zen25-hole.txt

17 Aug 1999 00:00:00, reported by Packet Storm
Type: packetstorm
Source: packetstormsecurity.com
31 views

Security hole in Zen 2.5 client allows unauthorized access on NT 4.0 workstations.
Date: Wed, 29 Jul 1998 18:02:07 +1100
From: Dave Cottle <[email protected]>
Subject: ALERT: security hole in zen 2.5 client for NT 4.0

This was passed to Novell last week.

Here are the details:

Situation:
NT 4.0 Workstation
Service Pack 3
ZEN Client 2.5 installed
connecting to a NW 4.11 server

Security Hole:
Using the WINHLP32.EXE function for providing help in the
authentication boxes allows access to resources without
authentication through the help program's file menu.

Vulnerability:
The security issue is only relevant on WinNT workstations, and only
the latest version of the NetWare client (4.30.4.10) is vulnerable. I
believe that the security hole would allow access on NT 3.5x with a
slightly more convoluted approach also (see the HELP FILE link exploit
below).

Reproducibility:
always

Method:
At the logon screen, or the locked workstation screen:

Press ctl-alt-del to open up the authentication box.
Use either the ? in the top right-hand corner or press F1 to reveal
the help program.

Choose the file->open option to reveal the explorer common dialog box.

Either open a help file that contains a link to cmd.exe (e.g. the WinNT
resource kit help files) or right-click on a folder and select "open"
to bring up a separate explorer window.

Close down the help function.

You will now have either a command prompt or an explorer window
without having to enter a usercode or password. If the workstation is
locked, you now have access to the current user's desktop, and should
also be active as the SYSTEM account. If there was no logged-on user,
you now have interactive access as the SYSTEM account.

Effect:
NT client security can be bypassed, without requiring a usercode or
password.

This allows access to the current user if the workstation was locked,
or the SYSTEM account if no user is logged on.

Cheers, Dave
-----------------------------------------------------------------
A straight line may be the shortest distance between two points,
but it is by no means the most interesting.
-- Dr. Who
-----------------------------------------------------------------
Dave Cottle, Consultant
Computer Services, Room 205, University of Canterbury
[email protected] Tel. 366 7001 ext. 8319

Vulners AI Score: 7.4 (High risk)