COMMAND

    Scheduler service (to get admin rights)

SYSTEMS AFFECTED

    Win NT

PROBLEM

    David Litchfield has recently found a way for a normal user to
    become a member of the (local) Administrators group without the
    use of Getadmin.exe, and it is believed the same method can be
    used to become a member of the Domain Administrators group. This
    method exploits the Scheduler service.

    1) If NTFS isn't used as the file system :

        a) Boot from a Windows 95 system disk.
        b) Copy musrmgr.exe to the %systemroot%\system32 directory.
        c) Rename atsvc.exe to something else, e.g. dave.exe
        d) Rename the copy of musrmgr.exe to atsvc.exe
        e) Restart the computer. The system will try to start the
           Scheduler service (atsvc.exe) but will start User Manager
           instead when the user logs on. He has a brief window (pun
           not intended) of a few minutes in which to add himself to
           the Administrators group. You then shut down the computer
           and restart it.

    This exploit works because the system starts the process with full
    privileges so the user has made no illegal calls.

    2) If the file system is NTFS :

        The process is the same as above; however, you'll have to
        utilise ntfsdos.exe.

    It is believed this process can be used to become a member of
    the Domain admin group; tests will show if this is correct.
    If you can over-write the atsvc.exe program, you should probably
    be able to over-write FPNWCLNT.DLL with one of your own. Since
    FPNWCLNT.DLL is installed by default on all PDCs, you simply
    place your own in there that collects the passwords as they're
    changed. Of course, if you have this level of access to the box,
    you can also run PWDUMP or equivalent (assuming SYSKEY hasn't
    been used).

    Another approach by David was:

        - a plain old user has write access to the winnt\system32
          directory
        - he renames logon.scr to logon.old.
        - he then renames usrmgr.exe (or musrmgr.exe on Workstations)
          to logon.scr.
        - he then shuts down the computer using the "close all
          programs and log on as different user" option.
        - he then waits...
        - the system will start logon.scr if left long enough.
        - User Manager will load...
        - the user then selects his domain. (You have to type the
          domain name in.)
        - he then adds himself to the Administrators group.
        - he then exits and logs back on.

    Some of you may be thinking that as soon as you move the mouse the
    "screen saver" should disappear, but because you can only get rid
    of logon.scr with a ctrl+alt+del you can use the mouse to your
    heart's content.

    No doubt there are lots of other services whose binaries can be
    over-written so that they start up your own choice of app.
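
    Both procedures above depend on the same precondition: a low-
    privilege account being able to rename or replace files under
    %systemroot%\system32 (atsvc.exe in the first, logon.scr in the
    second). The script below is an added auditing example and is not
    part of the original advisory. It parses icacls-style ACL output
    (a format assumed here; icacls appeared with Vista, and NT 4's
    cacls prints rights differently, so its output would need another
    parser) and reports every non-administrative principal holding
    write, delete or rename rights on the listed objects. The listing
    it runs over is a constructed sample, not captured from a real
    host.

```python
"""Audit icacls-style ACL listings for system objects that low-privilege
principals can modify, delete or rename.

Added example for this advisory, not code from the original text. It
assumes icacls output format (path and first ACE on one line, further
ACEs on indented continuation lines, each as PRINCIPAL:(flag)(flag)...).
The listing at the bottom is a constructed sample.
"""
import re
from dataclasses import dataclass

# Principals expected to hold write/delete rights on system files.
TRUSTED = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\ADMINISTRATORS",
    "NT SERVICE\\TRUSTEDINSTALLER",
    "CREATOR OWNER",
}

# icacls simple rights and specific rights that let a principal change,
# delete or rename an object. Renaming a file needs DELETE on the file
# or FILE_DELETE_CHILD (DC) on its parent directory, so the directory
# ACL matters as much as the file's own.
SIMPLE_RIGHTS = {"F", "M", "W", "D"}
SPECIFIC_RIGHTS = {"WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO"}

# PRINCIPAL:(flag)(flag)...  A principal contains no colon and at most
# one backslash (DOMAIN\name); that is what separates it from the path.
ACE_RE = re.compile(
    r"(?P<principal>[^:\\\s][^:\\]*(?:\\[^:\\]+)?):(?P<flags>(?:\([^()]*\))+)$"
)
FIRST_RE = re.compile(r"^(?P<path>\S.*?)\s+" + ACE_RE.pattern)


@dataclass
class Ace:
    principal: str
    flags: tuple   # e.g. ("OI", "CI", "F") or ("DE", "DC", "WD")


def _split_flags(raw):
    """'(OI)(CI)(F)' -> ['OI', 'CI', 'F']; '(DE,WD)' -> ['DE', 'WD']."""
    out = []
    for group in re.findall(r"\(([^()]*)\)", raw):
        out.extend(f.strip() for f in group.split(",") if f.strip())
    return out


def parse_icacls(text):
    """Return {path: [Ace, ...]} parsed from icacls-style output."""
    acls = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0].isspace():            # continuation ACE for current path
            m = ACE_RE.fullmatch(line.strip())
            if m is None or current is None:
                raise ValueError(f"unparsable ACE line: {line!r}")
        else:                            # new path with its first ACE
            m = FIRST_RE.match(line)
            if m is None:
                raise ValueError(f"unparsable path line: {line!r}")
            current = m.group("path")
            acls.setdefault(current, [])
        acls[current].append(Ace(m.group("principal"),
                                 tuple(_split_flags(m.group("flags")))))
    return acls


def grants_modify(ace):
    """True if an allow ACE lets the principal write, delete or rename."""
    flags = set(ace.flags)
    if "DENY" in flags:                  # deny ACEs never widen access
        return False
    return bool(flags & SIMPLE_RIGHTS or flags & SPECIFIC_RIGHTS)


def audit(text):
    """Return [(path, principal, flags)] for each non-trusted principal
    that can modify or replace a listed object."""
    findings = []
    for path, aces in parse_icacls(text).items():
        for ace in aces:
            if ace.principal.upper() in TRUSTED:
                continue
            if grants_modify(ace):
                findings.append((path, ace.principal, ace.flags))
    return findings


# Constructed sample: atsvc.exe is writable by Users, logon.scr is not,
# and the system32 directory grants Users delete/rename/create rights.
SAMPLE_LISTING = r"""
C:\WINNT\system32\atsvc.exe NT AUTHORITY\SYSTEM:(F)
                            BUILTIN\Administrators:(F)
                            BUILTIN\Users:(M)
C:\WINNT\system32\logon.scr NT AUTHORITY\SYSTEM:(F)
                            BUILTIN\Administrators:(F)
                            BUILTIN\Users:(RX)
                            Everyone:(DENY)(W)
C:\WINNT\system32 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Administrators:(OI)(CI)(F)
                  BUILTIN\Users:(OI)(CI)(RX)
                  BUILTIN\Users:(CI)(DE,DC,WD,AD)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, flags in audit(SAMPLE_LISTING):
        print(path, who, "can modify/replace:", flags)
```

    On the sample the audit reports two findings: Users hold Modify on
    atsvc.exe itself, and Users hold delete, delete-child, write-data
    and append-data on the system32 directory, which is enough to
    rename logon.scr and drop a replacement even though logon.scr's
    own ACL is read-only. The denied write on logon.scr is correctly
    ignored. To run it against a live host, feed it the text of
    `icacls <path> /t` instead of SAMPLE_LISTING.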

SOLUTION

    Physically secure your equipment from unauthorized access. Basic
    C2 configuration would absolutely prevent this exploit. Don't
    allow NT to boot from anything other than its defined boot
    partition. What are you doing with dual boot on a production box?
    Why would you have a FAT boot partition, ever? Why is the floppy
    drive still in the machine, or if it is, why isn't the BIOS
    preventing it from being searched at boot (be aware of the danger
    of AWARD default passwords)?