COMMAND

    RedButton attack

SYSTEMS AFFECTED

    Win NT 4.0

PROBLEM

    John Howie mentioned that the RedButton attack was not as new as it
    seems. The problem is well known and has been exploited for some time
    by running the following command line:

        net use \\servername\ipc$ "" /user:""

    and then firing up User Manager, Event Viewer, Registry Editor, or
    using the net command to target the remote machine.

    This works only on NT 4.0, not NT 3.51. For NT 3.51 a small program
    that calls WNetAddConnection2 with a blank (not NULL) username and
    password achieves the same thing; the NetUseAdd API call (which is
    what RedButton uses) can be used instead.

    There are a lot of hidden users/groups in NT and this is just one of
    them. As for using RedButton to obtain the username of the
    administrator: the Administrator account's SID always ends in -500
    (Guest is -501), so it is relatively easy to see which account is the
    administrator account regardless of its name. The builtin local groups
    (documented and undocumented) always have the same SID on all
    machines. Try getsid from the Resource Kit if you can't believe it.
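    The point above is that a SID, not an account name, identifies the
    administrator, so renaming the account does not hide it from anyone
    who can enumerate SIDs. The following added example (written for this
    page, not part of the original advisory or of RedButton) parses
    textual SIDs and classifies them by their relative identifier (RID);
    the -500/-501 RIDs come from the advisory, while the S-1-5-32-*
    builtin group SIDs and the sample account list are standard values and
    constructed data added here for illustration.

```python
import re

# RIDs named in the advisory: Administrator is always -500, Guest -501.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Builtin local group SIDs, identical on every NT machine (standard
# documented values, added here; the advisory only says they are constant).
BUILTIN_ALIASES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
}

# S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into (identifier authority, [sub-authorities]).

    Raises ValueError for anything that is not a well-formed SID string.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a valid SID string: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def rid(sid):
    """The relative identifier is the last sub-authority of the SID."""
    return parse_sid(sid)[1][-1]


def classify(sid):
    """Describe what the SID alone reveals, ignoring the display name."""
    authority, subs = parse_sid(sid)
    if sid in BUILTIN_ALIASES:
        return "builtin group: " + BUILTIN_ALIASES[sid]
    # S-1-5-21-... is the prefix of machine/domain account SIDs.
    if authority == 5 and len(subs) >= 2 and subs[0] == 21:
        r = subs[-1]
        if r in WELL_KNOWN_RIDS:
            return "well-known account: " + WELL_KNOWN_RIDS[r]
        return "domain/local account with RID %d" % r
    return "other SID"


def find_administrator(accounts):
    """Given (name, sid) pairs as an enumeration returns them, report the
    name currently attached to RID 500, whatever it has been renamed to."""
    for name, sid in accounts:
        if rid(sid) == 500:
            return name
    return None


# Constructed sample: a machine whose Administrator account was renamed.
SAMPLE_ACCOUNTS = [
    ("Guest", "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("OpsAdmin", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("jsmith", "S-1-5-21-1004336348-1177238915-682003330-1001"),
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print("%-10s %s" % (name, classify(sid)))
    print("administrator account is named:", find_administrator(SAMPLE_ACCOUNTS))
```

    Renaming the Administrator account is therefore only a minor obstacle;
    the real fix is to stop anonymous enumeration, which is what the
    patches in the SOLUTION section are for.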

SOLUTION

    Obtain the patch from ftp.microsoft.com. For NT 3.51:

        /bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/sec-fix

    or for NT 4.0:

        /bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/sec-fix/

    You may also apply SP3 for NT 4.0, which fixes this problem.