-way), it needs a way of getting access to this information.
In this case the trusting domain will open an anonymous channel to the trusted domain
to obtain this information. The problem is that the anonymous user will have the rights
of the Everyone group, and that group has far too many privileges. It is also not possible
to just block the Everyone group without creating a new group with almost the same
privileges and then replacing every occurrence of Everyone with that group. If the group
is just blocked, the system will not function properly.
Microsoft has released a hotfix and instructions on how to handle this situation, but the
remedy still depends on a lot of configuration. See Microsoft's knowledge base article
Q143474 for more information.
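The point of the two paragraphs above is that the anonymous (null-session) user is a member of Everyone and nothing else, so every ACL entry that grants Everyone a right also grants it to an unauthenticated caller, and the only clean fix is to swap a narrower group in for Everyone wherever it appears. The following added example, which is not part of the original report and not Microsoft's code, models that access check in Python with constructed tokens and ACLs. It assumes an allow-only DACL model (deny entries and ACE ordering are left out) and uses the Authenticated Users group as the replacement, the group that was introduced for exactly this substitution; the resource names and rights are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

EVERYONE = "Everyone"
# Group introduced by Microsoft as the narrower replacement for Everyone.
AUTHENTICATED_USERS = "Authenticated Users"


@dataclass(frozen=True)
class Token:
    """Access token: the account name plus the groups it belongs to."""
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Ace:
    """One allow entry of a DACL: a trustee and the rights granted to it."""
    trustee: str
    rights: FrozenSet[str]


# Constructed tokens. The null-session token is the point of the example: it carries
# Everyone only, so it gets whatever Everyone gets, but never Authenticated Users.
ANONYMOUS = Token("ANONYMOUS LOGON", frozenset({EVERYONE}))
ALICE = Token("alice", frozenset({EVERYONE, AUTHENTICATED_USERS, "Domain Users"}))

# Constructed resources with DACLs of the kind a fresh NT installation grants.
SAMPLE_ACLS: Dict[str, List[Ace]] = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion": [
        Ace(EVERYONE, frozenset({"read"})),
        Ace("Administrators", frozenset({"read", "write"})),
    ],
    r"\\server\share$": [
        Ace(EVERYONE, frozenset({"read"})),
        Ace("Domain Users", frozenset({"read", "write"})),
    ],
    r"C:\WINNT\repair": [
        Ace("Administrators", frozenset({"read", "write"})),
    ],
}


def access_check(token: Token, acl: Iterable[Ace], requested: Iterable[str]) -> bool:
    """Allow-only model of the NT access check: every requested right must be granted
    to the user itself or to one of the groups in its token."""
    granted = set()
    for ace in acl:
        if ace.trustee == token.user or ace.trustee in token.groups:
            granted |= ace.rights
    return set(requested) <= granted


def resources_open_to_anonymous(acls: Dict[str, List[Ace]], right: str = "read") -> List[str]:
    """Audit step: list every resource the null session can reach with the given right."""
    return sorted(name for name, acl in acls.items() if access_check(ANONYMOUS, acl, {right}))


def replace_everyone(acls: Dict[str, List[Ace]],
                     replacement: str = AUTHENTICATED_USERS) -> Dict[str, List[Ace]]:
    """The substitution the text describes: keep the same rights on every entry, but grant
    them to the narrower group instead of Everyone."""
    return {
        name: [Ace(replacement if a.trustee == EVERYONE else a.trustee, a.rights) for a in acl]
        for name, acl in acls.items()
    }


if __name__ == "__main__":
    print("open to null session before:", resources_open_to_anonymous(SAMPLE_ACLS))
    hardened = replace_everyone(SAMPLE_ACLS)
    print("open to null session after: ", resources_open_to_anonymous(hardened))
    print("alice still reads the share:",
          access_check(ALICE, hardened[r"\\server\share$"], {"read"}))
```

Running the script lists the registry key and the hidden share as readable by the null session before the substitution and nothing afterwards, while a real account keeps the rights it had. Blanking the Everyone entries instead of replacing them would leave the share with no read grant for ordinary users at all, which is the "system will not function properly" failure the text warns about.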
Red Button is a program written by NTsecurity.com (Midwestern Commerce, Inc.) that
demonstrates this weakness. According to them the program does the following:
- logs on remotely to a target computer without presenting any username and password;
- shows that unauthorized access to sensitive information stored in the file system and
  registry available to the EVERYONE group can be obtained;
- determines the current name of the built-in Administrator account (thus demonstrating
  that it is useless to rename it);
- reads several registry entries (i.e. it displays the name of the Registered Owner);
- lists all shares (including the hidden ones);
- shows that the identifier Everyone includes not only legitimate users of the network but
  everyone.
Some of this information can also be obtained without using the program if one has
access to an NT server, e.g. at home. The idea here is to try to establish a trust relation
with the attacked server as the trusted domain and the attacking server as the trusting
domain. This trust relation will probably fail, since the trusting server does not possess
the right password, but the server will register the attacked server as one of its trusted
domains and will, over the anonymous channel, get information such as account and user
names from the attacked server.
Intent. We will use the RedButton program on our target machine and see if it indeed
gives us the information claimed above.
Result. We executed the RedButton program. It worked nearly as stated above. However,
it did not give us some of the promised Registry information.
7.7 Integrity Attacks
7.7.1 ERD Commander
Description. The possibility of booting a machine from a floppy and then mounting the
NTFS filesystem affects not only the confidentiality of the system. If it is possible to
write to the mounted filesystem, as well as read from it, then the integrity of the system