NT Automated Tasks / Drive Mappings Vulnerability
BID:1050
Info
NT Automated Tasks / Drive Mappings Vulnerability
| Bugtraq ID: | 1050 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: |
CVE-2000-0197 |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 14 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | Posted to NTBugtraq on March 14, 2000 by Shawn Wright <[email protected]>. |
| Vulnerable: |
Microsoft Windows NT 4.0 |
| Not Vulnerable: | |
Discussion
NT Automated Tasks / Drive Mappings Vulnerability
Any automated task that relies on mapped drives and runs at a higher privelege level than the logged-on user can be exploited by changing the drive mapping. By replicating the directory structure of the intended drive, and replacing the contents of the scheduled executables or configuration files with other data, it is possible for a local attacker to cause arbitrary code to be executed at an elevated privelege level.
For example:
\\Workstation has the following drive mapping:
S: \\Server\Scripts
and there is an AT job that runs S:\Daily.bat every day as the Local Administrator.
Now all the attacker has to do is replace the S: mapping with one that specifies a target where the attacker has write privileges (\\Workstation\C$ for example). Then if the batch file C:\Daily.bat is created, it will be run as Local Administrator.
Any automated task that relies on mapped drives and runs at a higher privelege level than the logged-on user can be exploited by changing the drive mapping. By replicating the directory structure of the intended drive, and replacing the contents of the scheduled executables or configuration files with other data, it is possible for a local attacker to cause arbitrary code to be executed at an elevated privelege level.
For example:
\\Workstation has the following drive mapping:
S: \\Server\Scripts
and there is an AT job that runs S:\Daily.bat every day as the Local Administrator.
Now all the attacker has to do is replace the S: mapping with one that specifies a target where the attacker has write privileges (\\Workstation\C$ for example). Then if the batch file C:\Daily.bat is created, it will be run as Local Administrator.
Solution / Fix
NT Automated Tasks / Drive Mappings Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
NT Automated Tasks / Drive Mappings Vulnerability
References:
References: