zen25-hole.txt

1999-08-17T00:00:00
ID PACKETSTORM:15361
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
Date: Wed, 29 Jul 1998 18:02:07 +1100  
From: Dave Cottle <d.cottle@cantva.canterbury.ac.nz>  
Subject: ALERT: security hole in zen 2.5 client for NT 4.0  
  
This was passed to Novell last week.  
  
here are the details:  
  
Situation:  
NT 4.0 Workstation  
Service Pack 3  
ZEN Client 2.5 installed  
connecting to a NW 4.11 server  
  
Security Hole:  
using the WINHLP32.EXE function for providing help in the  
authentication boxes allows access to resources without  
authentication through the help program's file menu.  
  
Vulnerability:  
the security issue is only relevant on WinNT workstations, and only  
the latest version of the NetWare client (4.30.4.10) is vulnerable. I  
believe that the security hole would allow access on NT 3.5x with a  
slightly more convoluted approach also (see the HELP FILE link exploit  
below).  
  
Reproducibility:  
always  
  
Method:  
at the logon screen, or the locked workstation screen:  
  
press ctl-alt-del to open up the authentication box  
use either the ? in the top right-hand corner or press F1 to reveal  
the help program.  
  
Choose the file->open option to reveal the explorer common dialog box.  
  
Either open a help file that contains a link to cmd.exe (eg the WinNT  
resource kit help files) or right-click on a folder and select "open"  
to bring up a separate explorer window.  
  
Close down the help function.  
  
You will now have either a command prompt or an explorer window  
without having to enter a usercode or password. If the workstation is  
locked, you now have access to the current user's desktop, and should  
also be active as the SYSTEM account. If there was no logged-on user,  
you now have interactive access as the SYSTEM account.  
  
Effect:  
NT client security can be bypassed, without requiring a usercode or  
password.  
  
This allows access to the current user if the workstation was locked,  
or the SYSTEM account if no user is logged on.  
  
Cheers, Dave  
-----------------------------------------------------------------  
A straight line may be the shortest distance between two points,  
but it is by no means the most interesting.  
-- Dr. Who  
-----------------------------------------------------------------  
Dave Cottle Consultant  
Computer Services, Room 205 University of Canterbury  
d.cottle@csc.canterbury.ac.nz Tel. 366 7001 ext. 8319  
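The report above describes two shapes of the same abuse: a shell launched directly from a help-file link (WINHLP32.EXE -> CMD.EXE) and a shell reached through an Explorer window opened from the help viewer's File->Open dialog (WINHLP32.EXE -> EXPLORER.EXE -> CMD.EXE), both running in the logon desktop's SYSTEM context. The following detection sketch is an added example, not part of the original Packet Storm post or Novell's software. It walks process ancestry in a constructed, pipe-delimited process-creation log (NT 4.0 has no such built-in event; the field layout, process names and sample rows are assumptions for illustration) and flags any shell or Explorer instance that descends from a help viewer, rating it high when it runs as SYSTEM or under WINLOGON.EXE and low otherwise.

```python
"""Flag shells spawned from the Windows help viewer, the pattern in the
zen 2.5 / WINHLP32.EXE report.

Added example, not code from the original post. The log format is
constructed for illustration: "timestamp|pid|ppid|image|user|session".
Real process-creation telemetry will differ; adapt parse_events().
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. First block: the logon-screen abuse chain
# (WINLOGON -> WINHLP32 -> EXPLORER -> CMD, all as SYSTEM). Second
# block: a normal user opening things from help in their own session.
SAMPLE_EVENTS = """\
1998-07-29T17:55:02|312|208|WINLOGON.EXE|NT AUTHORITY\\SYSTEM|0
1998-07-29T17:55:40|420|312|WINHLP32.EXE|NT AUTHORITY\\SYSTEM|0
1998-07-29T17:56:10|448|420|EXPLORER.EXE|NT AUTHORITY\\SYSTEM|0
1998-07-29T17:56:31|460|448|CMD.EXE|NT AUTHORITY\\SYSTEM|0
1998-07-29T18:01:00|500|372|WINHLP32.EXE|CANTVA\\dcottle|1
1998-07-29T18:01:20|512|500|NOTEPAD.EXE|CANTVA\\dcottle|1
1998-07-29T18:02:00|520|500|CMD.EXE|CANTVA\\dcottle|1
"""

HELP_VIEWERS = {"WINHLP32.EXE", "WINHELP.EXE"}
SHELLS = {"CMD.EXE", "COMMAND.COM", "EXPLORER.EXE"}
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM"}
LOGON_HOST = "WINLOGON.EXE"


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str
    user: str
    session: int


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    user: str
    help_pid: int
    severity: str  # "high" = SYSTEM / logon desktop, "low" = user session


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the constructed pipe-delimited format; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, user, session = line.split("|")
        events.append(ProcEvent(ts, int(pid), int(ppid), image, user, int(session)))
    return events


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent],
             max_depth: int = 8) -> List[ProcEvent]:
    """Parents of `event`, nearest first. Stops at unknown pids, loops
    (pid reuse can make the graph cyclic) or max_depth."""
    chain: List[ProcEvent] = []
    seen = {event.pid}
    cur: Optional[ProcEvent] = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def find_help_spawned_shells(events: List[ProcEvent]) -> List[Finding]:
    """Report every shell/Explorer whose ancestry includes a help viewer.

    Ancestry (not just the direct parent) is checked because the report's
    second variant goes help -> Explorer window -> command prompt."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image.upper() not in SHELLS:
            continue
        chain = ancestry(e, by_pid)
        helper = next((a for a in chain if a.image.upper() in HELP_VIEWERS), None)
        if helper is None:
            continue
        from_logon = any(a.image.upper() == LOGON_HOST for a in chain)
        privileged = e.user.upper() in {u.upper() for u in PRIVILEGED_USERS}
        severity = "high" if (privileged or from_logon) else "low"
        findings.append(Finding(e.pid, e.image, e.user, helper.pid, severity))
    return findings


if __name__ == "__main__":
    for f in find_help_spawned_shells(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.severity}] pid {f.pid} {f.image} as {f.user} "
              f"descends from help viewer pid {f.help_pid}")
```

The low-severity path matters as much as the high one: the help viewer's File->Open dialog is legitimate functionality, so a user launching a shell from help inside their own session is noise. What makes the report's case an authentication bypass is the context, SYSTEM and the WINLOGON desktop, and the rule keys on exactly that.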