nt4+sp4.wts.4.0.txt

1999-08-17T00:00:00
ID PACKETSTORM:11820
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Wed, 9 Jun 1999 01:07:04 +0200  
From: mRm3n4c3 <mistr@marmelade.net>  
To: BUGTRAQ@netspace.org  
Subject: Bug in WTS 4.0 on WinNT 4.0 sp4  
  
I have recently encountered what i believe to be a bug in NT security when using  
Windows Terminal Server 4.0 on NT 4.00.1381 (Service Pack 4).  
  
The problem occured in an environment with 2 WTS servers using Metaframe and running a Loadbalancing  
service, two file/ print servers also running Oracle databases and one name server set  
to be PDC.  
  
The users homedirectories containing WTS/ NT profiles are located on the PDC.  
  
If you log on to the WTS and type the wrong password more than three times, the your  
account gets locked out. BUT, if you choose to continu trying anyway, and after some  
time manage to type in the correct password, the WTS will let you log on as an  
'anonymous user' account, using either a locally stored profile or a default profile.  
  
This beacause the PDC denies access to the homedir. The funny thing is, you have  
no access to the PDC, which only replies with 'your account is locked out', but the WTS  
ignores this and lets you browse the network, map up locally shared drives/ catalogues,  
run command.com / cmd.exe or regedit/ regedt32. I have not found out what kind of  
access th user hasat this point, but more than he/ she should anyways...  
  
Now, the user in this example was set up like this in usermgr:  
  
Homedir path \\nt40pdc\usernameshare$  
No terminal homedir  
Allow logon, no timeouts.  
  
This means two severe problems:  
If the users profile is unavailable for some reason, the user is logged on anyway.  
The 'account locked out' function does not work on WTS  
  
Well, this should be something to work on,  
happy hunting!  
  
(][mistr][)  
(][there is no spoon][)  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 10 Jun 1999 16:58:39 +0200  
From: mRm3n4c3 <mistr@marmelade.net>  
To: BUGTRAQ@netspace.org  
Subject: Re: Bug in WTS 4.0 on WinNT 4.0 sp4  
  
I'm sorry to see I have neglected to inform you of this.  
There is another NT file/ print server running also exchange 5.0...  
It is this server that is set to be BDC.  
Again, sorry for not telling you all this right away.  
  
(][mistr][)  
(][there is no spoon][)  
  
*********** REPLY SEPARATOR ***********  
  
On 10.06.99 at 16:13 Aaron Power wrote:  
>  
>Are your WTS machines configured as BDC's or member servers?  
>  
>Aaron Power.  
  
  
.·°\|/°`'´°·.:[(mistr@marmelade.net)]:.·°`'´°\|/°·.  
  
-------------------------------------------------------------------------------  
  
Date: Thu, 10 Jun 1999 16:13:32 +1000  
From: Aaron Power <AaronP@MINCOM.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Bug in WTS 4.0 on WinNT 4.0 sp4  
  
I tried this on our test site consisting of a single WTS running Metaframe  
(no load balancing obviously) and a single BDC and could NOT replicate the  
fault as described.  
  
Are your WTS machines configured as BDC's or member servers?  
  
Aaron Power.  
  
-------------------------------------------------------------------------------  
  
Date: Fri, 11 Jun 1999 12:57:48 -0700  
From: Bill Stout <Bill.Stout@ARISTASOFT.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Bug in WTS 4.0 on WinNT 4.0 sp4  
  
-----Original Message-----  
>From: mRm3n4c3 [mailto:mistr@MARMELADE.NET]  
<snip>  
>If you log on to the WTS and type the wrong password more than three times, the your  
account gets locked out. BUT, if you choose to continu trying anyway, and after some  
time manage to type in the correct password, the WTS will let you log on as an  
'anonymous user' account, using either a locally stored profile or a default  
profile.  
</snip>  
  
It appears to be working like it should. The 'Anonymous User' accounts are  
local guest accounts on the Citrix server.  
  
If you logon using only username/password, the correct behaviour is for NT  
to scan the local users for the username, then the domain. A failed logon  
using username/password only would traditionally use the 'guest' account.  
  
Extract from http://support.microsoft.com/support/kb/articles/q103/3/90.asp:  
"If the Domain specified in the SMB is NULL [None specified] then  
  
The Advanced Server will treat this a local network logon. It  
will check for a matching account in its own SAM Database.  
If it finds a matching account then  
The SMB password is compared to the SAM Database password.  
If the password matches then  
The Command Completed Successfully.  
If the password does NOT match then  
The User is prompted for a password.  
It is retested as above.  
System error 1326 has occurred. Logon failure: unknown  
user name or bad password.  
End  
If it does NOT find the account in the local SAM Database then  
The Advanced Server will Simultaneously ask another Advanced  
Server in each Domain that it Trusts if it has account that  
matches the SMB account.  
<snip>  
If no Trusted Domains respond to request to identify the  
account then  
Guest permissions are tested on the Original Advanced Server -  
not the Trusted server.  
If the Guest account is Enabled  
The Command Completed Successfully.  
If the Guest account is Disabled  
System error 1326 has occurred. Logon failure:  
unknown user name or bad password.  
End  
"  
  
Bill Stout  
  
`